Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

hijack this log [RESOLVED]

Started by jcdifi26 , Sep 25 2005 05:32 AM

This topic is locked

#1
jcdifi26

Posted 25 September 2005 - 05:32 AM

Member

Member
14 posts

I can't log on to a regular windows session, can only open in Safe Mode. I ran Hijack this and got this file. Any help would be appreciated

Attached Files

hijackthis9_25.txt 9.78KB 202 downloads

#2
greyknight17

Posted 25 September 2005 - 08:26 AM

Malware Expert

Visiting Consultant
16,560 posts

Welcome to GTG.

You are heavily infected there...

See if you can download Ewido in Safe Mode with Networking. If not, you will have to get it on another computer and burn it on a CD to install on this infected computer.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

Download LQFix http://users.telenet...tools/LQfix.exe and click on Install. Go to your Desktop and open up the LQfix folder. Double click on ClickThis.bat to run it.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net...wnload/updates/ to update manually.

Download Nailfix Utility at http://www.noidea.us...050711214630636 Save it to your desktop. Do NOT run it yet.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, double click on nailfix.exe.
Click 'Next' in the setup, then make sure 'Run Nailfix' is checked and click 'Finish'.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.go2realsearch.com/sp2.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: (no name) - {00000000-0000-4C63-8C15-E6DD85A27081} - C:\Program Files\ProSiteFinder\ProSiteFinder.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshoolv.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\System32\qlink32.dll
O2 - BHO: (no name) - {C792AC21-18CF-6230-B211-460147EF2CB4} - C:\WINDOWS\System32\cbz.dll
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\System32\qsyszr2d.exe DO0605
O4 - HKLM\..\Run: [89835ede4aee] C:\WINDOWS\System32\atiiiexx.exe
O4 - HKLM\..\Run: [zubwpau] C:\WINDOWS\zubwpau.EXE
O4 - HKLM\..\Run: [testit.exe] C:\WINDOWS\System32\testit.exe
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\System32\mmxp2passion.exe
O4 - HKLM\..\Run: [mediapluscash.exe] C:\WINDOWS\System32\mediapluscash.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [stb] C:\WINDOWS\System32\stb.exe
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [fghfa] C:\WINDOWS\System32\scqrig\fghfa.exe
O4 - HKLM\..\Run: [bxtyf] C:\WINDOWS\System32\gdrajoon\bxtyf.exe
O4 - HKLM\..\Run: [ysfb] C:\WINDOWS\System32\ubntv\ysfb.exe
O4 - HKLM\..\Run: [mxmjjeo] C:\WINDOWS\System32\sfkkgl\mxmjjeo.exe
O4 - HKLM\..\Run: [jagerugg] C:\WINDOWS\System32\fbuusv\jagerugg.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [180sa] c:\program files\180search assistant\180sa.exe
O4 - HKLM\..\Run: [ProSiteFinder] "C:\Program Files\ProSiteFinder\ProSiteFinder.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [kjgtk49e] C:\WINDOWS\System32\kjgtk49e.exe
O4 - HKLM\..\Run: [ZStart] c:\windows\system32\oxdxregp.exe DO0605
O4 - HKLM\..\Run: [wincin] C:\DOCUME~1\COLLEE~1\LOCALS~1\Temp\w181609.Stub.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [Whcpy] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qsyszr2d.exe
O4 - Startup: Zstart.lnk = C:\Documents and Settings\COLLEEN CURRAN\Local Settings\Temp\zxinst12.exe
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: http://Download.Windowsupdate.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.shar...ver/Install.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...tall_ap1001.cab
O16 - DPF: {64696FB5-BA15-4920-B789-F35D3FC0A36A} (myax Control) - http://www.icannnews.com/app/ST/ax.ocx
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spam...ckerutility.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0026.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\System32\qlink32.dll
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWRtaW5pc3RyYXRvcgAA\command.exe (file missing)
O23 - Service: fghfascqrig - Unknown owner - C:\WINDOWS\System32\scqrig\fghfa.exe
O23 - Service: jageruggfbuusv - Unknown owner - C:\WINDOWS\System32\fbuusv\jagerugg.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\jconqwo.exe
O23 - Service: ysfbubntv - Unknown owner - C:\WINDOWS\System32\ubntv\ysfb.exe

