Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

pokapoka and yupsearch [RESOLVED]

Started by anhishere , Oct 09 2005 10:45 PM

  • This topic is locked This topic is locked

#1
anhishere
Posted 09 October 2005 - 10:45 PM

anhishere

    Member

  • Member
  • PipPip
  • 15 posts
Hi, you've had a few similar posts to this one about someone's friend sending a file over AIM and then the foolish friend naively opening the file... well that's what happened to me. :tazz: I opened some file and then lockx.exe and pokapoka70.exe started appearing on my computer along with some yupsearch.com toolbar with all the info located in C:\WINDOWS\etb

I have manually been able to get rid of lockx.exe, but I'm not entirely sure about the yupsearch.com bar and the pokapoka thing which has managed to mutate into pokapoka72.exe, 73, 74 and most recently, 75. I think I've tried manually getting rid of them and using the recommended programs (a-squared, adaware, spybot, ewido, trend micro, etc.) Most of them worked, ewido and trend micro froze... Anywho, even though they're not physically there, my computer has been kind of slow lately (at least it works now). Please check my HijackThis log!!

Logfile of HijackThis v1.99.1
Scan saved at 12:32:30 AM, on 10/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;<local>
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\pmkji.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [explorez] smsc.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\RunServices: [explorez] smsc.exe
O4 - HKCU\..\Run: [explorez] smsc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunOnce: [untd_recovery] C:\Program Files\NetZero\qsacc\x1exec.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted IP range: 213.159.117.133 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D2F6C2C-C514-4777-B022-6175E3162076}: NameServer = 64.136.20.121 64.136.28.121
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmkji - C:\WINDOWS\System32\pmkji.dll
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
  • 0

Advertisements

#2
greyknight17
Posted 10 October 2005 - 10:40 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download LQFix http://users.telenet...tools/LQfix.exe and run it. Click on Next->Next->Install. Click Finish to launch LQfix. Follow the screen prompts. Your system will reboot afterwards. Please wait for the script to finish in the background at this time...

Please download VundoFix.exe at http://www.atribune....ds/VundoFix.exe to your desktop.

* Double-click VundoFix.exe to extract the files.
* After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key (or F5 in some machines) until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
* Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
* Please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\System32\pmkji.dll

* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* When asked for a second path, enter -> C:\WINDOWS\System32\ijkmp.*
* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* The fix will run then HijackThis will open.
* In HijackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\pmkji.dll
O4 - HKLM\..\Run: [explorez] smsc.exe
O4 - HKLM\..\RunServices: [explorez] smsc.exe
O4 - HKCU\..\Run: [explorez] smsc.exe
O15 - Trusted IP range: 213.159.117.133 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O20 - Winlogon Notify: pmkji - C:\WINDOWS\System32\pmkji.dll

Delete this file if found -> smsc.exe

* After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
* Pressing any key will cause a 'Blue Screen of Death' this is normal, do not worry!
* Once your machine reboots please continue with the instructions below.

Download and install CleanUp! http://www.greyknigh...spy/CleanUp.exe

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click 'Options...'
Move the arrow down to 'Custom CleanUp!'
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK. Press the CleanUp! button to start the program.
It may ask you to reboot at the end, click NO.

Then, please run an online virus scan at ActiveScan http://www.pandasoft.../activescan.htm

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
  • 0

#3
anhishere
Posted 10 October 2005 - 10:47 PM

anhishere

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi, thanks for the help and fast reply. I follwed your directions, and here are the VundoFix, HijackThis, and ActiveScan logs:

VundoFix

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Suspending PID 128 'smss.exe'
Threads [132][136][140]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 696 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 204 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.


HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 12:43:28 AM, on 10/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;<local>
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunOnce: [untd_recovery] C:\Program Files\NetZero\qsacc\x1exec.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted IP range: 213.159.117.133 (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D2F6C2C-C514-4777-B022-6175E3162076}: NameServer = 64.136.28.120 64.136.20.120
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe


ActiveScan


Incident Status Location

Spyware:spyware/localnrd No disinfected C:\WINDOWS\INF\localNrd.inf
Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\polall1r.inf
Adware:adware/blazefind No disinfected C:\WINDOWS\Key2.txt
Dialer:dialer.bb No disinfected C:\WINDOWS\questmod.dll
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\toolbar.exe
Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\InetGet
Adware:adware/elitebar No disinfected C:\Documents and Settings\Anh Ha\Favorites\Casino & Carrers
Adware:adware/gator No disinfected Windows Registry
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Anh Ha\Application Data\hgv?e.exe
Adware:Adware/CWS No disinfected C:\Documents and Settings\Anh Ha\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fd9f626-6e466981.class
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Anh Ha\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-31f00108-67c48d7c.zip[InstallerApplet.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Anh Ha\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv15.jar-cdc1c56-2a31a012.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Anh Ha\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv15.jar-cdc1c56-2a31a012.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Anh Ha\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv15.jar-cdc1c56-2a31a012.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Anh Ha\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv15.jar-cdc1c56-2a31a012.zip[Parser.class]
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0030361.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0030363.dll
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0030372.bat
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0030392.dll
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0031387.bat
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0031393.dll
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0031394.bat
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0031399.bat
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0031421.dll
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0032417.bat
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0032422.dll
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0032428.bat
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0032435.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0032436.dll
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0032452.bat
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0032466.bat
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0032498.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0032504.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0032507.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0032521.dll
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0032524.bat
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0032527.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP585\A0032563.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP585\A0032575.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP586\A0032583.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP586\A0032585.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP586\A0032586.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP586\A0032623.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP586\A0032632.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP586\A0032633.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0032655.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0032672.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP588\A0032742.exe
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP588\A0032744.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP593\A0032965.exe
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP593\A0032968.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP593\A0032983.exe
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP593\A0032985.exe
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP599\A0033060.dll
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP602\A0047629.exe
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP602\A0047630.exe
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP602\A0047634.dll
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\INF\localNrd.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\polall1r.inf
Adware:Adware/WinTools No disinfected C:\WINDOWS\Key2.txt
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\KS.EXE
Adware:Adware/Imibar No disinfected C:\WINDOWS\systb.exe
Virus:W32/Sasser.ftp Disinfected C:\WINDOWS\SYSTEM32\cmd.ftp
Virus:W32/Sdbot.FEN.worm Disinfected C:\WINDOWS\SYSTEM32\lockx.exe
Virus:Worm Generic.GA Disinfected C:\WINDOWS\SYSTEM32\ntconfig.exe
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\SYSTEM32\sstqo.dll
Virus:W32/Gaobot.XA.worm Disinfected C:\WINDOWS\SYSTEM32\TFTP2744
Virus:W32/Gaobot.XA.worm Disinfected C:\WINDOWS\SYSTEM32\TFTP3336
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\?ttrib.exe
Virus:Trj/Downloader.RW Disinfected C:\WINDOWS\toolbar.exe
  • 0

#4
greyknight17
Posted 11 October 2005 - 07:07 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Check and fix this in HijackThis:

O15 - Trusted IP range: 213.159.117.133 (HKLM)

Do a search for ?ttrib.exe and right click on any of the files found. Go to Properties->Version tab and see if it's from Microsoft. Do this for each file found. If it's not from Microsoft (or doesn't even have a version tab) and it was created recently, then delete it.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

c:\documents and settings\anh ha\application data\hgv?e.exe
c:\documents and settings\anh ha\favorites\casino & carrers\
c:\program files\common files\inetget\
c:\program files\common files\inetget2\
c:\windows\inf\localnrd.inf
c:\windows\inf\polall1r.inf
c:\windows\key2.txt
c:\windows\ks.exe
c:\windows\questmod.dll
c:\windows\systb.exe
c:\windows\system32\oqtss.*
c:\windows\system32\sstqo.dll
c:\windows\toolbar.exe

If you get a PendingOperations message, just close it and restart your computer manually.

