
Zedo spyware and unremovable infections


#31 MatrixEquilibrium (Member, Topic Starter, 329 posts)

File/Folder C:\2.tmp/data0002 not found.
C:\2.tmp moved successfully.
File/Folder C:\3.tmp/stream/data0003 not found.
File/Folder C:\3.tmp/stream not found.
C:\3.tmp moved successfully.

Created on 09/12/2007 03:12:32




Logfile of HijackThis v1.99.1
Scan saved at 3:14:38 AM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\OTMoveIt.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://subhanallah.s...ad/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by112fd.bay11...ex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


#32 harrythook (Trusted Helper, Retired Staff, 2,618 posts)

Hey Matrix,
Still getting any warnings?

Harry

#33 MatrixEquilibrium (Member, Topic Starter, 329 posts)

I'm not sure what you mean by warnings...

But I'm still getting zedo popups and I've tried so many other scanners!

Was that c:/temp anything important? What was it exactly? And how is the zedo spyware hiding and evading detection?

-Matrix


PS: Did you check the Kaspersky log? Anything relevant?

#34 harrythook (Trusted Helper, Retired Staff, 2,618 posts)

> I'm not sure what you mean by warnings...
> But I'm still getting zedo popups

That's the warning/pop-up I asked about.

> Was that c:/temp anything important?

That's an indication of PurityScan; we will deal with that in a bit.

> Did you check the Kaspersky log? Anything relevant?

See above, we tried to remove what Kas showed.

Do this in the following order; you may want to print this out for reference.

1) Remove and re-install ComboFix:
  • Go to Add/Remove Programs and uninstall ComboFix.
  • Then follow these instructions: download ComboFix from Here or Here to your Desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

2) Run ATF-Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser: click Firefox at the top and choose: Select All, then click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: click Opera at the top and choose: Select All, then click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

3) Clear restore points:
  • Turn off System Restore: on the Desktop, right-click My Computer and click Properties.
  • Click the System Restore tab and check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.
  (Do not enable System Restore yet.)

At this point, please capture a screenshot of the pop-ups that you are receiving (Zedo) and post it so I can see exactly what we are dealing with.
Follow the instructions in order, and please confirm that everything runs correctly. Post logs that are produced, along with any other information that is generated.

Harry

#35 harrythook (Trusted Helper, Retired Staff, 2,618 posts)

Hey Matrix,
I am working on a solution to this.
Read ZEDO OPTOUT; this is interesting.
I would not choose the option of the "opt-out" cookie; let's continue on the path of preventing this popup altogether.

Harry

#36 MatrixEquilibrium (Member, Topic Starter, 329 posts)

Hi Harry,

Sorry - I've been gone for two days.

Anyway, I read what you sent about the OPT OUT - that might be even worse than trying to get rid of it manually. An adware site asking me if I want to opt out - click here! ? lol

I attached the log that ComboFix made.

Attached file: log.txt (12.02KB)


#37 MatrixEquilibrium (Member, Topic Starter, 329 posts)

I attached two images.

Usually the pop-up is the same; this time it was random. I went to imageshack and every time I uploaded an image, it took me to the upload.image link for it, and everything was fine, until I clicked on my uploaded image: it would open and a new window would open as well, zedo.

The word zedo minimized would redirect the link to the site. In one case it was a car site, the other something called sandybox.

I attached jpeg screen-shots.

Should I turn system restore back on?

Attached thumbnails: testing.jpg, testing2.jpg


#38 harrythook (Trusted Helper, Retired Staff, 2,618 posts)

Hey Matrix,
Let's take a look at something else; you should still have RegSearch on your desktop.

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]
core.sys
core.cache.dsk

[Exclude]

[Options]
Filter=KVDLUI


Run RegSearch as instructed in post #25; let's see the results :whistling:

Harry

#39 MatrixEquilibrium (Member, Topic Starter, 329 posts)

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 9/17/2007 7:09:38 PM for strings:
; 'core.sys'
; 'core.cache.dsk'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

#40 MatrixEquilibrium (Member, Topic Starter, 329 posts)

And 'yes' to the PM you sent.

I'm just wondering why it wasn't posted here? lol
ah..nvm

#41 harrythook (Trusted Helper, Retired Staff, 2,618 posts)

Hey Matrix, sorry for delays :wave:

> I'm just wondering why it wasn't posted here? lol

The original PM I drafted had my private email addy, I don't post that :)

Here we go:
Copy the contents of the code box below, then open Notepad. Paste it into Notepad and save to your desktop as zedo.bat (be sure to save it as file type all).

rem Export the whole Services key (every installed service and driver) as ANSI .reg text
regedit /a peek1.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
rem Append the export to the report, discard the temporary export, then open the report
type peek1.txt >> har.txt
del peek*.txt
start notepad har.txt

Close Notepad and locate the zedo.bat icon on your desktop. Double-click it and it should produce a report in a new Notepad window. Zip the results and post them; it will be a large amount of info.

Give me a bit to read the results,

Harry
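As an added example (not code from the thread or from the tools it names), the Python script below triages the REGEDIT4 text that the batch file above exports: it joins continuation lines, decodes the hex(2) ImagePath values and lists every service with its Start type, earliest-starting first, so unfamiliar boot or system drivers can be checked before the rest of the report. The embedded export is constructed; its "core" entry is a made-up driver named after the RegSearch string from post #38, not a finding.

```python
# Added example, not code from the thread: triage the REGEDIT4 text that zedo.bat exports.
import re
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
SERVICE_KEY = re.compile(r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]", re.I)
# Constructed sample in the shape "regedit /a" writes; "core" is a made-up driver named
# after the thread's RegSearch string, not a finding from the poster's machine.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aawservice]
"Start"=dword:00000002
"ImagePath"=hex(2):43,3a,5c,50,72,6f,67,5c,61,61,77,2e,65,78,65,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\core]
"Start"=dword:00000001
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,63,6f,72,65,2e,\
  73,79,73,00
"""

def decode_hex_value(payload):
    """hex(2) data is ANSI bytes in a /a export and UTF-16LE in a Version 5.00 export."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    text = raw.decode("utf-16-le") if raw[1:2] == b"\x00" else raw.decode("latin-1")
    return text.rstrip("\x00")

def parse_services(export_text):
    """Return {service_name: {value_name: value}} for values directly under each service key."""
    services, current, pending = {}, None, ""
    for raw_line in export_text.splitlines():
        line = pending + raw_line.strip()
        if line.endswith("\\"):  # hex data continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("["):  # any key line: enter a service, or leave it on its subkeys
            key = SERVICE_KEY.match(line)
            current = services.setdefault(key.group(1), {}) if key else None
            continue
        val = re.match(r'"([^"]+)"=(.*)', line)
        if current is None or not val:
            continue
        name, data = val.groups()
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif data.startswith("hex"):
            current[name] = decode_hex_value(data.split(":", 1)[1])
        elif data.startswith('"'):
            current[name] = data[1:-1]
    return services

def triage(export_text):
    """Rows of (name, start type, image path), earliest-starting services first."""
    rows = sorted((v.get("Start", 99), n, v.get("ImagePath", "")) for n, v in parse_services(export_text).items())
    return [(n, START_TYPES.get(s, "unknown"), p) for s, n, p in rows]
```

Run it against the real har.txt by reading the file with the mbcs codec and passing the text to triage(); a boot or system driver whose ImagePath you do not recognise is the kind of entry to look into first.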
#42 MatrixEquilibrium (Member, Topic Starter, 329 posts)

Yeah, the results are huge.

Interesting..

Attached file: har.zip (69.29KB)

Edited by MatrixEquilibrium, 21 September 2007 - 12:15 AM.


#43 harrythook (Trusted Helper, Retired Staff, 2,618 posts)

Hey Matrix,

> Yeah, the results are huge.

Yes, it is large, but it gives me an idea of the starting point for problems.

I am looking it over, give me a bit of time and hopefully I will find this rascal :)

Harry

#44 MatrixEquilibrium (Member, Topic Starter, 329 posts)

You still alive Harry?

;-)

#45 harrythook (Trusted Helper, Retired Staff, 2,618 posts)


> You still alive Harry?

Yep, and reading through 200 or so pages of info. . . .

And I am still researching, working on it.