Uninstall the following via the Add/Remove panel if listed:

topMoxie
Adware Alert
ProSiteFinder
SurfSideKick
Ebates Moe MoneyMaker
180 search assistant

Locate and delete the following:

AUNPS2.DLL
c:\program files\180search assistant\
C:\Program Files\AdwareAlert\
C:\Program Files\Common Files\mc-58-12-0000106.exe
C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
C:\Program Files\Ebates_MoeMoneyMaker\
C:\Program Files\ProSiteFinder\
C:\Program Files\SurfSideKick 3\
c:\Program Files\topMoxie\
C:\WINDOWS\jconqwo.exe
C:\WINDOWS\QWRtaW5pc3RyYXRvcgAA\
C:\WINDOWS\System32\atiiiexx.exe
C:\WINDOWS\System32\cbz.dll
C:\WINDOWS\System32\fbuusv\
C:\WINDOWS\System32\gdrajoon\
C:\WINDOWS\System32\kjgtk49e.exe
C:\WINDOWS\System32\medgs1.exe
C:\WINDOWS\System32\mediapluscash.exe
C:\WINDOWS\System32\mmxp2passion.exe
C:\WINDOWS\System32\nsvsvc\
c:\windows\system32\oxdxregp.exe
C:\WINDOWS\System32\pkshoolv.dll
C:\WINDOWS\System32\pshwr.exe
C:\WINDOWS\System32\qlink32.dll
C:\WINDOWS\SYSTEM32\qsyszr2d.exe
C:\WINDOWS\System32\scqrig\
C:\WINDOWS\System32\sfkkgl\
C:\WINDOWS\System32\stb.exe
C:\WINDOWS\System32\testit.exe
C:\WINDOWS\System32\ubntv\
C:\WINDOWS\zubwpau.EXE
repairs.dll

Do a search for ??rss.exe and right click on any of the files found. Go to Properties->Version tab and see if it's from Microsoft. Do this for each file found. If it's not from Microsoft (or doesn't even have a version tab) and it was created recently, then delete it.

Restart your computer.

Download FindIt's.zip http://forums.net-in...=post&id=142443 to your desktop.

1. Unzip/extract the files to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient... Note: If you are having problems using FindIt's.bat (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.bat.
3. Then post the FindIt's log here along with the logs for HijackThis and Ewido.

#3
jcdifi26

Posted 28 September 2005 - 06:55 PM

Member

Topic Starter
Member
14 posts

I posted a log on here on 9/25 and got a good answer from greyknight17. I did everything he said, but I think I still have problems. I can't get updates from the windows update page and still get bombed by pop-ups. Here's my lastest hijackthis file. Any help would be appreciated. Thanks Joe

Logfile of HijackThis v1.99.1
Scan saved at 8:47:15 PM, on 09/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\COLLEEN CURRAN\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yoursearchspace.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yoursearchspace.com/sp2.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yoursearchspace.com/sp2.php
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [zubwpau] C:\WINDOWS\zubwpau.EXE
O4 - HKLM\..\Run: [ysfb] C:\WINDOWS\System32\ubntv\ysfb.exe
O4 - HKLM\..\Run: [testit.exe] C:\WINDOWS\System32\testit.exe
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\Run: [System service67] C:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\System32\stb.exe
O4 - HKLM\..\Run: [mxmjjeo] C:\WINDOWS\System32\sfkkgl\mxmjjeo.exe
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\System32\mmxp2passion.exe
O4 - HKLM\..\Run: [mediapluscash.exe] C:\WINDOWS\System32\mediapluscash.exe
O4 - HKLM\..\Run: [Media Gateway] C:\DOCUME~1\COLLEE~1\LOCALS~1\Temp\MediaGateway.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [kjgtk49e] C:\WINDOWS\System32\kjgtk49e.exe
O4 - HKLM\..\Run: [jagerugg] C:\WINDOWS\System32\fbuusv\jagerugg.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [fghfa] C:\WINDOWS\System32\scqrig\fghfa.exe
O4 - HKLM\..\Run: [bxtyf] C:\WINDOWS\System32\gdrajoon\bxtyf.exe
O4 - HKLM\..\Run: [azwnqtiv] C:\WINDOWS\azwnqtiv.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [89835ede4aee] C:\WINDOWS\System32\atiiiexx.exe
O4 - HKLM\..\Run: [180sa] c:\program files\180search assistant\180sa.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Whcpy] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qsyszr2d.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\instant messenger\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} (Verizon Broadband Toolbar) - http://www2.verizon....oolbar/vzbb.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126230373812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127595346765
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\URIB.DLL
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWRtaW5pc3RyYXRvcgAA\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: fghfascqrig - Unknown owner - C:\WINDOWS\System32\scqrig\fghfa.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: jageruggfbuusv - Unknown owner - C:\WINDOWS\System32\fbuusv\jagerugg.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\jconqwo.exe (file missing)
O23 - Service: ysfbubntv - Unknown owner - C:\WINDOWS\System32\ubntv\ysfb.exe (file missing)

#4
greyknight17

Posted 29 September 2005 - 04:21 PM

Malware Expert

Visiting Consultant
16,560 posts

Don't worry about it. I will be helping you on this problem till the end :tazz:

Where is the Ewido log? You should have posted that too. No problem, I will ask you to run it again since a lot of these still seem to remain even after the initial fix.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Make sure you downloaded, installed, updated and ran these programs (run in Safe Mode) already - Ad-aware, Spybot and Ewido. If you didn't, do them now. For more information, go to http://www.greyknigh...com/spyware.htm

Download LQFix http://users.telenet...tools/LQfix.exe and click on Install. Go to your Desktop and open up the LQfix folder. Double click on ClickThis.bat to run it.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Internet Optimizer
180search assistant
AdwareAlert
SurfSideKick 3

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yoursearchspace.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yoursearchspace.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yoursearchspace.com/sp2.php
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O1 - Hosts: 216.39.69.102 view.atdmt.com
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [zubwpau] C:\WINDOWS\zubwpau.EXE
O4 - HKLM\..\Run: [ysfb] C:\WINDOWS\System32\ubntv\ysfb.exe
O4 - HKLM\..\Run: [testit.exe] C:\WINDOWS\System32\testit.exe
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\Run: [System service67] C:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\System32\stb.exe
O4 - HKLM\..\Run: [mxmjjeo] C:\WINDOWS\System32\sfkkgl\mxmjjeo.exe
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\System32\mmxp2passion.exe
O4 - HKLM\..\Run: [mediapluscash.exe] C:\WINDOWS\System32\mediapluscash.exe
O4 - HKLM\..\Run: [Media Gateway] C:\DOCUME~1\COLLEE~1\LOCALS~1\Temp\MediaGateway.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [kjgtk49e] C:\WINDOWS\System32\kjgtk49e.exe
O4 - HKLM\..\Run: [jagerugg] C:\WINDOWS\System32\fbuusv\jagerugg.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [fghfa] C:\WINDOWS\System32\scqrig\fghfa.exe
O4 - HKLM\..\Run: [bxtyf] C:\WINDOWS\System32\gdrajoon\bxtyf.exe
O4 - HKLM\..\Run: [azwnqtiv] C:\WINDOWS\azwnqtiv.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [89835ede4aee] C:\WINDOWS\System32\atiiiexx.exe
O4 - HKLM\..\Run: [180sa] c:\program files\180search assistant\180sa.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Whcpy] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qsyszr2d.exe
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\URIB.DLL
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWRtaW5pc3RyYXRvcgAA\command.exe (file missing)
O23 - Service: fghfascqrig - Unknown owner - C:\WINDOWS\System32\scqrig\fghfa.exe (file missing)
O23 - Service: jageruggfbuusv - Unknown owner - C:\WINDOWS\System32\fbuusv\jagerugg.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\jconqwo.exe (file missing)
O23 - Service: ysfbubntv - Unknown owner - C:\WINDOWS\System32\ubntv\ysfb.exe (file missing)

