Unsolved

July 9th, 2006 01:00

MAJOR PopUp problem- Trojan Downloader, Network Monitor, VX2, etc...HijackThis log file posted.HELP!

Hi,
My computer has terrible pop-ups. Here are a few things Spyware Doctor found:
 
network monitor command (webroot)
trojan.downloader
vx2Look2Me
Dollar Revenue
SP2Update
About:Blank
Worm.WGAVII
Apropus Media
...there's more, I believe.
Here is the HijackThis logfile... hope I did it correctly. Thanks so much for your help!
 
Logfile of HijackThis v1.99.1
Scan saved at 9:35:34 PM, on 7/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\AOL\1137622810\ee\AOLSoftware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\lvbqsyjA.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wmapsrvs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - Default URLSearchHook is missing
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137622810\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [lvbqsyjA] C:\WINDOWS\lvbqsyjA.exe
O4 - HKLM\..\Run: [zrx8553c] RUNDLL32.EXE w0030592.dll,n 0018553b000000030030592
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105896564306
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.ritzpix.com/upload/FujifilmUploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: Media Center - C:\WINDOWS\system32\d40mled11h0.dll (file missing)
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\FISTIFF.DLL
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\FOSAPI.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmapsrvs.exe
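The HijackThis log above is read by hand in this thread. As an added example (not code from the thread, from HijackThis or from any of the tools named here), the script below parses lines in the HijackThis v1.99.1 format and applies the kind of triage rules a helper applies when reading one: rundll32 entries that load a DLL by bare name, random-looking executables autostarting straight from the Windows directory, altered Winsock LSP chains (O10), non-default or orphaned Winlogon Notify DLLs (O20), and services with "Unknown owner" whose name mimics a Microsoft component. The sample input is a constructed subset of the entries quoted above; the `looks_random` name heuristic and the thresholds in it are my own assumptions, not anything HijackThis does.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: a subset of lines in HijackThis v1.99.1 log format,
# modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [lvbqsyjA] C:\WINDOWS\lvbqsyjA.exe
O4 - HKLM\..\Run: [zrx8553c] RUNDLL32.EXE w0030592.dll,n 0018553b000000030030592
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O20 - Winlogon Notify: Media Center - C:\WINDOWS\system32\d40mled11h0.dll (file missing)
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\FISTIFF.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmapsrvs.exe
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)
# A file sitting directly in C:\WINDOWS (not in a subdirectory such as system32).
WINDIR_FILE_RE = re.compile(r"^C:\\WINDOWS\\[^\\]+\.(exe|dll)$", re.IGNORECASE)
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str
    line: str


def file_stem(path: str) -> str:
    """Filename without directory and extension, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Crude heuristic (my assumption): letters mixed with digits, or almost no vowels."""
    letters = sum(c.isalpha() for c in stem)
    digits = sum(c.isdigit() for c in stem)
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    if letters and digits:
        return True
    return letters >= 6 and vowels / letters < 0.2


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious reason; identical lines are reported once."""
    findings, seen = [], set()
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m or m.groups() in seen:
            continue
        seen.add(m.groups())
        sec, body = m.groups()
        reasons = []
        if sec == "R3" and "is missing" in body:
            reasons.append("IE default URLSearchHook removed, typical residue of a browser hijacker")
        elif sec in ("O2", "O3", "O9") and ("(no file)" in body or "(file missing)" in body):
            reasons.append("orphaned browser add-on entry pointing at a missing file")
        elif sec == "O4" and (r := RUN_RE.match(body)):
            cmd = r.group("cmd")
            if cmd.lower().startswith("rundll32") and "\\" not in cmd:
                reasons.append("rundll32 loads a DLL by bare name, resolved through the DLL search path")
            p = PATH_RE.search(cmd)
            if p and WINDIR_FILE_RE.match(p.group(1)) and looks_random(file_stem(p.group(1))):
                reasons.append("random-named executable autostarting straight from the Windows directory")
        elif sec == "O10":
            reasons.append("Winsock LSP chain altered; removing the LSP wrongly can break networking")
        elif sec == "O20":
            if "(file missing)" in body:
                reasons.append("orphaned Winlogon Notify entry; the DLL is gone but the key remains")
            else:
                reasons.append("non-default Winlogon Notify DLL, loaded into winlogon.exe (SYSTEM) at every logon")
        elif sec == "O23" and (s := SERVICE_RE.match(body)):
            path = s.group("path").replace(" (file missing)", "")
            if s.group("owner") == "Unknown owner":
                if "microsoft" in s.group("name").lower():
                    reasons.append("service named like a Microsoft component but carries no vendor information")
                if WINDIR_FILE_RE.match(path) and looks_random(file_stem(path)):
                    reasons.append("service binary is a random-named file directly in the Windows directory")
        for reason in reasons:
            findings.append(Finding(sec, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The name heuristic on its own is noisy (it would flag `Ati2evxx`), which is why the rules only combine it with location: a vendor driver helper in system32 with a recognisable path is left alone, while `wmapsrvs.exe` and `lvbqsyjA.exe`, both random-looking and both sitting directly in C:\WINDOWS, are reported. The New.net O4 line is deliberately not flagged by the O4 rules; the O10 entries already identify that LSP, and the helper's reply handles it through Add or Remove Programs rather than by deleting the hook.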
 

July 10th, 2006 01:00

Welcome!! Please take note of the following while we are working together:
  • Your fix may take a couple of posts, so please be patient even if you don't see immediate results.
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's definitely better to be sure and safe than sorry.

***************************************

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Open HijackThis, click Config, click Misc Tools
Click " Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.



In your next post, please include
  • new hijackthis log
  • combofix log
  • uninstall list

*use separate posts to ensure the logs don't get cut off!

July 11th, 2006 03:00

Here is the info you asked for... uninstall list log:

 

Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
ALPS Touch Pad Driver
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
Ares 1.8.1
ATI Control Panel
ATI Display Driver
Broadcom Advanced Control Suite
Cisco Systems VPN Client 4.6.00.0049
Conexant D480 MDC V.9x Modem
Dell Driver Reset Tool
Dell Home Systems Services Agreement
Dell Media Experience
Dell Media Experience Update
Dell Photo Printer 720
Dell Picture Studio v3.0
Dell Support
Digital Line Detect
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
iPod for Windows 2005-02-07
ItsDeductible Express
iTunes
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Baseline Security Analyzer 1.2
Microsoft Data Access Components KB870669
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft XML Parser and SDK
Modem Helper
Musicmatch for Windows Media Player
Musicmatch® Jukebox
NetWaiting
New.net Domains 7.22
Photo Click
Post-it® Software Notes Lite
PowerDVD 5.2
QuickSet
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Sophos Anti-Virus
Sophos AutoUpdate
Spybot - Search & Destroy 1.4
Spyware Doctor 3.8
TurboTax Basic 2004
TurboTax Basic 2005
TurboTax ItsDeductible 2005
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB910437)
Viewpoint Media Player
Webshots Desktop
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885295
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WordPerfect Office 12

 

July 11th, 2006 04:00

And here is the ComboFix log:

 

Start Time= Mon 07/10/2006 21:57:19.00
Running from: C:\Documents and Settings\Alexandra\Desktop
 
(((((((((((((((((((((((((((((((((((((((((((((   Look2Me's Log   ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{DAFE0C68-84B5-44CA-B7EA-6999A3CBA199}]
@=""

[HKEY_CLASSES_ROOT\clsid\{DAFE0C68-84B5-44CA-B7EA-6999A3CBA199}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{DAFE0C68-84B5-44CA-B7EA-6999A3CBA199}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{DAFE0C68-84B5-44CA-B7EA-6999A3CBA199}\InprocServer32]
@="C:\\WINDOWS\\system32\\MZORC32R.DLL"
"ThreadingModel"="Apartment"
 
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:
 
C:\WINDOWS\SYSTEM32\f0j2la1o1d.dll
C:\WINDOWS\SYSTEM32\j40s0ed7eh0.dll
C:\WINDOWS\SYSTEM32\k4no0e53eh.dll
C:\WINDOWS\SYSTEM32\m6lslg3716.dll
C:\WINDOWS\SYSTEM32\MZORC32R.DLL
C:\WINDOWS\SYSTEM32\q0ps0a77ed.dll

 
 Granting sedebugprivilege to Administrators   ... successful

 
((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\nwnm_1.exe
C:\kybrd_1.exe
C:\Documents and Settings\Alexandra\Local Settings\Temporary Internet Files\Content.IE5\DZNFT5CE\drsmartload[1].exe
C:\Documents and Settings\Alexandra\Local Settings\Temporary Internet Files\Content.IE5\DZNFT5CE\kybrdd_5[1].exe
C:\Documents and Settings\Alexandra\Local Settings\Temporary Internet Files\Content.IE5\PCOVXL0T\kybrdb_3[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8VU7A16L\drsmartload[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8VU7A16L\dfndra_1[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XCZAH6L\drsmartload[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C123GHIJ\nwnmd_5[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C123GHIJ\nwnm_1[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C123GHIJ\kybrd_1[1].exe
C:\Program Files\Common Files\misc001

 
((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-10     21:31:36          681          ( A.... )   "C:\windr32.exe"
2006-07-08     23:55:54        12288          ( A.... )   "C:\setup32.exe"
2006-07-08     23:54:52        12288          ( A.... )   "C:\setup64.exe"
2006-07-08     21:25:20        12288          ( A.... )   "C:\setup.exe"
2006-07-08     20:18:18         1063       ( A.... )   "C:\WINDOWS\SYSTEM32\zrx8553c.sys"
2006-07-08     20:18:18         1063       ( A.... )   "C:\WINDOWS\SYSTEM32\zrx8553c.sys"
2006-06-30     22:17:54         3084          ( A.... )   "C:\cmdhost.exe"
2006-06-30     20:24:04        14336          ( A.... )   "C:\install64.exe"
2006-06-29     07:09:52       107076          ( A.... )   "C:\Trelew.exe"
2006-06-29     07:09:30         5989          ( A.... )   "C:\VSL02.exe"
2006-06-27     17:59:06       183296       ( A.S.. )   "C:\WINDOWS\NDNuninstall7_22.exe"
2006-06-27     17:57:30       389632          ( A.... )   "C:\webnexmk.exe"
2006-06-27     17:57:22                       ( .D... )   "C:\Program Files\EngageSidebar"
2006-06-27     17:57:20       328704       ( A.... )   "C:\WINDOWS\SYSTEM32\pre.exe"
2006-06-27     17:57:18       379392          ( A.... )   "C:\engage.exe"
2006-06-27     17:56:52       169472       ( A.... )   "C:\WINDOWS\SYSTEM32\banners.exe"
2006-06-27     17:56:50       454656          ( A.... )   "C:\regifast.exe"
2006-06-27     17:56:18       174669       ( A.... )   "C:\WINDOWS\srvepqmjvi.exe"
2006-06-27     17:56:18         2560          ( A.... )   "C:\ac3_0003.exe"
2006-06-27     17:56:10       362496          ( A.... )   "C:\526_620.exe"
2006-06-27     17:55:40        50688       ( A.S.. )   "C:\WINDOWS\NDNuninstall6_38.exe"
2006-06-27     17:55:40                       ( ADS.. )   "C:\Program Files\NewDotNet"
2006-06-27     17:55:32       266240          ( A.... )   "C:\NNSCAA638.EXE"
2006-06-27     06:36:12        21013          ( A.... )   "C:\wd7gi8n.exe"
2006-06-27     06:22:48        24757          ( A.... )   "C:\ZIGID003.exe"
2006-06-24     23:57:12          173       ( A.... )   "C:\WINDOWS\comexec.bat"
2006-06-23     18:37:36        11776          ( A.... )   "C:\boomgr.exe"
2006-06-20     16:14:02        13824       ( A.... )   "C:\WINDOWS\comserv.exe"
2006-06-14     22:18:50          154       ( A.... )   "C:\WINDOWS\comfix.bat"
2006-06-14     21:03:46       114174       ( A.... )   "C:\WINDOWS\hostsmgr.exe"
2006-06-12     14:09:18        10752       ( A.... )   "C:\WINDOWS\SYSTEM32\Shlesb.dll"
2006-06-08     16:23:42                       ( .D... )   "C:\Program Files\Spyware Doctor"
2006-06-08     16:23:42                       ( .D... )   "C:\Documents and Settings\Alexandra\Application Data\PC Tools"
2006-06-08     14:47:54                       ( .D... )   "C:\Documents and Settings\Alexandra\Application Data\Lavasoft"
2006-06-08     14:47:40                       ( .D... )   "C:\Program Files\Lavasoft"
2006-06-08     14:22:44                       ( .D... )   "C:\Program Files\Softwin"
2006-06-08     14:18:40                       ( .D... )   "C:\Program Files\Common Files\Softwin"
2006-06-04     04:29:42           61       ( A.... )   "C:\WINDOWS\comhost.bat"
2006-06-01     06:05:36       174669       ( A.... )   "C:\WINDOWS\srvmmgtinf.exe"
2006-05-29     21:08:56       108462       ( A.... )   "C:\WINDOWS\manager.exe"
2006-05-27     12:45:02         8464       ( A.... )   "C:\WINDOWS\SYSTEM32\sporder.dll"
2006-05-27     12:25:34                       ( .D... )   "C:\Program Files\Windows"
2006-05-27     12:22:02       360115       ( A.... )   "C:\WINDOWS\visfx500.exe"
2006-05-21     23:11:34        66560       ( ..... )   "C:\WINDOWS\wmapsrvs.exe"
2006-04-10     13:00:30       144688       ( ..... )   "C:\WINDOWS\SYSTEM32\WgaLogon.dll"


((((((((((((((((((((((((((((((((((((((   Files Created - Last 30days   )))))))))))))))))))))))))))))))))))))))))))


2006-07-10 21:31 681  C:\windr32.exe
2006-07-08 23:55 12,288  C:\setup32.exe
2006-07-08 23:54 12,288  C:\setup64.exe
2006-07-08 20:12 12,288  C:\setup.exe
2006-06-30 22:16 3,084  C:\cmdhost.exe
2006-06-30 19:45 14,336  C:\install64.exe
2006-06-29 06:58 5,989  C:\VSL02.exe
2006-06-29 06:57 107,076  C:\Trelew.exe
2006-06-27 17:57 389,632  C:\webnexmk.exe
2006-06-27 17:57 328,704  C:\WINDOWS\system32\pre.exe
2006-06-27 17:56 994,208  C:\WINDOWS\lvbqsyj.exe
2006-06-27 17:56 454,656  C:\regifast.exe
2006-06-27 17:56 379,392  C:\engage.exe
2006-06-27 17:56 362,496  C:\526_620.exe
2006-06-27 17:56 2,560  C:\ac3_0003.exe
2006-06-27 17:56 174,669  C:\WINDOWS\srvepqmjvi.exe
2006-06-27 17:56 169,472  C:\WINDOWS\system32\banners.exe
2006-06-27 17:56 1,084,784  C:\WINDOWS\lvbqsyjA.exe
2006-06-27 17:56 1,063  C:\WINDOWS\system32\zrx8553c.sys
2006-06-27 17:55 50,688  C:\WINDOWS\NDNuninstall6_38.exe
2006-06-27 17:54 266,240  C:\NNSCAA638.EXE
2006-06-27 06:13 21,013  C:\wd7gi8n.exe
2006-06-27 06:11 24,757  C:\ZIGID003.exe
2006-06-27 06:10 173  C:\WINDOWS\comexec.bat
2006-06-27 06:10 13,824  C:\WINDOWS\comserv.exe
2006-06-23 18:37 11,776  C:\boomgr.exe
2006-06-14 20:28 114,174  C:\WINDOWS\hostsmgr.exe
2006-06-12 14:09 10,752  C:\WINDOWS\system32\Shlesb.dll
2006-06-08 18:52 154  C:\WINDOWS\comfix.bat
2006-06-04 22:51 61  C:\WINDOWS\comhost.bat
2006-06-04 22:51 108,462  C:\WINDOWS\manager.exe
2006-06-01 06:05 174,669  C:\WINDOWS\srvmmgtinf.exe
2006-05-27 12:26 183,296  C:\WINDOWS\NDNuninstall7_22.exe
2006-05-27 12:23 8,464  C:\WINDOWS\system32\sporder.dll
2006-05-27 12:22 360,115  C:\WINDOWS\visfx500.exe


((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1137622810\\ee\\AOLSoftware.exe"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"lvbqsyjA"="C:\\WINDOWS\\lvbqsyjA.exe"
"zrx8553c"="RUNDLL32.EXE w0030592.dll,n 0018553b000000030030592"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"=""
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
 ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
 00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"mumq"="C:\\PROGRA~1\\COMMON~1\\mumq\\mumqm.exe"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
"Sen"="\"C:\\WINDOWS\\DOBE~1\\lsass.exe\" -vt yazr"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Del27800"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"WinUpdate.exe"="C:\\Program Files\\Windows\\WinUpdate.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"mumq"="C:\\PROGRA~1\\COMMON~1\\mumq\\mumqm.exe"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
"Sen"="\"C:\\WINDOWS\\DOBE~1\\lsass.exe\" -vt yazr"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"Del27800"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"WinUpdate.exe"="C:\\Program Files\\Windows\\WinUpdate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
 
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SAVService
 

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (ALEX-Alexandra).job

Completion time: Mon 07/10/2006 21:59:17.55
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-10.215718.txt
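The "Files Created - Last 30days" section of the ComboFix log above is most useful when read as a timeline: a cluster of unrelated executables landing in C:\, C:\WINDOWS and system32 within the same two or three minutes is the signature of a single bundled install, which is exactly what the helper's reply attributes to P2P use. The following is an added example, not ComboFix's code nor anything posted in the thread: it parses lines in that section's format, groups creation times into bursts, and reports where each burst's files landed. The sample input is a constructed subset of the lines quoted above; the burst thresholds (a gap of at most two minutes, at least three files) are my own assumptions.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input, in the format of ComboFix's "Files Created - Last 30days"
# section, taken from the log quoted in this thread.
SAMPLE_CREATED = r"""
2006-07-10 21:31 681  C:\windr32.exe
2006-07-08 23:55 12,288  C:\setup32.exe
2006-07-08 23:54 12,288  C:\setup64.exe
2006-06-27 17:57 389,632  C:\webnexmk.exe
2006-06-27 17:57 328,704  C:\WINDOWS\system32\pre.exe
2006-06-27 17:56 994,208  C:\WINDOWS\lvbqsyj.exe
2006-06-27 17:56 454,656  C:\regifast.exe
2006-06-27 17:56 379,392  C:\engage.exe
2006-06-27 17:56 174,669  C:\WINDOWS\srvepqmjvi.exe
2006-06-27 17:56 169,472  C:\WINDOWS\system32\banners.exe
2006-06-27 17:56 1,084,784  C:\WINDOWS\lvbqsyjA.exe
2006-06-27 17:56 1,063  C:\WINDOWS\system32\zrx8553c.sys
2006-06-27 17:55 50,688  C:\WINDOWS\NDNuninstall6_38.exe
2006-06-27 17:54 266,240  C:\NNSCAA638.EXE
2006-06-27 06:13 21,013  C:\wd7gi8n.exe
2006-06-27 06:11 24,757  C:\ZIGID003.exe
2006-06-27 06:10 173  C:\WINDOWS\comexec.bat
2006-06-27 06:10 13,824  C:\WINDOWS\comserv.exe
2006-06-23 18:37 11,776  C:\boomgr.exe
"""

# "<date> <hh:mm> <size with thousands separators>  <path>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+(.+)$")


@dataclass
class Created:
    when: datetime
    size: int
    path: str

    @property
    def parent(self) -> str:
        """Directory part of a Windows-style path ('C:' for the drive root)."""
        return self.path.rsplit("\\", 1)[0]


@dataclass
class Burst:
    entries: list[Created]   # sorted by creation time

    @property
    def start(self) -> datetime:
        return self.entries[0].when

    @property
    def end(self) -> datetime:
        return self.entries[-1].when

    def total_bytes(self) -> int:
        return sum(e.size for e in self.entries)

    def dir_counts(self) -> Counter:
        return Counter(e.parent for e in self.entries)


def parse_created(text: str) -> list[Created]:
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Created(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                               int(m.group(2).replace(",", "")), m.group(3).strip()))
    return out


def find_bursts(entries: list[Created], max_gap_minutes: int = 2, min_files: int = 3) -> list[Burst]:
    """Group chronologically sorted entries into bursts separated by gaps > max_gap_minutes."""
    entries = sorted(entries, key=lambda e: e.when)
    bursts: list[Burst] = []
    current: list[Created] = []
    for e in entries:
        if current and (e.when - current[-1].when) > timedelta(minutes=max_gap_minutes):
            if len(current) >= min_files:
                bursts.append(Burst(current))
            current = []
        current.append(e)
    if len(current) >= min_files:
        bursts.append(Burst(current))
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_created(SAMPLE_CREATED)):
        print(f"{b.start:%Y-%m-%d %H:%M} - {b.end:%H:%M}: {len(b.entries)} files, "
              f"{b.total_bytes():,} bytes, by directory {dict(b.dir_counts())}")
        for e in b.entries:
            print(f"    {e.when:%H:%M} {e.size:>10,}  {e.path}")
```

On the sample this isolates two installation bursts on 2006-06-27 (a small one around 06:10 and a large one between 17:54 and 17:57), while the lone drops on other days fall below the threshold. The ComboFix section only records minute-level timestamps and only for the last 30 days, so the grouping is a coarse first pass; the Find3M section further up carries second-level timestamps if finer ordering is needed.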

July 11th, 2006 04:00

And lastly... here is the HijackThis logfile:

 

Logfile of HijackThis v1.99.1
Scan saved at 12:06:05 AM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\AOL\1137622810\ee\AOLSoftware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\lvbqsyjA.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\Webshots\webshots.scr
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - Default URLSearchHook is missing
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137622810\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [lvbqsyjA] C:\WINDOWS\lvbqsyjA.exe
O4 - HKLM\..\Run: [zrx8553c] RUNDLL32.EXE w0030592.dll,n 0018553b000000030030592
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105896564306
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.ritzpix.com/upload/FujifilmUploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmapsrvs.exe (file missing)

 

July 11th, 2006 05:00

First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

Then go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.net Domains 7.22
Viewpoint Media Player

The following are optional; however, any time you are running any type of P2P application, you are FAR more prone to infection by malware. Your current infections are likely due to P2P use.

Ares 1.8.1

Please note any other programs that you don't recognize in that list in your next response.

Please download Ewido to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install Ewido by double clicking the installer.
  • Follow the prompts. Make sure that Launch Ewido is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
    • Note: If the Update now option is grayed out, follow the steps below.
      • Click on Update on the toolbar.
      • Under Manual update, click on the Start Update button.
      • Wait until you see the Update successful message.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido. Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover. Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

***************************************

Next, please reboot your computer in SafeMode by doing the following:

  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

  5. For additional help in booting into Safe Mode, see the following site:
    http://www.pchell.com/support/safemode.shtml

    ***************************************

    Navigate to C:\Windows\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Clean out your Temporary Internet files. Proceed like this:
    • Quit Internet Explorer and quit any instances of Windows Explorer.
    • Click Start, click Control Panel, and then double-click Internet Options.
    • On the General tab, click Delete Files under Temporary Internet Files.
    • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
    • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
    • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
    • Click OK.
    Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
    ______________________________

    Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
    • IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)

    • When done, click the Save Scan Report button.
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.

    Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by double-clicking BFU.exe
    • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
    • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.

    ***************************************

    Reboot your system back into Normal Mode.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Then run ComboFix for me one more time.

    In your next post, please include:
    • new hijackthis log
    • ewido log
    • combofix log
    • panda log

    You may need several replies to post the requested logs, otherwise they might get cut off.

37 Posts

July 11th, 2006 23:00

ActiveScan report:


Incident                    Status           Location
Adware:adware/dollarrevenue Not disinfected  c:\VSL02.exe
Virus:Trj/KillAV.EG         Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01QN8TYB\comhost[1].zip[manager.exe]
Adware:Adware/NewAds        Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01QN8TYB\comhost[1].zip[mc-110-12-0000488.exe]
Adware:Adware/NewAds        Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01QN8TYB\exec4[1].zip[cmdmgr.exe]
Virus:Trj/Downloader.JHN    Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01QN8TYB\exec4[1].zip[comserv.exe]
Adware:Adware/NewAds        Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XCZAH6L\exec2[1].zip
Adware:Adware/NewAds        Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XCZAH6L\exec2[2].zip
Adware:Adware/NewAds        Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XCZAH6L\exec2[3].zip
Adware:Adware/NewAds        Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XCZAH6L\exec4[1].zip[cmdmgr.exe]
Virus:Trj/Downloader.JHN    Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XCZAH6L\exec4[1].zip[comserv.exe]
Adware:Adware/NewAds        Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C123GHIJ\execlib[1].zip[cmdmgr.exe]
Adware:Adware/DollarRevenue Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C123GHIJ\execlib[1].zip[comsonie.exe]
Adware:Adware/NewAds        Not disinfected  C:\WINDOWS\hostsmgr.exe
Virus:Trj/KillAV.EG         Disinfected      C:\WINDOWS\manager.exe
Adware:Adware/FCHelp        Not disinfected  C:\WINDOWS\srvepqmjvi.exe[PECarlin.exe]
Adware:Adware/FCHelp        Not disinfected  C:\WINDOWS\srvmmgtinf.exe[PECarlin.exe]
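A way to read a report like this one programmatically, as an added example that is not part of the thread and is not Panda's code: it parses the Incident / Status / Location rows, strips the archive-member suffix so the path it names is the file that actually has to go, and separates the hits that the helper's temp-folder clean-up step will remove (everything under Temporary Internet Files, Local Settings\Temp and C:\Windows\Temp, the folders the earlier instructions name) from the ones sitting in persistent locations that need a manual step. The rows are copied from the report above; the directory markers are assumptions taken from those instructions.

```python
"""Split Panda ActiveScan findings into those the temp-folder clean-up will
remove and those that need a manual step.

Added example for this thread (not Panda's code, not posted by anyone here).
The sample rows are copied from the ActiveScan report posted above; the
Incident / Status / Location columns are the report's own layout.
"""
import re
import sys
from typing import List, NamedTuple, Tuple


class Incident(NamedTuple):
    kind: str       # e.g. "Adware:Adware/NewAds"
    status: str     # "Not disinfected" or "Disinfected"
    location: str   # file path, possibly with an archive member in [...]


# Columns are separated by runs of two or more spaces.
_ROW_RE = re.compile(r"^(\S+)\s{2,}(Not disinfected|Disinfected)\s{2,}(.+?)\s*$")

# Folders the clean-up step in this thread empties (assumed from the
# instructions; matched case-insensitively as path fragments).
CACHE_MARKERS = (
    "\\temporary internet files\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)


def parse_report(text: str) -> List[Incident]:
    """Parse the table rows; header and blank lines are skipped."""
    rows = []
    for raw in text.splitlines():
        m = _ROW_RE.match(raw.rstrip())
        if m:
            rows.append(Incident(*m.groups()))
    return rows


def container_path(location: str) -> str:
    """'comhost[1].zip[manager.exe]' -> 'comhost[1].zip': the file to delete
    is the archive on disk, not the member inside it."""
    return re.sub(r"\[[^\]]*\]$", "", location)


def is_cache_path(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in CACHE_MARKERS)


def plan(rows: List[Incident]) -> Tuple[List[str], List[str]]:
    """Unique container paths still infected, split into
    (cleared by emptying the cache folders, needs manual removal)."""
    cleared, manual = [], []
    for r in rows:
        if r.status != "Not disinfected":
            continue
        path = container_path(r.location)
        bucket = cleared if is_cache_path(path) else manual
        if path not in bucket:
            bucket.append(path)
    return cleared, manual


# Copied from the ActiveScan report posted in this thread.
SAMPLE_REPORT = r"""
Incident  Status  Location
Adware:adware/dollarrevenue  Not disinfected  c:\VSL02.exe
Virus:Trj/KillAV.EG  Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01QN8TYB\comhost[1].zip[manager.exe]
Adware:Adware/NewAds  Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01QN8TYB\comhost[1].zip[mc-110-12-0000488.exe]
Adware:Adware/NewAds  Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01QN8TYB\exec4[1].zip[cmdmgr.exe]
Virus:Trj/Downloader.JHN  Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01QN8TYB\exec4[1].zip[comserv.exe]
Adware:Adware/NewAds  Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XCZAH6L\exec2[1].zip
Adware:Adware/NewAds  Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XCZAH6L\exec2[2].zip
Adware:Adware/NewAds  Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XCZAH6L\exec2[3].zip
Adware:Adware/NewAds  Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XCZAH6L\exec4[1].zip[cmdmgr.exe]
Virus:Trj/Downloader.JHN  Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XCZAH6L\exec4[1].zip[comserv.exe]
Adware:Adware/NewAds  Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C123GHIJ\execlib[1].zip[cmdmgr.exe]
Adware:Adware/DollarRevenue  Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C123GHIJ\execlib[1].zip[comsonie.exe]
Adware:Adware/NewAds  Not disinfected  C:\WINDOWS\hostsmgr.exe
Virus:Trj/KillAV.EG  Disinfected  C:\WINDOWS\manager.exe
Adware:Adware/FCHelp  Not disinfected  C:\WINDOWS\srvepqmjvi.exe[PECarlin.exe]
Adware:Adware/FCHelp  Not disinfected  C:\WINDOWS\srvmmgtinf.exe[PECarlin.exe]
"""


def main(argv):
    # Pass a saved report as the first argument; otherwise use the sample.
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_REPORT
    cleared, manual = plan(parse_report(text))
    print("Removed by emptying the Temp / Temporary Internet Files folders:")
    for p in cleared:
        print("  " + p)
    print("Still on disk afterwards; handle one by one:")
    for p in manual:
        print("  " + p)


if __name__ == "__main__":
    main(sys.argv)
```

Run against the sample, the manual list is the four persistent files (c:\VSL02.exe, hostsmgr.exe and the two srv*.exe files), which is why those are the ones a helper would expect to see dealt with by a file-deletion tool in the next round rather than by the cache clean-up.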

37 Posts

July 11th, 2006 23:00

ComboFix report:

 

Start Time= Tue 07/11/2006 19:13:50.59
Running from: C:\Documents and Settings\Alexandra\Desktop
 
QuickScan did not find any signs of infected files

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-11     06:41:02                       ( .D... )   "C:\Program Files\ewido anti-spyware 4.0"
2006-07-10     21:31:36          681          ( A.... )   "C:\windr32.exe"
2006-07-08     20:18:18         1063       ( A.... )   "C:\WINDOWS\SYSTEM32\zrx8553c.sys"
2006-07-08     20:18:18         1063       ( A.... )   "C:\WINDOWS\SYSTEM32\zrx8553c.sys"
2006-06-30     22:17:54         3084          ( A.... )   "C:\cmdhost.exe"
2006-06-30     20:24:04        14336          ( A.... )   "C:\install64.exe"
2006-06-29     07:09:52       107076          ( A.... )   "C:\Trelew.exe"
2006-06-29     07:09:30         5989          ( A.... )   "C:\VSL02.exe"
2006-06-27     17:57:22                       ( .D... )   "C:\Program Files\EngageSidebar"
2006-06-27     17:56:18       174669       ( A.... )   "C:\WINDOWS\srvepqmjvi.exe"
2006-06-24     23:57:12          173       ( A.... )   "C:\WINDOWS\comexec.bat"
2006-06-14     22:18:50          154       ( A.... )   "C:\WINDOWS\comfix.bat"
2006-06-14     21:03:46       114174       ( A.... )   "C:\WINDOWS\hostsmgr.exe"
2006-06-08     16:23:42                       ( .D... )   "C:\Program Files\Spyware Doctor"
2006-06-08     16:23:42                       ( .D... )   "C:\Documents and Settings\Alexandra\Application Data\PC Tools"
2006-06-08     14:47:54                       ( .D... )   "C:\Documents and Settings\Alexandra\Application Data\Lavasoft"
2006-06-08     14:47:40                       ( .D... )   "C:\Program Files\Lavasoft"
2006-06-08     14:22:44                       ( .D... )   "C:\Program Files\Softwin"
2006-06-08     14:18:40                       ( .D... )   "C:\Program Files\Common Files\Softwin"
2006-06-04     04:29:42           61       ( A.... )   "C:\WINDOWS\comhost.bat"
2006-06-01     06:05:36       174669       ( A.... )   "C:\WINDOWS\srvmmgtinf.exe"
2006-05-27     12:45:02         8464       ( A.... )   "C:\WINDOWS\SYSTEM32\sporder.dll"
2006-05-27     12:25:34                       ( .D... )   "C:\Program Files\Windows"
2006-05-27     12:22:02       360115       ( A.... )   "C:\WINDOWS\visfx500.exe"


((((((((((((((((((((((((((((((((((((((   Files Created - Last 30days   )))))))))))))))))))))))))))))))))))))))))))


2006-07-11 07:34 73,728  C:\WINDOWS\system32\asuninst.exe
2006-07-11 07:34 11,776  C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-10 21:31 681  C:\windr32.exe
2006-06-30 22:16 3,084  C:\cmdhost.exe
2006-06-30 19:45 14,336  C:\install64.exe
2006-06-29 06:58 5,989  C:\VSL02.exe
2006-06-29 06:57 107,076  C:\Trelew.exe
2006-06-27 17:56 174,669  C:\WINDOWS\srvepqmjvi.exe
2006-06-27 17:56 1,063  C:\WINDOWS\system32\zrx8553c.sys
2006-06-27 06:10 173  C:\WINDOWS\comexec.bat
2006-06-14 20:28 114,174  C:\WINDOWS\hostsmgr.exe
2006-06-08 18:52 154  C:\WINDOWS\comfix.bat
2006-06-04 22:51 61  C:\WINDOWS\comhost.bat
2006-06-01 06:05 174,669  C:\WINDOWS\srvmmgtinf.exe
2006-05-27 12:23 8,464  C:\WINDOWS\system32\sporder.dll
2006-05-27 12:22 360,115  C:\WINDOWS\visfx500.exe


((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1137622810\\ee\\AOLSoftware.exe"
"zrx8553c"="RUNDLL32.EXE w0030592.dll,n 0018553b000000030030592"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"=""
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /RM /QS /X"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
 ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
 00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"mumq"="C:\\PROGRA~1\\COMMON~1\\mumq\\mumqm.exe"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
"Sen"="\"C:\\WINDOWS\\DOBE~1\\lsass.exe\" -vt yazr"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Del27800"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"WinUpdate.exe"="C:\\Program Files\\Windows\\WinUpdate.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"mumq"="C:\\PROGRA~1\\COMMON~1\\mumq\\mumqm.exe"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
"Sen"="\"C:\\WINDOWS\\DOBE~1\\lsass.exe\" -vt yazr"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"Del27800"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"WinUpdate.exe"="C:\\Program Files\\Windows\\WinUpdate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
 
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SAVService
 

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (ALEX-Alexandra).job

Completion time: Tue 07/11/2006 19:14:29.41
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-10.215718.txt
ComboFix.2006-07-11.191350.txt
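The "Files Created - Last 30days" section is the most useful part of this report for a quick timeline, and the checks a helper applies by eye can be scripted. What follows is an added example, not ComboFix's code and not anything posted in the thread: it parses the rows copied from the report above, flags program files written straight into C:\ or C:\WINDOWS (installers almost never do that), groups files of identical byte size (the two 174,669-byte executables under different names), and clusters files created within a few minutes of each other. The five-minute window is an assumption, not something the report defines.

```python
"""Timeline triage of ComboFix's 'Files Created - Last 30days' section.

Added example for this thread; it is not ComboFix's code and was not posted
here. The sample rows are copied from the ComboFix report in this thread.
"""
import ntpath
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Created(NamedTuple):
    when: datetime
    size: int
    path: str


# '2006-07-10 21:31 681  C:\windr32.exe'  ->  date, time, size, path
_ROW_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+)\s+(\S.*)$")

PROGRAM_EXTS = {".exe", ".bat", ".com", ".scr", ".pif", ".dll", ".sys"}


def parse_created(text: str) -> List[Created]:
    rows = []
    for raw in text.splitlines():
        m = _ROW_RE.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M")
        rows.append(Created(when, int(m.group(3).replace(",", "")), m.group(4).rstrip()))
    return rows


def in_unusual_location(path: str) -> bool:
    """Program file sitting directly in the drive root or in the Windows
    folder itself (not a subfolder such as system32)."""
    if ntpath.splitext(path)[1].lower() not in PROGRAM_EXTS:
        return False
    parts = path.split("\\")
    if len(parts) == 2:                                        # C:\file.exe
        return True
    return len(parts) == 3 and parts[1].upper() == "WINDOWS"   # C:\WINDOWS\file.exe


def same_size_groups(rows: List[Created]) -> Dict[int, List[str]]:
    """Files sharing an exact byte size: a strong hint that one binary was
    written twice under different names."""
    by_size: Dict[int, List[str]] = defaultdict(list)
    for r in rows:
        by_size[r.size].append(r.path)
    return {s: p for s, p in by_size.items() if len(p) > 1}


def creation_bursts(rows: List[Created], window: timedelta = timedelta(minutes=5)) -> List[List[Created]]:
    """Groups of two or more files created within `window` of the previous
    one; a dropper and what it drops usually land together."""
    ordered = sorted(rows, key=lambda r: r.when)
    bursts, current = [], []
    for r in ordered:
        if current and r.when - current[-1].when > window:
            if len(current) > 1:
                bursts.append(current)
            current = []
        current.append(r)
    if len(current) > 1:
        bursts.append(current)
    return bursts


# Copied from the 'Files Created - Last 30days' section of the report above.
SAMPLE_CREATED = r"""
2006-07-11 07:34 73,728  C:\WINDOWS\system32\asuninst.exe
2006-07-11 07:34 11,776  C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-10 21:31 681  C:\windr32.exe
2006-06-30 22:16 3,084  C:\cmdhost.exe
2006-06-30 19:45 14,336  C:\install64.exe
2006-06-29 06:58 5,989  C:\VSL02.exe
2006-06-29 06:57 107,076  C:\Trelew.exe
2006-06-27 17:56 174,669  C:\WINDOWS\srvepqmjvi.exe
2006-06-27 17:56 1,063  C:\WINDOWS\system32\zrx8553c.sys
2006-06-27 06:10 173  C:\WINDOWS\comexec.bat
2006-06-14 20:28 114,174  C:\WINDOWS\hostsmgr.exe
2006-06-08 18:52 154  C:\WINDOWS\comfix.bat
2006-06-04 22:51 61  C:\WINDOWS\comhost.bat
2006-06-01 06:05 174,669  C:\WINDOWS\srvmmgtinf.exe
2006-05-27 12:23 8,464  C:\WINDOWS\system32\sporder.dll
2006-05-27 12:22 360,115  C:\WINDOWS\visfx500.exe
"""


def main(argv):
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_CREATED
    rows = parse_created(text)
    print("Programs dropped in the drive root or the Windows folder:")
    for r in rows:
        if in_unusual_location(r.path):
            print(f"  {r.when:%Y-%m-%d %H:%M} {r.size:>8} {r.path}")
    for size, paths in same_size_groups(rows).items():
        print(f"Same size ({size} bytes): {', '.join(paths)}")
    for burst in creation_bursts(rows):
        names = ", ".join(ntpath.basename(r.path) for r in burst)
        print(f"Burst at {burst[0].when:%Y-%m-%d %H:%M}: {names}")


if __name__ == "__main__":
    main(sys.argv)
```

On the sample, 12 of the 16 files land in the root or Windows folder, srvepqmjvi.exe and srvmmgtinf.exe share a size, and the bursts pair zrx8553c.sys with srvepqmjvi.exe and Trelew.exe with VSL02.exe; the 07-11 07:34 pair is the ewido installer's own files and shows why a burst is a lead, not a verdict.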

37 Posts

July 11th, 2006 23:00

ewido report:

 

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

 + Created at: 7:23:41 AM 7/11/2006

 + Scan result: 

 

C:\Program Files\EngageSidebar\EffBar.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\Ldresb\Ldresb.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\Shlesb.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\ZIGID003.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8VU7A16L\comber2[1].zip/booterror.exe -> Downloader.Adload.bo : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8VU7A16L\comber2[2].zip/booterror.exe -> Downloader.Adload.bo : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01QN8TYB\bootcom[1].zip -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\WINDOWS\comserv.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\wd7gi8n.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\ac3_0003.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\pre.exe -> Dropper.Agent.hl : Cleaned with backup (quarantined).
C:\engage.exe -> Dropper.Agent.hl : Cleaned with backup (quarantined).
C:\regifast.exe -> Dropper.Agent.hl : Cleaned with backup (quarantined).
C:\webnexmk.exe -> Dropper.Agent.hl : Cleaned with backup (quarantined).
C:\526_620.exe -> Dropper.Mudrop.bq : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\banners.exe -> Hijacker.IntelliAdvert : Cleaned with backup (quarantined).
C:\WINDOWS\lvbqsyj.exe -> Hijacker.VB.ij : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01QN8TYB\!update-4020[1].0000 -> Trojan.PurityAd : Cleaned with backup (quarantined).


::Report end

 

37 Posts

July 11th, 2006 23:00

And lastly... HijackThis log file:

 

Logfile of HijackThis v1.99.1
Scan saved at 7:18:32 PM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\AOL\1137622810\ee\AOLSoftware.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - Default URLSearchHook is missing
O2 - BHO: EffBarBHO - {15E38167-B065-4BB5-B987-9F04B1E85AEA} - C:\Program Files\EngageSidebar\EffBar.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137622810\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [zrx8553c] RUNDLL32.EXE w0030592.dll,n 0018553b000000030030592
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunOnce: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /RM /QS /X
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105896564306
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.ritzpix.com/upload/FujifilmUploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmapsrvs.exe (file missing)

 

July 12th, 2006 02:00

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.

Go to Start > Run and type Services.msc then hit Ok
Scroll down and find the below service:

Microsoft WMI Performance Adapter AddOn (WMIPerAddOn)

When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present).

R3 - Default URLSearchHook is missing
O2 - BHO: EffBarBHO - {15E38167-B065-4BB5-B987-9F04B1E85AEA} - C:\Program Files\EngageSidebar\EffBar.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: RUNDLL32.EXE w0030592.dll,n 0018553b000000030030592
O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmapsrvs.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Still in Hijackthis, click on the Config button (bottom right), click on Misc Tools, then click on Delete an NT Service. A window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

WMIPerAddOn

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click NO.

  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\VSL02.exe
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01QN8TYB\comhost[1].zip
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01QN8TYB\exec4[1].zip
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XCZAH6L\exec2[1].zip
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XCZAH6L\exec2[2].zip
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XCZAH6L\exec2[3].zip
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XCZAH6L\exec4[1].zip
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C123GHIJ\execlib[1].zip
    C:\WINDOWS\hostsmgr.exe
    C:\WINDOWS\manager.exe
    C:\WINDOWS\srvepqmjvi.exe
    C:\WINDOWS\srvmmgtinf.exe
    C:\windr32.exe
    C:\cmdhost.exe
    C:\install64.exe
    C:\Trelew.exe
    C:\WINDOWS\system32\zrx8553c.sys
    C:\WINDOWS\hostsmgr.exe
    C:\WINDOWS\system32\sporder.dll
    C:\WINDOWS\visfx500.exe
    C:\WINDOWS\wmapsrvs.exe
    C:\WINDOWS\system32\w0030592.dll
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • NOTE: You must use the File menu--pasting by right-clicking the mouse will only enter one file.

  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

After reboot,

delete the following folder (if present):

C:\Program Files\EngageSidebar\

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu.

then, post a new hijackthis log

also let me know how your computer is running at the moment and if problems persist.

Message Edited by agrarianmonk on 07-11-2006 08:29 PM

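The helper's post above applies a handful of rules by eye: entries marked "(file missing)" or "(no file)" are orphans left behind by an uninstall or partial cleanup, an unnamed Run value that loads a DLL through rundll32 deserves a look, and a service with an unknown owner whose binary sits directly in C:\WINDOWS (like wmapsrvs.exe) is out of place. The script below is an added example, not part of this thread and not HijackThis's own logic: it parses lines in the HijackThis v1.99 log format and reports hits on those four heuristics. The sample log is constructed from entries quoted in this thread, and the heuristics are this example's own assumptions about what warrants a closer look, not a verdict that an entry is malicious.

```python
"""Triage a HijackThis-style log with the heuristics a forum helper applies by hand.

Added example; it is not part of the thread and not HijackThis's own logic.
The sample log below is constructed from entries quoted in this thread, and the
four heuristics are this example's assumptions about what deserves a closer look.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (section, reason, raw log line)

# Constructed sample: a few lines in the shape HijackThis v1.99 writes them.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: EffBarBHO - {15E38167-B065-4BB5-B987-9F04B1E85AEA} - C:\Program Files\EngageSidebar\EffBar.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: RUNDLL32.EXE w0030592.dll,n 0018553b000000030030592
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmapsrvs.exe (file missing)
"""

# Every HijackThis entry starts with a section tag such as R1, O4 or O23.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# "HKLM\..\Run: [Name] command" -- HijackThis shows the Run value name in brackets.
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: (?P<value>.*)$")
# "Service: <display name> - <owner> - <path>"
SVC_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# An .exe sitting directly in C:\WINDOWS (not in system32 or any subfolder).
WINDIR_ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe", re.IGNORECASE)


def triage(log: str) -> List[Finding]:
    """Return one finding per (line, heuristic) hit, in log order."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue  # header, process list or blank line
        sec, body = m.group("sec"), m.group("body")

        # 1. Registry still points at a component whose file is gone: harmless
        #    by itself, but it is the trace an uninstall or a partial cleanup leaves.
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            findings.append((sec, "orphaned entry: target file missing", raw))

        # 2. R3: the default URLSearchHook has been removed or replaced.
        if sec == "R3" and "is missing" in body:
            findings.append((sec, "default URLSearchHook missing", raw))

        # 3. O4: a Run value with no name that loads a DLL through rundll32.
        if sec == "O4":
            rm = RUN_RE.match(body)
            if rm:
                value = rm.group("value")
                if not value.startswith("[") and "rundll32" in value.lower():
                    findings.append((sec, "unnamed Run value loading a DLL via rundll32", raw))

        # 4. O23: unknown-owner service whose binary lives directly in C:\WINDOWS.
        if sec == "O23":
            sm = SVC_RE.match(body)
            if (sm and sm.group("owner") == "Unknown owner"
                    and WINDIR_ROOT_EXE_RE.match(sm.group("path"))):
                findings.append((sec, "unknown-owner service running from the Windows root", raw))
    return findings


def count_by_section(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings per HijackThis section, e.g. {'O23': 2}."""
    counts: Dict[str, int] = {}
    for sec, _reason, _line in findings:
        counts[sec] = counts.get(sec, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for sec, reason, line in hits:
        print(f"{sec:4} {reason}\n     {line}")
    print(count_by_section(hits))
```

On the sample above the script reports six hits: the missing URLSearchHook, the two orphaned O2/O3 entries, the bracket-less rundll32 Run value, and two for the WMIPerAddOn service (orphaned and running from the Windows root). The Ati HotKey Poller line is also "Unknown owner" but lives under system32, so heuristic 4 leaves it alone; that contrast is the point of the path check.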
37 Posts

July 13th, 2006 03:00

Logfile of HijackThis v1.99.1
Scan saved at 11:14:17 PM, on 7/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\AOL\1137622810\ee\AOLSoftware.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137622810\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105896564306
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.ritzpix.com/upload/FujifilmUploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

 

The computer is running beautifully. Thank you very much for all this help!

July 13th, 2006 04:00

Congratulations, your log looks clean! Are you having any other problems?

If not, we have just a couple of last steps to perform and then you're all set.

Let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  1. Turn off System Restore.
     • On the Desktop, right-click My Computer. Click Properties.
       Click the System Restore tab.
       Check Turn off System Restore.
       Click Apply, and then click OK.

  2. Restart your computer.

  3. Turn ON System Restore.
     • On the Desktop, right-click My Computer. Click Properties.
       Click the System Restore tab.
       UN-Check Turn off System Restore.
       Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

You should also have a good firewall. Here are 2 free ones available for personal use:

To keep your operating system up to date, visit monthly. And to keep your system clean, run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!


(Please respond to this thread one more time so we can mark this thread as resolved.)

37 Posts

July 15th, 2006 01:00

Thanks for all your help! You did a wonderful job... it all seems to be running well.