hijack log(winfixer and other naughties) [RESOLVED]



#1 relmore (Member, 59 posts)

Edit: updated logs. I think I was able to remove Winfixer by reviewing other posts. I know I've got many other problems, as my logs show the following.


Incident Status Location

Adware:adware/statblaster No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WildApp.inf
Adware:adware/ezula No disinfected C:\WINDOWS\woinstall.exe
Adware:adware/esyndicate No disinfected Windows Registry
Adware:Adware/BrilliantDigital No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP926\A0087089.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP963\A0094118.exe
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\SYSTEM32\mllmk.dll

Logfile of HijackThis v1.99.1
Scan saved at 1:28:01 PM, on 11/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [rlKrFKB] C:\documents and settings\russ\local settings\temp\rlKrFKB.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [zYFJ6] C:\windows\system32\zYFJ6.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.c...cab/awswaxf.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1131919940921
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37390.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was c:\windows\system32\ssttt.dll

The second filepath entered was c:\windows\system32\tttss.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 156 'smss.exe'

Killing PID 724 'explorer.exe'


Killing PID 228 'winlogon.exe'
--------------------------------------------------------------------------------------

c:\windows\system32\ssttt.dll Deleted sucessfully.
c:\windows\system32\tttss.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------




While I've got ya reading, also:
I notice I'm running slower after installing the following:
WinPatrol
Microsoft anti-spyware
ZoneAlarm firewall
spywareblaster
iespy-ad
Ewido


Is this overkill? Or keep them all going?

Last thing, and I post this here because I was told in the other forum that it's malware related:

I keep getting this error when I try to run the SP1a update:

[Error number: 0x8DDD0007]
You need to restart your computer to finish installing a program or updates. You cannot view or get other updates from the site until you restart.
Read more about steps you can take to resolve this problem yourself.

Thanks, you guys rock

Edited by relmore, 16 November 2005 - 02:36 PM.


#2 relmore (Topic Starter, Member, 59 posts)

Edit: OK, I am learning slowly. I should not have replied to my post. Sorry about that.

Edited by relmore, 14 November 2005 - 10:53 PM.


#3 andydf (Visiting Staff, Visiting Consultant, 1,660 posts)

Hi relmore,
Welcome to Geeks to Go.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download and install CleanUp!
Close CleanUp!; we will run it later.

Next we need to make all files and folders VISIBLE:

Go to start>control panel>folder options>view (tab)
*choose to "show hidden files and folders,"
*uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
*Close the window with ok
*All hidden files will now be visible

Click This link for further help.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O4 - HKLM\..\Run: [rlKrFKB] C:\documents and settings\russ\local settings\temp\rlKrFKB.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [zYFJ6] C:\windows\system32\zYFJ6.exe

Now close all windows other than HiJackThis, then click Fix Checked.

Please delete these files using Windows Explorer (if present):
Use windows search facility if you have trouble finding these files.


C:\WINDOWS\System32\dp-him.exe
C:\windows\system32\zYFJ6.exe

After that, Reboot.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, if it does go ahead and reboot.

Then, please run this online virus scan: ActiveScan

If you would please, rescan with HijackThis and post a fresh log along with the active scan log in this same topic, and let us know how your system's working. :)

As for your application question.

WinPatrol (keep)
Microsoft anti-spyware (this is a beta release, down to personal choice)
ZoneAlarm firewall (keep)
spywareblaster (keep and update regularly; does not use system resources.)
iespy-ad (keep and update regularly; does not use system resources.)
Ewido (your choice but you will need to pay for it after the trial period has expired)

Andy :tazz:
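One way to screen a HijackThis log for the kinds of entries picked out by hand above (a hosts override, Run entries launching from a Temp folder or carrying random-looking names, and services whose binary is missing), as an added Python example that is not part of the thread and not HijackThis code. The log lines are a constructed subset of the one posted, the heuristics are illustrative, and a flagged entry still needs human review before fixing; the dp-him.exe entry, for instance, is not caught by these rules.

```python
"""Triage a HijackThis (v1.99) log with a few defender heuristics.

Added example, not code from the Geeks to Go thread or from HijackThis itself.
It parses the section-coded lines (R0, O1, O4, O23 ...) and flags entries that
match the indicators the helper picked out by hand: a hosts-file override,
a Run entry launching from a Temp folder, a Run entry with a random-looking
name, and a service whose binary is missing (stale, not active).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [rlKrFKB] C:\documents and settings\russ\local settings\temp\rlKrFKB.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [zYFJ6] C:\windows\system32\zYFJ6.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

# "O4 - <body>" section prefix, then the sub-formats of the bodies we inspect.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)
LOCALHOST = {"127.0.0.1", "::1"}


@dataclass
class Finding:
    section: str
    target: str           # host name or executable path the entry points at
    reasons: list = field(default_factory=list)


def looks_random(token: str) -> bool:
    """Short, vowel-less, and mixed-case or digit-bearing: e.g. zYFJ6, rlKrFKB.
    Vowel-less all-lowercase names such as hkcmd are deliberately not matched."""
    stem = re.sub(r"\.exe$", "", token, flags=re.IGNORECASE)
    if len(stem) > 8 or re.search(r"[aeiou]", stem, re.IGNORECASE):
        return False
    mixed_case = re.search(r"[a-z]", stem) and re.search(r"[A-Z]", stem)
    return bool(re.search(r"\d", stem) or mixed_case)


def triage(log_text: str) -> list:
    """Return one Finding per log entry that matches at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O1":
            h = HOSTS_RE.match(body)
            # Any hosts mapping that is not a loopback sinkhole is a redirect.
            if h and h.group("ip") not in LOCALHOST:
                findings.append(Finding(section, h.group("host"),
                                        ["hosts file redirects %s to %s" % (h.group("host"), h.group("ip"))]))
        elif section == "O4":
            r = RUN_RE.match(body)
            if not r:          # e.g. "Global Startup" entries are left for manual review
                continue
            e = EXE_RE.match(r.group("cmd"))
            path = e.group("path") if e else r.group("cmd")
            reasons = []
            if "\\temp\\" in path.lower():
                reasons.append("runs from a Temp folder")
            if looks_random(r.group("name")) or looks_random(path.rsplit("\\", 1)[-1]):
                reasons.append("random-looking name")
            if reasons:
                findings.append(Finding(section, path, reasons))
        elif section == "O23" and body.endswith("(file missing)"):
            e = re.search(r"(?P<path>[A-Z]:\\.*?\.exe)", body, re.IGNORECASE)
            if e:
                findings.append(Finding(section, e.group("path"),
                                        ["service binary missing (stale entry, not active)"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-3s %s\n    %s" % (f.section, f.target, "; ".join(f.reasons)))
```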

#4 relmore (Topic Starter, Member, 59 posts)

Hi andydf, and thanks for your help. System is running decently. I had already obtained and run CleanUp! several times but did so again just as your directions instructed. Here are the new logs, updated at 3:00 pm Nov. 17th:



Incident Status Location

Adware:adware/statblaster No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WildApp.inf
Adware:adware/ezula No disinfected C:\WINDOWS\woinstall.exe
Adware:adware/esyndicate No disinfected Windows Registry
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\SYSTEM32\mllmk.dll

Logfile of HijackThis v1.99.1
Scan saved at 3:02:55 PM, on 11/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.c...cab/awswaxf.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1131919940921
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37390.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Edited by relmore, 17 November 2005 - 03:03 PM.


#5 andydf (Visiting Staff, Visiting Consultant, 1,660 posts)

Hi relmore

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Please download the Killbox by Option^Explicit.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINDOWS\DOWNLOADED PROGRAM FILES\WildApp.inf
C:\WINDOWS\woinstall.exe
C:\WINDOWS\Downloaded Program Files\WildApp.inf
C:\WINDOWS\SYSTEM32\mllmk.dll


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.

After reboot, post a new HiJackThis log here.

It will be better to update to SP2, but only after your PC is clean. Have a look at the post below; it may help you with the problem.

http://www.geekstogo...ndpost&p=247640

Andy :tazz:

#6 relmore (Topic Starter, Member, 59 posts)

When I click the red and white button it says:
No file
There is no path to file in the destination box, you must list the file or use the Dummy.
Shall I click use the Dummy?

#7 andydf (Visiting Staff, Visiting Consultant, 1,660 posts)

Hi relmore

Follow the instructions again, but put the files below into Killbox. If Killbox cannot find the first file in the list it will not work.

C:\WINDOWS\woinstall.exe
C:\WINDOWS\SYSTEM32\mllmk.dll

After the reboot, look for and delete the following file.

C:\WINDOWS\DOWNLOADED PROGRAM FILES\WildApp.inf

Andy :tazz:

#8 relmore (Topic Starter, Member, 59 posts)

OK, using Killbox I removed the first 2 and successfully rebooted. After reboot I ran a search and looked with Explorer for the WildApp file but could not locate it. I ran Killbox and entered the WildApp location and deleted it and rebooted. Here is the new log. Also, I do have a new problem. I keep getting in my I.E. browser: page cannot be displayed, like I've lost connection. This only happens with the ZoneLabs firewall running and clears right up when I shut it down. Any suggestions? I tried reinstalling, which worked temporarily, but now it is doing it again.

Looks like I have a few things still. Thanks.



Incident Status Location

Adware:adware/esyndicate No disinfected Windows Registry
Adware:Adware Program No disinfected C:\!KillBox\WildApp.inf
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\SYSTEM32\mllmk.dll



Logfile of HijackThis v1.99.1
Scan saved at 4:30:13 PM, on 11/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\ewido\security suite\ewidoguard.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.c...cab/awswaxf.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1131919940921
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37390.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Edited by relmore, 17 November 2005 - 05:35 PM.


#9 andydf (Visiting Staff, Visiting Consultant, 1,660 posts)

Hi relmore

Please ensure Ewido is fully updated.

Once the updates are installed do the following:
  • Boot into Safe Mode: restart your computer. After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear; select the first option, to run Windows in Safe Mode.
  • Open Ewido
  • Click on scanner
  • Click on Complete System Scan and the scan will begin. Do not open any windows/programs for the duration of the scan.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Please post the Ewido report and a new HJT log in your reply.

Andy :tazz:

#10 relmore (Topic Starter, Member, 59 posts)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:07:57 PM, 11/18/2005
+ Report-Checksum: D79A9F3

+ Scan result:

C:\Documents and Settings\RUSS\Local Settings\Temporary Internet Files\Content.IE5\GTE7SLYZ\mm[2].js -> Spyware.Chitika : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 4:10:48 PM, on 11/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.c...cab/awswaxf.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1131919940921
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37390.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Hi andy,
Thanks again for helping. Everything is running pretty smooth at the moment. I'd like to upgrade to SP2 as soon as possible, but I probably have something lurking around still.
I am about to run another Panda ActiveScan to see what it comes up with and will post it as soon as she's done scanning.


Incident Status Location

Adware:adware/esyndicate No disinfected Windows Registry
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\mllmk.dll
Adware:Adware Program No disinfected C:\!KillBox\WildApp.inf
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP968\A0097030.dll

Edited by relmore, 18 November 2005 - 04:45 PM.


#11 andydf (Visiting Staff, Visiting Consultant, 1,660 posts)

Hi relmore

OK, your log looks clean; however, the ActiveScan shows one item left:

Adware:adware/esyndicate No disinfected Windows Registry

The others are in your System Restore folder (which we will sort later) and in the Killbox backup folder; they are not active :)

I would like to run another automated scan to get rid of it.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under to "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Also give ActiveScan another run and let's see what happens.

Andy :tazz:

#12 relmore (Topic Starter, Member, 59 posts)

********
12:44 AM: | Start of Session, Sunday, November 20, 2005 |
12:44 AM: Spy Sweeper started
12:44 AM: Sweep initiated using definitions version 575
12:44 AM: Starting Memory Sweep
12:46 AM: Memory Sweep Complete, Elapsed Time: 00:01:47
12:46 AM: Starting Registry Sweep
12:46 AM: Found Adware: minigolf
12:46 AM: HKLM\software\minigolf\ (ID = 135062)
12:46 AM: Found Adware: websearch toolbar
12:46 AM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (8 subtraces) (ID = 146518)
12:46 AM: Found Adware: wildmedia
12:46 AM: HKCR\interface\{851f86c9-d3cc-4574-93f5-40e2d65159e4}\ (8 subtraces) (ID = 146695)
12:46 AM: HKLM\software\classes\interface\{851f86c9-d3cc-4574-93f5-40e2d65159e4}\ (8 subtraces) (ID = 146709)
12:46 AM: HKLM\software\microsoft\windows\currentversion\uninstall\wbcm\ (4 subtraces) (ID = 146959)
12:46 AM: Found Adware: superbar
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\ (80 subtraces) (ID = 143242)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\ || client update (ID = 143243)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\ || force update (ID = 143244)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ (66 subtraces) (ID = 143247)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || 7search (ID = 143248)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || ah-ha (ID = 143249)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || alexa (ID = 143250)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || aol.co.uk (ID = 143251)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || askjeeves.co.uk (ID = 143252)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || askjeeves.com (ID = 143253)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || dogpile (ID = 143254)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || espotting (ID = 143255)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || fireball (ID = 143256)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || freenet (ID = 143257)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || goclick (ID = 143258)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || google.ch (ID = 143259)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || google.co.uk (ID = 143260)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || google.de (ID = 143261)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || google.fr (ID = 143262)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || google.it (ID = 143263)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || google (ID = 143264)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || greasycow (ID = 143265)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || hotbot (ID = 143266)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || infospace (ID = 143267)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || iwon (ID = 143268)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || kanoodle (ID = 143269)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || libero (ID = 143270)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || lookseek (ID = 143271)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || looksmart.co.uk (ID = 143272)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || looksmart (ID = 143273)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || lycos.co.uk (ID = 143274)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || lycos.de (ID = 143275)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || lycos.es (ID = 143276)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || lycos.fr (ID = 143277)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || lycos.it (ID = 143278)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || lycos (ID = 143279)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || msn.ch (ID = 143280)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || msn.co.uk (ID = 143281)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || msn.de (ID = 143282)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || msn.es (ID = 143283)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || msn.fr (ID = 143284)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || msn.it (ID = 143285)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || msn.se (ID = 143286)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || msn (ID = 143287)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || passagen (ID = 143288)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || search.ch (ID = 143289)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || search123 (ID = 143290)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || search (ID = 143291)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || spray (ID = 143292)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || supereva (ID = 143293)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || t-online (ID = 143294)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || tiscali (ID = 143295)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || virgilio (ID = 143296)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || voila (ID = 143297)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || web (ID = 143298)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || xuppa (ID = 143299)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || yahoo.co.uk (ID = 143300)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || yahoo.de (ID = 143301)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || yahoo.es (ID = 143302)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || yahoo.fr (ID = 143303)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || yahoo.it (ID = 143304)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || yahoo.se (ID = 143305)
12:46 AM: HKU\WRSS_Profile_S-1-5-21-3662261806-963669371-3522591783-501\software\superbar\engines\ || yahoo (ID = 143306)
12:46 AM: Found Adware: esyndicate bho
12:46 AM: HKU\S-1-5-21-3662261806-963669371-3522591783-1006\software\esyn\ (6 subtraces) (ID = 125844)
12:47 AM: Registry Sweep Complete, Elapsed Time:00:00:21
12:47 AM: Starting Cookie Sweep
12:47 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:47 AM: Starting File Sweep
12:47 AM: Found Adware: limeshop
12:47 AM: c:\program files\limeshop (25 subtraces) (ID = -2147480733)
12:47 AM: Found Adware: ebates money maker
12:47 AM: browsers.dls (ID = 59483)
12:54 AM: limeshop_readme.txt (ID = 65532)
1:00 AM: wildapp.inf (ID = 69911)
1:01 AM: File Sweep Complete, Elapsed Time: 00:14:34
1:01 AM: Full Sweep has completed. Elapsed time 00:16:47
1:01 AM: Traces Found: 278
1:20 AM: Removal process initiated
1:20 AM: Quarantining All Traces: websearch toolbar
1:20 AM: Quarantining All Traces: wildmedia
1:20 AM: Quarantining All Traces: ebates money maker
1:20 AM: Quarantining All Traces: esyndicate bho
1:20 AM: Quarantining All Traces: limeshop
1:20 AM: Quarantining All Traces: minigolf
1:20 AM: Quarantining All Traces: superbar
1:21 AM: Removal process completed. Elapsed time 00:00:21
********
12:43 AM: | Start of Session, Sunday, November 20, 2005 |
12:43 AM: Spy Sweeper started
12:44 AM: Your spyware definitions have been updated.
12:44 AM: | End of Session, Sunday, November 20, 2005 |


ActiveScan results
Incident Status Location

Adware:adware/savenow No disinfected Windows Registry
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\mllmk.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP968\A0097030.dll
Adware:Adware Program No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP970\A0097228.inf

Thanks for your continuing :tazz:

#13 andydf (Visiting Staff, Visiting Consultant, 1,660 posts)
Hi relmore

Looks like Spysweeper got rid of a few more things as well :)

Please do the following
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Andy :tazz:

#14 relmore (Topic Starter, Member, 59 posts)
Yes sir, it did :tazz: Why is Panda still picking up a Virtumonde malicious file?

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager (Remove Only)
Alarm Clock v1.0
AOL Instant Messenger
Broadcom Advanced Control Suite
Classic PhoneTools
CleanUp!
Conexant HSF V92 56K Data Fax PCI Modem
Dell Digital Jukebox Driver
Dell Modem-On-Hold
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support
Digital Line Detect
DivX Codec
Easy CD Creator 5 Basic
ewido security suite
HijackThis 1.99.1
Internet Explorer Q831167
iTunes
Java 2 Runtime Environment Standard Edition v1.3.1_04
Java 2 Runtime Environment, SE v1.4.2_05
Lavasoft VX2 Cleaner
LimeWire 4.9.30
Macromedia Flash Player 8
Microsoft AntiSpyware
Modem Helper
MUSICMATCH® Jukebox
Paint Shop Pro 7
Panda ActiveScan
Pop-Up Stopper Free Edition
QuickTime
RealPlayer
Shockwave
Spy Sweeper
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q819696
WinPatrol
WordPerfect Office 2002
WordPerfect Office 2002
ZoneAlarm

#15 andydf (Visiting Staff, Visiting Consultant, 1,660 posts)
Hi relmore

Unfortunately, the entry I was hoping to see wasn't there.

To answer your question: ActiveScan is picking up Virtumonde in the System Restore folder. It is not active unless you use the System Restore feature. We will clear this out, but it is best to leave a restore point in case something goes wrong; however, we can reduce the folder size so any further ActiveScans are a little quicker. It is also picking it up in the KillBox folder; again, it is not active, and it is safe to delete the file from that folder.
C:\!KillBox\mllmk.dll <-- delete this file

Next
Step #1 - Create a New Restore Point

Go to Start > Programs > Accessories > System Tools > System Restore > Create a New Restore Point.

Step #2 - Flush All Previous Points

Go to Start > Programs > Accessories > System Tools > Disk Cleanup > "More Options" tab > Remove All But Most Recent Point. Click Cleanup.
Make sure Spy Sweeper is fully updated.

Next, reboot into Safe Mode.
Open Spy Sweeper and run the scan.
Do not open any other windows/programs for the duration of the scan.

Please run ActiveScan again and post back with the Spy Sweeper and ActiveScan logs, plus a new HJT log.

Andy :tazz:
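Added example, not from this thread or from any of the tools it uses: a small Python triage script that applies the rule Andy gives above (and in his earlier reply) to an ActiveScan report, separating detections that sit in the System Restore folder or the KillBox backup folder from files that are genuinely live. The report layout is reconstructed from the lines pasted in this thread; the "Disinfected" status value, the KillBox path as the only quarantine location, and the live SYSTEM32 copy in the sample are assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the Panda ActiveScan report layout pasted in this thread
# (detection, status, location). The last line is an assumed live copy added to
# show the contrast; the others are the entries visible in the thread.
SAMPLE_REPORT = r"""
Incident Status Location

Adware:adware/savenow No disinfected Windows Registry
Spyware:Spyware/Virtumonde No disinfected C:\!KillBox\mllmk.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP968\A0097030.dll
Adware:Adware Program No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP970\A0097228.inf
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\SYSTEM32\mllmk.dll
"""

# "No disinfected" is the only status this thread shows; "Disinfected" is an
# assumed alternative so the parser does not choke on a report from a clean-up run.
LINE_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<status>No disinfected|Disinfected)\s+(?P<location>.+)$"
)
# XP keeps restore-point copies under System Volume Information\_restore{GUID}\RPnnn\
RESTORE_RE = re.compile(r"^[a-z]:\\system volume information\\_restore\{", re.I)
# Assumed quarantine locations: only the KillBox backup folder seen in the thread.
QUARANTINE_DIRS = ("\\!killbox\\",)


@dataclass
class Finding:
    name: str
    status: str
    location: str
    category: str  # live | restore_point | quarantine | registry


def classify(location: str) -> str:
    """Decide whether a detection location can actually execute on the running system."""
    if location.strip().lower() == "windows registry":
        return "registry"  # a key or value, not a file: check what it launches
    low = location.lower()
    if RESTORE_RE.match(low):
        return "restore_point"  # dormant unless System Restore reinstates the point
    if any(q in low for q in QUARANTINE_DIRS):
        return "quarantine"  # backup copy made by the removal tool; not loaded
    return "live"  # on-disk file outside any holding area: still needs removal


def triage(report: str) -> list[Finding]:
    """Parse an ActiveScan report and tag every detection with its category."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.startswith("Incident"):
            continue  # blank line or the column header
        m = LINE_RE.match(line)
        if m is None:
            # Surface unknown layouts instead of silently dropping a detection.
            raise ValueError(f"unrecognised ActiveScan line: {line!r}")
        findings.append(
            Finding(m["name"], m["status"], m["location"], classify(m["location"]))
        )
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group locations by category so the live ones stand out from the dormant copies."""
    groups: dict[str, list[str]] = defaultdict(list)
    for f in findings:
        groups[f.category].append(f.location)
    return dict(groups)


if __name__ == "__main__":
    for category, locations in summarize(triage(SAMPLE_REPORT)).items():
        print(f"{category}:")
        for loc in locations:
            print(f"  {loc}")
```

Anything reported under "live" is what still has to be dealt with; "restore_point" entries disappear once the old restore points are flushed as described above, and "quarantine" entries go when the KillBox backup is deleted. A "registry" hit gives no file path, so the key itself has to be inspected to see what it points at.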