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\Internet Optimizer\
c:\program files\180search assistant\
C:\Program Files\AdwareAlert\
C:\Program Files\Common Files\mc-58-12-0000106.exe
C:\Program Files\rdso\
C:\Program Files\SurfSideKick 3\
C:\WINDOWS\azwnqtiv.exe
C:\WINDOWS\jconqwo.exe
C:\WINDOWS\QWRtaW5pc3RyYXRvcgAA\
C:\WINDOWS\System32\atiiiexx.exe
C:\WINDOWS\System32\fbuusv\
C:\WINDOWS\System32\gdrajoon\bxtyf.exe
C:\WINDOWS\System32\kjgtk49e.exe
C:\WINDOWS\System32\medgs1.exe
C:\WINDOWS\System32\mediapluscash.exe
C:\WINDOWS\System32\mmxp2passion.exe
C:\WINDOWS\System32\pshwr.exe
C:\WINDOWS\SYSTEM32\qsyszr2d.exe
C:\WINDOWS\System32\scqrig\
C:\WINDOWS\System32\sfkkgl\
C:\WINDOWS\System32\stb.exe
C:\WINDOWS\System32\testit.exe
C:\WINDOWS\System32\ubntv\
C:\WINDOWS\system32\URIB.DLL
C:\WINDOWS\zubwpau.EXE
repairs.dll

Do a search for ??rss.exe and right click on any of the files found. Go to Properties->Version tab and see if it's from Microsoft. Do this for each file found. If it's not from Microsoft (or doesn't even have a version tab) and it was created recently, then delete it.

Run Ewido scan again. When it's done, click on the Save Report button.

Restart and run a new HijackThis scan. Save the log file and post it here along with the Ewido report you saved earlier.

#5
jcdifi26

Posted 30 September 2005 - 04:37 AM

Member

Topic Starter
Member
14 posts

This is a follow up post from greyknight17's 9/29 reply to me. I'm not sure if I'm suppose to reply to his message or start a new post. Since I couldn't locate his reply I'm just going to follow up with a new post. First, thank you for all your help it's greatly appreciated. I followed your directions from your last post and here are the results of the Ewido and HijackThis files. The only thing I could not get rid of was the C:\Windows\system32\URIB.DLL file. It said it was in use by another program or user.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:54:54 AM, 09/30/2005
+ Report-Checksum: C496C49D

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Error during cleaning
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl -> Spyware.MediaMotor : Error during cleaning
HKU\S-1-5-21-1850456698-2437969446-162025716-1007\Software\IST -> Spyware.ISTBar : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen curran@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen [email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen [email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen curran@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen curran@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen curran@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen curran@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen curran@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen [email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Local Settings\Temp\!update.exe -> TrojanDownloader.PurityScan.af : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Local Settings\Temp\nsh_116.exe -> Spyware.Downloadware : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Local Settings\Temp\ptf_0002.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Local Settings\Temporary Internet Files\Content.IE5\4H0JELYH\installcasino[1].exe -> Spyware.Casino : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Local Settings\Temporary Internet Files\Content.IE5\4H0JELYH\trk_0002[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Local Settings\Temporary Internet Files\Content.IE5\4H0JELYH\trk_0026[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Local Settings\Temporary Internet Files\Content.IE5\KLMXWXG1\nsh_116[1].exe -> Spyware.Downloadware : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Local Settings\Temporary Internet Files\Content.IE5\U1QXMBOJ\!update-2595[1].0000 -> TrojanDownloader.PurityScan.af : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Local Settings\Temporary Internet Files\Content.IE5\U1QXMBOJ\trk_0030[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe -> Spyware.Pacer : Cleaned with backup
C:\RECYCLER\S-1-5-21-1850456698-2437969446-162025716-1007\Dc12\eetu.exe -> TrojanDownloader.PurityScan.af : Cleaned with backup
C:\RECYCLER\S-1-5-21-1850456698-2437969446-162025716-1007\Dc15.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222070.exe -> Spyware.Xupiter : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222071.dll -> Spyware.Nomeh : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222072.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222073.dll/gui.exe -> TrojanDownloader.Agent.rv : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222074.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222075.exe -> TrojanDownloader.Agent.rv : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222076.DLL -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222077.dll -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222078.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222079.dll -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222080.dll -> Spyware.BookedSpace : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222081.exe -> Spyware.AdURL : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222082.exe -> TrojanDropper.Agent.vl : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222083.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222084.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222085.exe -> Spyware.BookedSpace : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222086.exe -> Spyware.RK : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222087.exe -> Spyware.UrlSpy : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222088.exe -> Spyware.UrlSpy : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222089.exe -> Spyware.UrlSpy : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222090.exe -> Spyware.BookedSpace.e : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222091.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222092.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222093.exe -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222094.exe -> Adware.Saha : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222095.dll -> Adware.Saha : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222096.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222097.exe -> TrojanDownloader.VB.jl : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222098.dll -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222099.exe -> Spyware.ISearch : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222100.exe -> Spyware.ISearch : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222101.exe -> Spyware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222102.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222103.EXE -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222104.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222105.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222106.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222107.exe -> Trojan.Zx.12 : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222108.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222109.exe -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222110.exe -> Spyware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222111.dll -> Spyware.RK : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222112.exe -> Trojan.Popmon.a : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222113.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222114.exe -> Trojan.Popmon.a : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222115.exe -> Spyware.Adstart : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222116.exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222116.exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222117.exe/WhAgent.exe -> Spyware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222118.exe -> TrojanDownloader.VB.pn : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222151.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222185.exe -> Spyware.Maxifiles : Cleaned with backup
C:\temp\Installer.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\Temp\ptf_0026.exe -> Spyware.Pacer : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 6:18:52 AM, on 09/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\COLLEEN CURRAN\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {41F71A10-F9F4-8D07-DBB3-F90A775DA5B9} - C:\WINDOWS\System32\glr.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\instant messenger\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} (Verizon Broadband Toolbar) - http://www2.verizon....oolbar/vzbb.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126230373812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127595346765
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\URIB.DLL
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWRtaW5pc3RyYXRvcgAA\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: fghfascqrig - Unknown owner - C:\WINDOWS\System32\scqrig\fghfa.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe

#6
greyknight17

Posted 30 September 2005 - 04:06 PM

Malware Expert

Visiting Consultant
16,560 posts

I'm helping you here. My reply is right above your previous one. You are doing it correctly by posting a reply like you are doing now. Do NOT create a new post since we have this topic open.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop cmdService
sc delete cmdService
sc stop fghfascqrig
sc delete fghfascqrig
del delete.bat

Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

Go into HijackThis->Config->Misc Tools->Delete an NT service and type in cmdService and hit OK. Do the same thing for fghfascqrig (if it fails, just continue on anyway with the remaining fixes below...).

Go to Start->Run and type in services.msc and hit OK. Then look for Command Service (cmdService) and double click on it. Click on the Stop button and under Startup type, choose Disabled. Do the same thing for fghfascqrig if found.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\ and delete {0019C3E2-DD48-4A6D-ABCD-8D32436323D9}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete IObjSafety.DemoCtl

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Check and fix these in HijackThis:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {41F71A10-F9F4-8D07-DBB3-F90A775DA5B9} - C:\WINDOWS\System32\glr.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\URIB.DLL
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWRtaW5pc3RyYXRvcgAA\command.exe (file missing)
O23 - Service: fghfascqrig - Unknown owner - C:\WINDOWS\System32\scqrig\fghfa.exe (file missing)

Delete these if found:

C:\WINDOWS\System32\glr.dll
C:\WINDOWS\system32\URIB.DLL
C:\WINDOWS\QWRtaW5pc3RyYXRvcgAA\
C:\WINDOWS\System32\scqrig\

Run the Ewido scan again and save the report when it's done.

Restart and post a new HijackThis log along with the Ewido log.

#7
jcdifi26

Posted 02 October 2005 - 05:42 AM

Member

Topic Starter
Member
14 posts

Here's my latest files. I couldn't get rid of the files in the registry. Thanks again for your help.

Logfile of HijackThis v1.99.1
Scan saved at 7:38:55 AM, on 10/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\COLLEEN CURRAN\Desktop\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\instant messenger\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} (Verizon Broadband Toolbar) - http://www2.verizon....oolbar/vzbb.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126230373812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127595346765
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\mgjdbc10.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:36:51 AM, 10/02/2005
+ Report-Checksum: A4AA3CD8

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Error during cleaning
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl -> Spyware.MediaMotor : Error during cleaning
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen [email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen [email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen [email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222187.exe -> Spyware.Pacer : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP462\A0222189.exe -> Spyware.Maxifiles : Cleaned with backup

::Report End

#8
greyknight17

Posted 02 October 2005 - 07:44 AM

Malware Expert

Visiting Consultant
16,560 posts

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Did you try using another user account to delete those registry entries? If that still doesn't work, then try this:

Download Registrar Lite http://www.resplende...oad/reglite.exe and install it.

Copy and paste the follow text into the address bar and hit Go:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\

Delete this in the right panel:

{0019C3E2-DD48-4A6D-ABCD-8D32436323D9}

Then copy and paste this into the address bar and hit Go:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\

Delete this on the right panel:

IObjSafety.DemoCtl

Again, if any of these give you problems deleting, right click on them and change their permissions/settings to see if you can gain access to them.

Download L2MFix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening. After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!

#9
jcdifi26

Posted 02 October 2005 - 11:01 AM

Member

Topic Starter
Member
14 posts

I got rid of the 2 registry files by logging in as a different user. Here's the L2mfix file. I'm still unable to get to windows update page. I tried to download service pack 2 and install it but it tells me it can't find the specified file needed to install.

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mgjdbc10.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5D9C021C-B607-D7A3-4E7C-074F32248654}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{1CE2AA40-1317-11D3-9922-00104B0AD431}"="CA_AntiVirus"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{E4F760B6-6733-404A-A7C7-9CA5051EE9E6}"=""
"{97131B84-9935-4FFD-9A99-99436E849B03}"=""
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{2B8298DD-FCF7-45A0-9E95-E837D616D00D}"=""
"{05B77231-8B18-4BDA-8C77-B7CCD105C705}"=""
"{2A5C05B4-29BA-48DE-89C5-E427FD6F62A3}"=""
"{511D7F8B-3881-4F04-A040-864A15A72D01}"=""
"{ADFDF143-4E0E-4F7D-B290-28409F5350BE}"=""
"{C0BEF66E-F205-4A40-B5F7-8E1A0A71C455}"=""
"{1B707A2D-662A-4AB7-9C39-4C763042DC7D}"=""
"{D6FC26E3-263B-434C-93AE-280F01D20144}"=""
"{97C8584C-7F7F-4A39-91E5-865EFF0C1A3F}"=""
"{8A9F9241-D4DC-40CD-97EF-5584CAD01276}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{97131B84-9935-4FFD-9A99-99436E849B03}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{97131B84-9935-4FFD-9A99-99436E849B03}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{97131B84-9935-4FFD-9A99-99436E849B03}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{97131B84-9935-4FFD-9A99-99436E849B03}\InprocServer32]
@="C:\\WINDOWS\\system32\\ujandlg.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2B8298DD-FCF7-45A0-9E95-E837D616D00D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2B8298DD-FCF7-45A0-9E95-E837D616D00D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2B8298DD-FCF7-45A0-9E95-E837D616D00D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2B8298DD-FCF7-45A0-9E95-E837D616D00D}\InprocServer32]
@="C:\\WINDOWS\\system32\\DWSKADP.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8A9F9241-D4DC-40CD-97EF-5584CAD01276}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A9F9241-D4DC-40CD-97EF-5584CAD01276}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A9F9241-D4DC-40CD-97EF-5584CAD01276}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A9F9241-D4DC-40CD-97EF-5584CAD01276}\InprocServer32]
@="C:\\WINDOWS\\system32\\wxspdmod.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is AC52-0949

Directory of C:\WINDOWS\System32

10/02/2005 12:21 PM 417,792 wxspdmod.dll
10/01/2005 10:03 PM 417,792 mgjdbc10.dll
09/29/2005 09:49 PM 417,792 CIFVIEW.DLL
09/29/2005 09:44 PM 417,792 IYETPPUI.DLL
09/29/2005 09:37 PM 417,792 DXSKADP.DLL
09/08/2005 09:47 AM 401,408 w?crtupd.exe
12/02/2003 10:48 PM <DIR> DLLCACHE
11/29/2001 02:09 PM <DIR> Microsoft
6 File(s) 2,490,368 bytes
2 Dir(s) 32,974,753,792 bytes free

Thanks

#10
greyknight17

Posted 03 October 2005 - 02:46 PM

Malware Expert

Visiting Consultant
16,560 posts

OK, let's try getting rid of this problem first to see if it allows you to get the updates afterwards...