Restart and make sure you can't find these files/folders anymore (if found, just delete them):

c:\documents and settings\anh ha\application data\hgv?e.exe
c:\documents and settings\anh ha\favorites\casino & carrers\
c:\program files\common files\inetget\
c:\program files\common files\inetget2\
c:\windows\inf\localnrd.inf
c:\windows\inf\polall1r.inf
c:\windows\key2.txt
c:\windows\ks.exe
c:\windows\questmod.dll
c:\windows\systb.exe
c:\windows\system32\oqtss.*
c:\windows\system32\sstqo.dll
c:\windows\toolbar.exe

Restart and run a new Panda scan. Post that log here along with a new HijackThis log.
  • 0

#5
anhishere
Posted 12 October 2005 - 07:25 PM

anhishere

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 9:20:00 PM, on 10/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://my.netzero.ne...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride =

64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;

*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinne

r.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.c

om;*.networkassociates.com;<local>
R3 - URLSearchHook: URLSearchHook Class -

{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program

Files\NZSearch\SearchEnh1.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} -

C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -

c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar2.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program

Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media

Experience\PCMService.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe"

/checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [LMPDPSRV]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe

"C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update

Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader

5.0 Sprint\CAgent.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe"

/startup
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program

Files\NetZero\qsacc\x1exec.exe"
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program

Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program

Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program

files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program

files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program

files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program

files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality -

res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality -

res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program

files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program

files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file

missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no

file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -

http://housecall60.t...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://acs.pandasoft...free/asinst.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{4D2F6C2C-C514-4777-B022-6175E3162076}:

NameServer = 64.136.20.121 64.136.28.121
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks

Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. -

C:\WINDOWS\System32\npkcsvc.exe


Pandascan


Incident Status Location

Adware:adware/ipinsight No disinfected C:\WINDOWS\alchem.ini
Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\InetGet
Adware:adware/elitebar No disinfected C:\Documents and Settings\Anh Ha\Favorites\Casino & Carrers
Adware:adware/blazefind No disinfected Windows Registry
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Anh Ha\Application Data\hgv?e.exe
Adware:Adware/CWS No disinfected C:\Documents and Settings\Anh Ha\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fd9f626-6e466981.class
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Anh Ha\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-31f00108-67c48d7c.zip[InstallerApplet.class]
Spyware:Spyware/LocalNRD No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000015.inf
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000016.inf
Adware:Adware/MediaTickets No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000017.EXE
Adware:Adware/Imibar No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000019.exe
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000020.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\?ttrib.exe
  • 0

#6
greyknight17
Posted 12 October 2005 - 09:46 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please make sure that Word Wrap is turned OFF in Notepad before you post your HijackThis log next time. As you can see, the formatting it creates (see the log you posted) makes it harder for us to read it.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Click on Start->Settings->Control Panel->Java Plug-in and click on the Cache tab. Then click on the Clear button and hit OK.

Delete these if found:

C:\WINDOWS\alchem.ini
C:\PROGRAM FILES\COMMON FILES\InetGet
C:\PROGRAM FILES\COMMON FILES\InetGet2
C:\Documents and Settings\Anh Ha\Favorites\Casino & Carrers
C:\Documents and Settings\Anh Ha\Application Data\hgv?e.exe

Do a search for ?ttrib.exe and right click on any of the files found. Go to Properties->Version tab and see if it's from Microsoft. Do this for each file found. If it's not from Microsoft (or doesn't even have a version tab) and it was created recently, then delete it.

Restart and run a new Panda scan. Post that log here.
  • 0

#7
anhishere
Posted 13 October 2005 - 08:08 PM

anhishere

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Sorry about the Notepad thing... blame my sister :tazz:

Here's the PandaScan:


Incident Status Location

Adware:adware/elitebar No disinfected C:\Documents and Settings\Anh Ha\Favorites\Finances & Business
Adware:adware/blazefind No disinfected Windows Registry
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Anh Ha\Application Data\hgv?e.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\?ttrib.exe
  • 0

#8
greyknight17
Posted 13 October 2005 - 08:18 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
This is not good. I want you to check Ewido for any updates.
If you are having problems with the updater, you can go to http://www.ewido.net...wnload/updates/ to update manually.

Boot into Safe Mode.

Now open Ewido and do a scan on your system.