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2MFix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

#11
jcdifi26

Posted 03 October 2005 - 05:26 PM

Member

Topic Starter
Member
14 posts

I ran the l2mfix option #2 and did a reboot twice, but nothing happened after the reboot. There was no file created. Here is the latest Hijackthis file. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 7:14:00 PM, on 10/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\Documents and Settings\COLLEEN CURRAN\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netsc...com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\instant messenger\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} (Verizon Broadband Toolbar) - http://www2.verizon....oolbar/vzbb.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126230373812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127595346765
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\mgjdbc10.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe

#12
greyknight17

Posted 03 October 2005 - 08:36 PM

Malware Expert

Visiting Consultant
16,560 posts

Run the second.bat (or just second) file in your l2mfix folder and see if that gives you a log when it's done.

If not, boot into Safe Mode and run Ewido again. Save the report.

Restart and run L2MFix with Option #1 again. Post that log here and also the Ewido log. Run a new HijackThis scan and post that log too.

#13
jcdifi26

Posted 04 October 2005 - 04:08 AM

Member

Topic Starter
Member
14 posts

Running the "second" file worked the results along with a new hijackthis file are listed below. As a side note. My Easy CD Creator installer keeps popping up. I had this happen before on a computer. Is it some kind of virus? Thanks again.

L2Mfix 1.04a

Running From:
C:\Documents and Settings\COLLEEN CURRAN\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

Setting Directory
C:\Documents and Settings\COLLEEN CURRAN\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\COLLEEN CURRAN\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1880 'explorer.exe'
Killing PID 1880 'explorer.exe'
Killing PID 1880 'explorer.exe'
Killing PID 1880 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1504 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (164 bytes security) (deflated 66%)
adding: echo.reg (164 bytes security) (deflated 11%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: l2mfix.txt (164 bytes security) (deflated 61%)
adding: lo2.txt (164 bytes security) (deflated 74%)
adding: readme.txt (164 bytes security) (deflated 52%)
adding: report.txt (164 bytes security) (deflated 61%)
adding: test.txt (164 bytes security) (stored 0%)
adding: test2.txt (164 bytes security) (deflated 46%)
adding: test3.txt (164 bytes security) (deflated 46%)
adding: test5.txt (164 bytes security) (deflated 46%)
adding: backregs/2B8298DD-FCF7-45A0-9E95-E837D616D00D.reg (164 bytes security) (deflated 70%)
adding: backregs/8A9F9241-D4DC-40CD-97EF-5584CAD01276.reg (164 bytes security) (deflated 70%)
adding: backregs/97131B84-9935-4FFD-9A99-99436E849B03.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Warning (option /rga:(ci)) - There is no ACE to remove!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mgjdbc10.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{E4F760B6-6733-404A-A7C7-9CA5051EE9E6}"=-
"{97131B84-9935-4FFD-9A99-99436E849B03}"=-
"{2B8298DD-FCF7-45A0-9E95-E837D616D00D}"=-
"{05B77231-8B18-4BDA-8C77-B7CCD105C705}"=-
"{2A5C05B4-29BA-48DE-89C5-E427FD6F62A3}"=-
"{511D7F8B-3881-4F04-A040-864A15A72D01}"=-
"{ADFDF143-4E0E-4F7D-B290-28409F5350BE}"=-
"{C0BEF66E-F205-4A40-B5F7-8E1A0A71C455}"=-
"{1B707A2D-662A-4AB7-9C39-4C763042DC7D}"=-
"{D6FC26E3-263B-434C-93AE-280F01D20144}"=-
"{97C8584C-7F7F-4A39-91E5-865EFF0C1A3F}"=-
"{8A9F9241-D4DC-40CD-97EF-5584CAD01276}"=-
[-HKEY_CLASSES_ROOT\CLSID\{E4F760B6-6733-404A-A7C7-9CA5051EE9E6}]
[-HKEY_CLASSES_ROOT\CLSID\{97131B84-9935-4FFD-9A99-99436E849B03}]
[-HKEY_CLASSES_ROOT\CLSID\{2B8298DD-FCF7-45A0-9E95-E837D616D00D}]
[-HKEY_CLASSES_ROOT\CLSID\{05B77231-8B18-4BDA-8C77-B7CCD105C705}]
[-HKEY_CLASSES_ROOT\CLSID\{2A5C05B4-29BA-48DE-89C5-E427FD6F62A3}]
[-HKEY_CLASSES_ROOT\CLSID\{511D7F8B-3881-4F04-A040-864A15A72D01}]
[-HKEY_CLASSES_ROOT\CLSID\{ADFDF143-4E0E-4F7D-B290-28409F5350BE}]
[-HKEY_CLASSES_ROOT\CLSID\{C0BEF66E-F205-4A40-B5F7-8E1A0A71C455}]
[-HKEY_CLASSES_ROOT\CLSID\{1B707A2D-662A-4AB7-9C39-4C763042DC7D}]
[-HKEY_CLASSES_ROOT\CLSID\{D6FC26E3-263B-434C-93AE-280F01D20144}]
[-HKEY_CLASSES_ROOT\CLSID\{97C8584C-7F7F-4A39-91E5-865EFF0C1A3F}]
[-HKEY_CLASSES_ROOT\CLSID\{8A9F9241-D4DC-40CD-97EF-5584CAD01276}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Logfile of HijackThis v1.99.1
Scan saved at 6:01:46 AM, on 10/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\System32\msiexec.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\ImapiRox.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\Documents and Settings\COLLEEN CURRAN\Desktop\HijackThis.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\WINDOWS\System32\MsiExec.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\instant messenger\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} (Verizon Broadband Toolbar) - http://www2.verizon....oolbar/vzbb.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126230373812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127595346765
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\mgjdbc10.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe

#14
greyknight17

Posted 04 October 2005 - 08:11 AM

Malware Expert

Visiting Consultant
16,560 posts

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]

Save the file as "delete.reg". Make sure to save it with the quotes. Double click on it and choose Yes to merge it. You may delete the file afterwards.

Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\mgjdbc10.dll

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\mgjdbc10.dll

Restart and boot into Safe Mode to run another Ewido scan. Save the report. Restart and run a new HijackThis scan. Save the log file and post it here along with the Ewido log.

#15
jcdifi26

Posted 04 October 2005 - 06:25 PM

Member

Topic Starter
Member
14 posts

Here's the files. I could not delete the mgjdbc10.dll file. I tried doing it under several logons and in safe mode but it wouldn't let me. I'm very appreciative of what you're doing, however am I even close to being able to update windows?

Logfile of HijackThis v1.99.1
Scan saved at 8:22:33 PM, on 10/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\Documents and Settings\COLLEEN CURRAN\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netsc...com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\instant messenger\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} (Verizon Broadband Toolbar) - http://www2.verizon....oolbar/vzbb.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126230373812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127595346765
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\mgjdbc10.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:10:07 PM, 10/04/2005
+ Report-Checksum: F612592E

+ Scan result:

C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen curran@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen [email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen [email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen [email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen [email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen [email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen curran@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen curran@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Cookies\colleen [email protected][2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\841DB176-A3F1-4BA0-BA94-9049E8\08C5A6D8-20DB-4BDE-B052-ABEC2E -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Local Settings\Temp\jfghjfgudk.exe -> TrojanDownloader.IstBar.lq : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Local Settings\Temporary Internet Files\Content.IE5\4H0JELYH\istdownload[2].exe -> TrojanDownloader.IstBar.lq : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Local Settings\Temporary Internet Files\Content.IE5\KLMXWXG1\SRInstall4110[1].cab/BundleLite.exe -> Adware.Saha : Cleaned with backup
C:\Documents and Settings\COLLEEN CURRAN\Local Settings\Temporary Internet Files\Content.IE5\UBGBA76L\trk_0026[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\GABBY CURRAN\Cookies\gabby curran@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\GABBY CURRAN\Cookies\gabby [email protected][2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\GABBY CURRAN\Cookies\gabby curran@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\GABBY CURRAN\Cookies\gabby [email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\GABBY CURRAN\Cookies\gabby curran@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\GABBY CURRAN\Cookies\gabby [email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\GABBY CURRAN\Cookies\gabby [email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\GABBY CURRAN\Cookies\gabby curran@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\GABBY CURRAN\Cookies\gabby [email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe -> Spyware.Pacer : Cleaned with backup
C:\RECYCLER\S-1-5-21-1850456698-2437969446-162025716-1007\Dc16.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1\A0001010.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\SYSTEM32\sav2.exe -> TrojanDownloader.Agent.vp : Cleaned with backup

::Report End