* Click on scanner.
* Click on 'Complete System Scan' and the scan will begin.
* While the scan is in progress you will be prompted to clean the first infected file it finds. Choose 'Remove', then put a check next to 'Perform action on all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
* Once the scan has completed, there will be a button located on the bottom of the screen named 'Save report'.
* Click 'Save report'.
* Save the report to your desktop.

Restart and run a new Panda scan. Post that log here along with the Ewido log and a new HijackThis log (no word wrap please :tazz:).
  • 0

#9
anhishere
Posted 16 October 2005 - 04:43 PM

anhishere

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Sorry it took so long to reply. I've been quite busy.

Here's Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:13:20 AM, 10/15/2005
+ Report-Checksum: 3BD8ED15

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{18E6C36A-C45F-4B60-A1A4-5C0BB16D4CC2} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{18E6C36A-C45F-4B60-A1A4-5C0BB16D4CC2}\TypeLib\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Error during cleaning
C:\Documents and Settings\Anh Ha\Application Data\hgvвe.exe -> TrojanDownloader.Agent.df : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Gator : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\e0v7dj6p.Anh\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Anh Ha\Application Data\Mozilla\Firefox\Profiles\z49ww722.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Anh Ha\Cookies\anh ha@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Anh Ha\Cookies\anh [email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Anh Ha\Cookies\anh ha@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Anh Ha\Cookies\anh ha@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Anh Ha\Cookies\anh ha@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Anh Ha\Cookies\anh ha@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Anh Ha\Cookies\anh ha@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Anh Ha\Cookies\anh [email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Anh Ha\Cookies\anh ha@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Anh Ha\Cookies\anh ha@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Anh Ha\Cookies\anh ha@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Anh Ha\Cookies\anh ha@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\WINDOWS\SYSTEM32\scrgrd.exe -> Backdoor.Rbot.15 : Cleaned with backup
C:\WINDOWS\SYSTEM32\TFTP1384 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\SYSTEM32\TFTP2588 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\SYSTEM32\TFTP3376 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\SYSTEM32\TFTP3680 -> Backdoor.Rbot.15 : Cleaned with backup
C:\WINDOWS\SYSTEM32\TFTP3820 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\SYSTEM32\TFTP3952 -> Backdoor.Rbot.15 : Cleaned with backup
C:\WINDOWS\SYSTEM32\TFTP4664 -> Backdoor.Rbot.15 : Cleaned with backup


::Report End


Panda ActiveScan



Incident Status Location

Adware:adware/elitebar No disinfected C:\Documents and Settings\Anh Ha\Favorites\Finances & Business
Adware:adware/blazefind No disinfected Windows Registry
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000072.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\?ttrib.exe
  • 0

#10
greyknight17
Posted 16 October 2005 - 05:43 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Where is the new HijackThis log (without the word wrap)?

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Delete this folder:

C:\Documents and Settings\Anh Ha\Favorites\Finances & Business

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a}]

Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

Do a search for ?ttrib.exe and right click on any of the files found. Go to Properties->Version tab and see if it's from Microsoft. Do this for each file found. If it's not from Microsoft (or doesn't even have a version tab) and it was created recently, then delete it.
  • 0

#11
anhishere
Posted 17 October 2005 - 10:23 PM

anhishere

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I am so inept, it's scary.... here's the new HijackThis log and a Pandascan thing just in case:

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 11:04:15 PM, on 10/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe


PandaScan


Incident Status Location

Adware:adware/elitebar No disinfected C:\Documents and Settings\Anh Ha\Favorites\Health & Insurance
Adware:adware/blazefind No disinfected Windows Registry
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\?ttrib.exe
  • 0

#12
greyknight17
Posted 18 October 2005 - 03:36 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Did you do the steps I just gave you in Post #10? That should do it once you did that...

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#13
anhishere
Posted 18 October 2005 - 08:09 PM

anhishere

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Wahoo! Yeah I followed those steps in post #10. Thanks for all the help ^____________________^

My computer's running fine now.
  • 0

#14
anhishere
Posted 18 October 2005 - 08:10 PM

anhishere

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Wahoo! Yeah I followed those steps in post #10. Thanks for all the help ^____________________^

My computer's running fine now.
  • 0

#15
greyknight17
Posted 18 October 2005 - 10:23 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP