Author Topic: Malware?  (Read 4358 times)

Offline Ryugata

Malware?
« on: May 24, 2006, 12:40:18 AM »
Yesterday, I got a virus warning on my computer, so I ran Ad-Aware and it deleted most of the 'harmful' files, but a registry value or something didn't delete, and I ran it over and over again but it's still there. In the comment column, it says "Shell Possibly Compromised" and I don't know what that is....

Can anyone help me with this, like delete it or something? :( It's very frustrating and it slows down my computer.

Thank you in advance.

Offline guestolo

Malware?
« Reply #1 on: May 24, 2006, 09:58:30 PM »
From my signature below, download and save to a permanent folder of its own on your hard drive
Hijackthis 1.99.1
Open Hijackthis.exe

Do a "SCAN and Save a Log file"
A log will open in Notepad
Copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Ryugata

Malware?
« Reply #2 on: May 25, 2006, 12:48:56 AM »
Ok... it gave me this:

Logfile of HijackThis v1.99.1
Scan saved at 10:46:15 PM, on 5/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\bmdv\command.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\thgjnqkA.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\win32097-45512001.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\XPAgent.exe
C:\WINDOWS\system32\msvbvm50.exe
C:\windows\system32\rlvknlg.exe
C:\WINDOWS\system32\ntvdmd.exe
C:\WINDOWS\system32\hotplug.exe
C:\PROGRA~1\COMMON~1\RACLE~1\alg.exe
C:\PROGRA~1\COMMON~1\mrmi\mrmim.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\InterVideo\DVD5R\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\PROGRA~1\COMMON~1\mrmi\mrmia.exe
c:\windows\system32\dwdsregt.exe
c:\SS1001.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\twinpqez.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jrnie.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,umumpar.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30848B2D-18F3-4DAE-8C1A-6DFD7503DDDA} - \
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7F82BC50-AB36-41CE-899E-A22084FCCA87} - \
O2 - BHO: (no name) - {AFAADE19-A460-E700-9A96-FABD204885D2} - C:\Program Files\cdmagent\knerdlxewb.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [defender] C:\\defender22.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard22.exe
O4 - HKLM\..\Run: [newname] C:\\newname22.exe
O4 - HKLM\..\Run: [thgjnqkA] C:\WINDOWS\thgjnqkA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win32097-45512001] C:\WINDOWS\win32097-45512001.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [{F6-6B-B6-6F-ZN}] c:\windows\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\twinpqez.exe GID003
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [expsrv] "C:\Documents and Settings\ngo\expsrv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [XPAgent] C:\WINDOWS\system32\XPAgent.exe
O4 - HKCU\..\Run: [kbdth3] "C:\WINDOWS\system32\kbdth3.exe"
O4 - HKCU\..\Run: [msoeacct] "C:\WINDOWS\system32\msoeacct.exe"
O4 - HKCU\..\Run: [icaapi] "C:\WINDOWS\system32\icaapi.exe"
O4 - HKCU\..\Run: [netmsg] "C:\WINDOWS\system32\netmsg.exe"
O4 - HKCU\..\Run: [mfc42enu] "C:\WINDOWS\system32\mfc42enu.exe"
O4 - HKCU\..\Run: [untfs] "C:\WINDOWS\system32\untfs.exe"
O4 - HKCU\..\Run: [wmstream] "C:\WINDOWS\system32\wmstream.exe"
O4 - HKCU\..\Run: [ieencode] "C:\WINDOWS\system32\ieencode.exe"
O4 - HKCU\..\Run: [encdec] "C:\WINDOWS\system32\encdec.exe"
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [vmmanager] C:\WINDOWS\system32\vmmanager.exe
O4 - HKCU\..\Run: [test1] C:\WINDOWS\system32\test1.exe
O4 - HKCU\..\Run: [msvbvm50] C:\WINDOWS\system32\msvbvm50.exe
O4 - HKCU\..\Run: [ntvdmd] C:\WINDOWS\system32\ntvdmd.exe
O4 - HKCU\..\Run: [hotplug] C:\WINDOWS\system32\hotplug.exe
O4 - HKCU\..\Run: [Waio] "C:\PROGRA~1\COMMON~1\RACLE~1\alg.exe" -vt yazr
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [mrmi] C:\PROGRA~1\COMMON~1\mrmi\mrmim.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\RunOnce: [Del41] cmd /c del C:\DOCUME~1\ngo\LOCALS~1\Temp\BundleInstall.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twinpqez.exe
O4 - Startup: Z_Start.lnk = C:\ZIGID003.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\DVD5R\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicAcc...e/bridge-c8.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B933694-63E1-4135-82D1-1858031918E2}: NameServer = 69.19.189.116 66.81.0.252
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B933694-63E1-4135-82D1-1858031918E2}: NameServer = 69.19.189.116 66.81.0.252
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs303169587.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\arsnt.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\dzmstor.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bmdv\command.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\thgjnqk.exe
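An added example, not part of this thread or of HijackThis itself: a Python triage script that parses the F2, O4, O10, O17, O20 and O23 line formats from the log above and lists what a helper would check first, such as the extra executables appended to the Winlogon Shell and UserInit values (the kind of change a "Shell Possibly Compromised" warning refers to). The sample lines are copied from the log above; the drive-root autorun check is a heuristic of my own, not a HijackThis rule.

```python
"""Triage helper for HijackThis-style log lines (added example).

It does not remove anything; it only reads the log text and reports the
entries a helper would look at first. Sample lines below are copied from
the log posted in this thread.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jrnie.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,umumpar.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [defender] C:\\defender22.exe
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - Startup: Z_Start.lnk = C:\ZIGID003.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B933694-63E1-4135-82D1-1858031918E2}: NameServer = 69.19.189.116 66.81.0.252
O20 - AppInit_DLLs: repairs303169587.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bmdv\command.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# On Windows XP the Winlogon Shell and Userinit values normally hold exactly
# one program each; anything appended after a comma is also run at logon.
EXPECTED_WINLOGON = {"shell": "explorer.exe", "userinit": "userinit.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>\w+)=(?P<value>.+)$")
O4_RE = re.compile(
    r"^O4 - (?:HK\w+\\\.\.\\\w+: \[[^\]]*\]|(?:Global )?Startup: [^=]+=) (?P<cmd>.+)$"
)
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Heuristic (my own, not a HijackThis rule): an autorun that launches an
# executable sitting directly in the drive root deserves a look.
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\+[^\\]+\.exe$", re.IGNORECASE)


def split_components(value):
    """Split 'Explorer.exe, C:\\x\\jrnie.exe' into lower-cased file names."""
    parts = [p.strip().strip('"') for p in value.split(",") if p.strip()]
    return [re.split(r"[\\/]", p)[-1].lower() for p in parts]


def exe_path(cmd):
    """Return the program path from an O4 command line, quotes and arguments removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text):
    """Return a list of (category, detail) findings worth a closer look."""
    findings = []
    lsp_files = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := F2_RE.match(line):
            expected = EXPECTED_WINLOGON.get(m["key"].lower())
            extra = [c for c in split_components(m["value"]) if c != expected]
            if expected and extra:
                findings.append(("winlogon", f"{m['key']} has extra entries: {', '.join(extra)}"))
        elif m := O4_RE.match(line):
            path = exe_path(m["cmd"])
            if ROOT_EXE_RE.match(path):
                findings.append(("autorun-root", path))
        elif m := O10_RE.match(line):
            lsp_files[m["path"].lower()] += 1  # same unknown LSP is often listed repeatedly
        elif m := O17_RE.match(line):
            findings.append(("dns", m["servers"]))  # listed for review, not judged
        elif m := O20_RE.match(line):
            findings.append(("appinit", m["dlls"]))  # AppInit_DLLs load into every GUI process
        elif m := O23_RE.match(line):
            if m["owner"].lower() == "unknown owner":
                findings.append(("service-unknown-owner", m["path"]))
    for path, count in lsp_files.items():
        findings.append(("winsock-lsp", f"{path} (x{count})"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

The DNS servers and unknown-owner services are only listed for review; a Winsock LSP entry is reported with its repeat count because, as noted later in the thread, removing one carelessly can break the Internet connection.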

Offline guestolo

Malware?
« Reply #3 on: May 25, 2006, 08:37:17 AM »
You have a few problems on this computer
We should be able to clear it all however

Can you start with the following then we'll see where we stand

Can you download this tool please
LSPfix
Save and extract to desktop
Don't run it yet, we'll need it later

Download the latest version of Look2Me-Remover.exe by Atribune
and save it to your desktop

* Close all windows before continuing.
* Double-click Look2Me-Remover.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Remover will close and re-open in 1 minute. Click OK
* When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message, click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
* Your computer will then shutdown.
* After it has completed the shutdown>>Turn your computer back on.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

Back in Windows

Post back all the following please
Even if it takes more than one reply to do so

1. Post back a fresh hijackthis log
2. Post the report from Look2Me-Destroyer, which may be found on your desktop or at C:\Look2Me-Destroyer.txt

3. I would like to see a different log from Hijackthis, close and then reopen Hijackthis
Open the "Misc tools section">>Open the "Uninstall Manager">>Click the SAVE LIST button
Save the list to desktop then copy and paste back here the Whole contents please



Offline Run35c4p3H4ck3r

Malware?
« Reply #4 on: May 25, 2006, 10:50:49 AM »
Hey, if this is any help, I had something like that. I went into Safe Mode and then deleted it and it worked (Safe Mode: push F8 at system start-up, then choose Safe Mode).

Offline Ryugata

Malware?
« Reply #5 on: May 25, 2006, 07:48:36 PM »
[quote name=\'guestolo\' post=\'125736\' date=\'May 25 2006, 07:37 AM\']You have a few problems on this computer
We should be able to clear it all however

Can you start with the following then we'll see where we stand

Can you download this tool please
LSPfix
Save and extract to desktop
Don't run it yet, we'll need it later

Download the latest version of Look2Me-Remover.exe by Atribune
and save it to your desktop

* Close all windows before continuing.
* Double-click Look2Me-Remover.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Remover will close and re-open in 1 minute. Click OK

Okm
* When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message, click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
* Your computer will then shutdown.
* After it has completed the shutdown>>Turn your computer back on.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

Back in Windows

Post back all the following please
Even if it takes more than one reply to do so

1. Post back a fresh hijackthis log
2. Post the report from Look2Me-Destroyer, which may be found on your desktop or at C:\Look2Me-Destroyer.txt

3. I would like to see a different log from Hijackthis, close and then reopen Hijackthis
Open the "Misc tools section">>Open the "Uninstall Manager">>Click the SAVE LIST button
Save the list to desktop then copy and paste back here the Whole contents please[/quote]

Ok, for some reason, Look2me isn't responding. I did what you instructed and it froze when I clicked "Run this program as a task" :(

Offline guestolo

Malware?
« Reply #6 on: May 25, 2006, 07:56:46 PM »
Go to START>>RUN>>copy and paste the following command below in bold and then hit OK

sc start schedule

Then try the instructions again please with Look2me-destroyer



Offline Ryugata

Malware?
« Reply #7 on: May 25, 2006, 08:13:57 PM »
Nup, it's still not responding.... =__=

Offline guestolo

Malware?
« Reply #8 on: May 25, 2006, 08:15:10 PM »
That's OK, it's probably other malware interfering with the fix
Can you please post that uninstall list from Hijackthis please

We'll pick away at your problems till we have them all eliminated :)



Offline Ryugata

Malware?
« Reply #9 on: May 25, 2006, 08:23:16 PM »
[quote name=\'Run35c4p3H4ck3r\' post=\'125797\' date=\'May 25 2006, 09:50 AM\']Hey, if this is any help, I had something like that. I went into Safe Mode and then deleted it and it worked (Safe Mode: push F8 at system start-up, then choose Safe Mode).[/quote]

Thanks, I tried that but it didn't work D;

Offline guestolo

Malware?
« Reply #10 on: May 25, 2006, 08:27:40 PM »
Ryugata, are you with me on this :unsure:
I need to see that list from Hijackthis
Open Hijackthis
Open the "Misc tools section">>Open the "Uninstall Manager">>Click the SAVE LIST button
Save the list to desktop then copy and paste back here the Whole contents please


Run35c4p3H4ck3r>>Stay out of this thread unless you have something useful to add

Ryugata
If you want to stop what we are about to do, let me know, so we don't waste each other's time



Offline Ryugata

Malware?
« Reply #11 on: May 25, 2006, 08:41:13 PM »
^__^

Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Illustrator CS
Adobe Photoshop CS2
Adobe Reader 6.0.1
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
AIM+ (remove only)
Anti-Leech Plugin for Internet Explorer
AOL Instant Messenger
ArcSoft Camera Suite 1.3
BitTornado 0.3.8
Brother MFL Pro Suite
CC_ccStart
ccCommon
CDisplay 1.8
C-Media WDM Audio Driver
Command
Creative WebCam Center
Creative WebCam Live! Pro Driver (1.01.01.1011)
Creative WebCam Live! Pro User's Guide (English)
DivX
DivX Player
Enhanced Ads by Zeno removal
Get Yahoo! Messenger
GSpot Codec Information Appliance
Hijackthis 1.99.1
HijackThis 1.99.1
ICQ  Toolbar
ICQ 5
IE Help
InterActual Player
InterVideo WinDVD Recorder 5
Java 2 Runtime Environment Standard Edition v1.3.1_04
KC Softwares VideoInspector
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
LJ.NET
LrcEdit 1.0
Macromedia Flash Player 8
Macromedia Shockwave Player
Mario Forever v 2.16 !
Media Access
Microsoft .NET Framework 1.1
Microsoft Office Standard Edition 2003
Microsoft Windows Journal Viewer
mIRC
Mozilla Firefox (1.5)
MP30x Tools1.0
MSN
MSN Messenger 7.5
MSRedist
Nero OEM
Network Monitor
New.net Domains 7.22
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton WMI Update
PaperPort 8.0 SE
RadLight 4 BETA 1 (remove only)
RealPlayer
RelevantKnowledge
S3 S3Chromo
S3 S3Config3D
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
S3 S3RefreshLock
S3 S3TrayPlus
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Snowball Wars by OIN
Spybot - Search & Destroy 1.3
SpyHunter
Surf SideKick
Symantec Script Blocking Installer
SymNet
Synapse Media Player
TrustSiteX 1.0 Control
TSA
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VobSub v2.23 (Remove Only)
Web Nexus Network
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Overlay Components
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
WinZip
XviD MPEG-4 Video Codec
Yahoo! extras
Yahoo! Install Manager
Yahoo! Messenger
YSIGet
Zeno Search Assistant removal

Offline guestolo

Malware?
« Reply #12 on: May 25, 2006, 08:55:00 PM »
Some of the problems you have are going to need special tools
Others may remove easily

Can you do the following please
A couple of entries in your log may cause a loss of Internet connection if improperly removed
I know you have LSP fix, but can I also have you download and save to your desktop
Winsockfix XP
Don't run it, just leave it there in case we need it

Access your add/remove programs
Remove all the following please, IF you can
If you can't remove something, just carry on
Reboot after you have removed all that you can from the list I posted below

Command
Enhanced Ads by Zeno removal
Media Access
Network Monitor
New.net Domains 7.22
RelevantKnowledge
Surf SideKick
TSA
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Web Nexus Network
Windows Overlay Components
Zeno Search Assistant removal


After you have removed the above, or as many of the above as you can,
Finally, remove
Spybot - Search & Destroy 1.3
Spybot is a great program, but your version is outdated, we'll get you the latest version later

Finally, reboot the computer

Back in Windows

Try and run Look2Me-Destroyer again with the instructions I gave earlier
If it won't run, that's fine
If it will run Post the log from it please

Along with a fresh hijackthis log

If Look2me-destroyer still won't run, can you do the following
Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT:  Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work.

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application."... then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.



Offline Ryugata

Malware?
« Reply #13 on: May 25, 2006, 09:38:24 PM »
YAY! Look2Me is running~ OK, I got everything out except "Command"

Here are the lists:
Look2Me log:
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 5/25/2006 7:23:11 PM

Infected! C:\WINDOWS\system32\arsnt.dll
Infected! C:\WINDOWS\system32\dzmstor.dll
Infected! C:\WINDOWS\system32\arsnt.dll
Infected! C:\WINDOWS\system32\dzmstor.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\arsnt.dll
C:\WINDOWS\system32\arsnt.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dzmstor.dll
C:\WINDOWS\system32\dzmstor.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\arsnt.dll
C:\WINDOWS\system32\arsnt.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dzmstor.dll
C:\WINDOWS\system32\dzmstor.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A7E0209B-5E89-4238-A94A-34616BA3CBD6}"
HKCR\Clsid\{A7E0209B-5E89-4238-A94A-34616BA3CBD6}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6953E308-BD96-4820-A323-FD7462417385}"
HKCR\Clsid\{6953E308-BD96-4820-A323-FD7462417385}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

The Hijackthis list:
Logfile of HijackThis v1.99.1
Scan saved at 7:31:14 PM, on 5/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\bmdv\command.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\defender22.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\win32097-45512001.exe
C:\WINDOWS\system32\XPAgent.exe
C:\WINDOWS\system32\msvbvm50.exe
C:\WINDOWS\system32\ntvdmd.exe
C:\WINDOWS\system32\hotplug.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\COMMON~1\RACLE~1\alg.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\InterVideo\DVD5R\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jrnie.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,umumpar.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30848B2D-18F3-4DAE-8C1A-6DFD7503DDDA} - \
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7F82BC50-AB36-41CE-899E-A22084FCCA87} - \
O2 - BHO: (no name) - {AFAADE19-A460-E700-9A96-FABD204885D2} - C:\Program Files\cdmagent\knerdlxewb.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [defender] C:\\defender22.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard22.exe
O4 - HKLM\..\Run: [newname] C:\\newname22.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win32097-45512001] C:\WINDOWS\win32097-45512001.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\twinpqez.exe GID003
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [expsrv] "C:\Documents and Settings\ngo\expsrv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [XPAgent] C:\WINDOWS\system32\XPAgent.exe
O4 - HKCU\..\Run: [kbdth3] "C:\WINDOWS\system32\kbdth3.exe"
O4 - HKCU\..\Run: [msoeacct] "C:\WINDOWS\system32\msoeacct.exe"
O4 - HKCU\..\Run: [icaapi] "C:\WINDOWS\system32\icaapi.exe"
O4 - HKCU\..\Run: [netmsg] "C:\WINDOWS\system32\netmsg.exe"
O4 - HKCU\..\Run: [mfc42enu] "C:\WINDOWS\system32\mfc42enu.exe"
O4 - HKCU\..\Run: [untfs] "C:\WINDOWS\system32\untfs.exe"
O4 - HKCU\..\Run: [wmstream] "C:\WINDOWS\system32\wmstream.exe"
O4 - HKCU\..\Run: [ieencode] "C:\WINDOWS\system32\ieencode.exe"
O4 - HKCU\..\Run: [encdec] "C:\WINDOWS\system32\encdec.exe"
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [vmmanager] C:\WINDOWS\system32\vmmanager.exe
O4 - HKCU\..\Run: [test1] C:\WINDOWS\system32\test1.exe
O4 - HKCU\..\Run: [msvbvm50] C:\WINDOWS\system32\msvbvm50.exe
O4 - HKCU\..\Run: [ntvdmd] C:\WINDOWS\system32\ntvdmd.exe
O4 - HKCU\..\Run: [hotplug] C:\WINDOWS\system32\hotplug.exe
O4 - HKCU\..\Run: [Waio] "C:\PROGRA~1\COMMON~1\RACLE~1\alg.exe" -vt yazr
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [mrmi] C:\PROGRA~1\COMMON~1\mrmi\mrmim.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twinpqez.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\DVD5R\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicAcc...e/bridge-c8.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bmdv\command.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you so much for helping me. I really appreciate it :3

Offline guestolo

Malware?
« Reply #14 on: May 25, 2006, 09:47:45 PM »
Good work
Onto the next step,  I want to ensure we get you totally clean
So  stick with me until we are completely done please

Please download Brute Force Uninstaller to your desktop. (rightclick on this link and choose save as, if using IE save target as)
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
  • Download qoofix.bat (rightclick on this link and choose save as, if using IE save target as)
  • Place qoofix.bat in your C:\BFU - folder. (Important!)
  • Double-click qooFix.bat, Close all browsers and explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • After the PC has restarted please post another hijackthis log.
« Last Edit: May 25, 2006, 09:51:15 PM by guestolo »



Offline Ryugata

Malware?
« Reply #15 on: May 25, 2006, 10:18:30 PM »
New list:

Logfile of HijackThis v1.99.1
Scan saved at 8:14:47 PM, on 5/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\bmdv\command.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\defender22.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\win32097-45512001.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\XPAgent.exe
C:\WINDOWS\system32\kbdth3.exe
C:\WINDOWS\system32\msvbvm50.exe
C:\WINDOWS\system32\ntvdmd.exe
C:\WINDOWS\system32\hotplug.exe
C:\PROGRA~1\COMMON~1\RACLE~1\alg.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\InterVideo\DVD5R\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\system32\twinpqez.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30848B2D-18F3-4DAE-8C1A-6DFD7503DDDA} - \
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7F82BC50-AB36-41CE-899E-A22084FCCA87} - \
O2 - BHO: (no name) - {AFAADE19-A460-E700-9A96-FABD204885D2} - C:\Program Files\cdmagent\knerdlxewb.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [defender] C:\\defender22.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard22.exe
O4 - HKLM\..\Run: [newname] C:\\newname22.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win32097-45512001] C:\WINDOWS\win32097-45512001.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\twinpqez.exe GID003
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [expsrv] "C:\Documents and Settings\ngo\expsrv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [XPAgent] C:\WINDOWS\system32\XPAgent.exe
O4 - HKCU\..\Run: [kbdth3] "C:\WINDOWS\system32\kbdth3.exe"
O4 - HKCU\..\Run: [icaapi] "C:\WINDOWS\system32\icaapi.exe"
O4 - HKCU\..\Run: [netmsg] "C:\WINDOWS\system32\netmsg.exe"
O4 - HKCU\..\Run: [untfs] "C:\WINDOWS\system32\untfs.exe"
O4 - HKCU\..\Run: [wmstream] "C:\WINDOWS\system32\wmstream.exe"
O4 - HKCU\..\Run: [encdec] "C:\WINDOWS\system32\encdec.exe"
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [vmmanager] C:\WINDOWS\system32\vmmanager.exe
O4 - HKCU\..\Run: [test1] C:\WINDOWS\system32\test1.exe
O4 - HKCU\..\Run: [msvbvm50] C:\WINDOWS\system32\msvbvm50.exe
O4 - HKCU\..\Run: [ntvdmd] C:\WINDOWS\system32\ntvdmd.exe
O4 - HKCU\..\Run: [hotplug] C:\WINDOWS\system32\hotplug.exe
O4 - HKCU\..\Run: [Waio] "C:\PROGRA~1\COMMON~1\RACLE~1\alg.exe" -vt yazr
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [mrmi] C:\PROGRA~1\COMMON~1\mrmi\mrmim.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twinpqez.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\DVD5R\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicAcc...e/bridge-c8.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bmdv\command.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Offline guestolo

Malware?
« Reply #16 on: May 25, 2006, 10:44:59 PM »
Next step: Let's get you that updated Spybot and a couple other tools

But first
RIGHT CLICK HERE
 and choose "Save As" (in IE it's "Save Target As") in order to download Alcanshorty.bfu.
Save it in the folder you made earlier (C:\BFU)
So you now have C:\Bfu\alcanshorty.bfu

==Download and install Windows CleanUp! 4.5.1
Don't run this yet

Download and Install Spybot 1.4 from
HERE
 or HERE
Don't activate the Tea Timer when installing, it's a great feature but can get in the way
of any fixes we may still have to do
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After update is complete
Close it as we will need it later
NOTE: If you get a bad checksum error when updating, try a different download location from the top dropdown menubar

==Download and then Install
Ewido anti-malware 3.5

When installing, under "Additional Options" UNCHECK
 
    "Install background guard"
     "Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the auto updater won't work
Please manually update from this link
http://www.ewido.net/en/download/updates/

Please save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!


If you have trouble getting into safe mode, let me know, if you don't have any problems carry on with the below
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu
In safe mode

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
NOTE: When you first run cleanup, it may prompt to run in demo mode, decline it as we want to run the actual cleanup on your computer
When it's done>>Click Close
DECLINE to Log off or Restart the computer

=Open the C:\BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to alcanshorty.bfu in the C:\BFU folder
Right click alcanshorty.bfu and choose Select
In Brute Force Uninstaller select Execute
Wait for the "complete script execution" box to pop up and press OK.
Press exit to terminate the BFU program.

==Open Spybot 1.4
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED

Remain in safe mode
==Open Ewido Anti-malware
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to the desktop or someplace you will remember
Exit Ewido
NOTE: When Ewido is running, don't open any other windows, let it run uninterrupted

Do a "System scan only" with Hijackthis and put a check next to these entries:
Not all below may show, but put a check beside the ones that you see from the below list

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: (no name) - {30848B2D-18F3-4DAE-8C1A-6DFD7503DDDA} - \
O2 - BHO: (no name) - {7F82BC50-AB36-41CE-899E-A22084FCCA87} - \
O2 - BHO: (no name) - {AFAADE19-A460-E700-9A96-FABD204885D2} - C:\Program Files\cdmagent\knerdlxewb.dll (file missing)

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [defender] C:\\defender22.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard22.exe
O4 - HKLM\..\Run: [newname] C:\\newname22.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win32097-45512001] C:\WINDOWS\win32097-45512001.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\twinpqez.exe GID003

O4 - HKCU\..\Run: [expsrv] "C:\Documents and Settings\ngo\expsrv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [XPAgent] C:\WINDOWS\system32\XPAgent.exe
O4 - HKCU\..\Run: [kbdth3] "C:\WINDOWS\system32\kbdth3.exe"
O4 - HKCU\..\Run: [icaapi] "C:\WINDOWS\system32\icaapi.exe"

O4 - HKCU\..\Run: [untfs] "C:\WINDOWS\system32\untfs.exe"
O4 - HKCU\..\Run: [wmstream] "C:\WINDOWS\system32\wmstream.exe"

O4 - HKCU\..\Run: [encdec] "C:\WINDOWS\system32\encdec.exe"
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [vmmanager] C:\WINDOWS\system32\vmmanager.exe
O4 - HKCU\..\Run: [test1] C:\WINDOWS\system32\test1.exe
O4 - HKCU\..\Run: [msvbvm50] C:\WINDOWS\system32\msvbvm50.exe
O4 - HKCU\..\Run: [ntvdmd] C:\WINDOWS\system32\ntvdmd.exe
O4 - HKCU\..\Run: [hotplug] C:\WINDOWS\system32\hotplug.exe
O4 - HKCU\..\Run: [Waio] "C:\PROGRA~1\COMMON~1\RACLE~1\alg.exe" -vt yazr
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [mrmi] C:\PROGRA~1\COMMON~1\mrmi\mrmim.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twinpqez.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)


If you didn't manually add these entries to your trusted zones, check them too

O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr


Carry on with these ones if found

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicAcc...e/bridge-c8.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bmdv\command.exe


After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis


Reboot back to Normal mode
I need to see the following

1. Run a Scan and save logfile with Hijackthis and post a fresh log
2. Post the whole report from Ewido
« Last Edit: May 25, 2006, 10:48:29 PM by guestolo »



Offline Ryugata

Malware?
« Reply #17 on: May 26, 2006, 12:34:58 AM »
[quote name='guestolo' post='126167' date='May 25 2006, 09:44 PM']Next step: Let's get you that updated Spybot and a couple other tools

But first
RIGHT CLICK HERE
 and choose "Save As" (in IE it's "Save Target As") in order to download Alcanshorty.bfu.
Save it in the folder you made earlier (C:\BFU)
So you now have C:\Bfu\alcanshorty.bfu

==Download and install Windows CleanUp! 4.5.1
Don't run this yet

Download and Install Spybot 1.4 from
HERE
 or HERE
Don't activate the Tea Timer when installing, it's a great feature but can get in the way
of any fixes we may still have to do
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After update is complete
Close it as we will need it later
NOTE: If you get a bad checksum error when updating, try a different download location from the top dropdown menubar

==Download and then Install
Ewido anti-malware 3.5

When installing, under "Additional Options" UNCHECK
 
    "Install background guard"
     "Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the auto updater won't work
Please manually update from this link
http://www.ewido.net/en/download/updates/

Please save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!


If you have trouble getting into safe mode, let me know, if you don't have any problems carry on with the below
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu
In safe mode

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
NOTE: When you first run cleanup, it may prompt to run in demo mode, decline it as we want to run the actual cleanup on your computer
When it's done>>Click Close
DECLINE to Log off or Restart the computer

=Open the C:\BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to alcanshorty.bfu in the C:\BFU folder
Right click alcanshorty.bfu and choose Select
In Brute Force Uninstaller select Execute
Wait for the "complete script execution" box to pop up and press OK.
Press exit to terminate the BFU program.

==Open Spybot 1.4
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED

Remain in safe mode
==Open Ewido Anti-malware
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to the desktop or someplace you will remember
Exit Ewido
NOTE: When Ewido is running, don't open any other windows, let it run uninterrupted

Do a "System scan only" with Hijackthis and put a check next to these entries:
Not all below may show, but put a check beside the ones that you see from the below list

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: (no name) - {30848B2D-18F3-4DAE-8C1A-6DFD7503DDDA} - \
O2 - BHO: (no name) - {7F82BC50-AB36-41CE-899E-A22084FCCA87} - \
O2 - BHO: (no name) - {AFAADE19-A460-E700-9A96-FABD204885D2} - C:\Program Files\cdmagent\knerdlxewb.dll (file missing)

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [defender] C:\\defender22.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard22.exe
O4 - HKLM\..\Run: [newname] C:\\newname22.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win32097-45512001] C:\WINDOWS\win32097-45512001.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\twinpqez.exe GID003

O4 - HKCU\..\Run: [expsrv] "C:\Documents and Settings\ngo\expsrv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [XPAgent] C:\WINDOWS\system32\XPAgent.exe
O4 - HKCU\..\Run: [kbdth3] "C:\WINDOWS\system32\kbdth3.exe"
O4 - HKCU\..\Run: [icaapi] "C:\WINDOWS\system32\icaapi.exe"

O4 - HKCU\..\Run: [untfs] "C:\WINDOWS\system32\untfs.exe"
O4 - HKCU\..\Run: [wmstream] "C:\WINDOWS\system32\wmstream.exe"

O4 - HKCU\..\Run: [encdec] "C:\WINDOWS\system32\encdec.exe"
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [vmmanager] C:\WINDOWS\system32\vmmanager.exe
O4 - HKCU\..\Run: [test1] C:\WINDOWS\system32\test1.exe
O4 - HKCU\..\Run: [msvbvm50] C:\WINDOWS\system32\msvbvm50.exe
O4 - HKCU\..\Run: [ntvdmd] C:\WINDOWS\system32\ntvdmd.exe
O4 - HKCU\..\Run: [hotplug] C:\WINDOWS\system32\hotplug.exe
O4 - HKCU\..\Run: [Waio] "C:\PROGRA~1\COMMON~1\RACLE~1\alg.exe" -vt yazr
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [mrmi] C:\PROGRA~1\COMMON~1\mrmi\mrmim.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twinpqez.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)


If you didn't manually add these entries to your trusted zones, check them too

O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr


Carry on with these ones if found

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicAcc...e/bridge-c8.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bmdv\command.exe


After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot back to Normal mode
I need to see the following

1. Run a Scan and save logfile with Hijackthis and post a fresh log
2. Post the whole report from Ewido's[/quote]

I'm sorry this is taking so long but my computer is really lagging right now. For the cleanup! part, will it delete all the files on my computer?

Offline Ryugata
Malware?
« Reply #18 on: May 26, 2006, 02:47:31 AM »
Hijackthis list:
Logfile of HijackThis v1.99.1
Scan saved at 12:15:24 AM, on 5/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\InterVideo\DVD5R\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [test1] C:\WINDOWS\system32\test1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\DVD5R\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

And Ewido's list:
---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         12:03:27 AM, 5/26/2006
 + Report-Checksum:      4DB4B078

 + Scan result:

   HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup
   C:\bintheredunthat\comscore.exe -> Dropper.Agent.hl : Cleaned with backup
   C:\Documents and Settings\ngo\atl70.exe -> Downloader.Agent.am : Cleaned with backup
   C:\Documents and Settings\ngo\dpnhupnp.exe -> Downloader.Agent.am : Cleaned with backup
   C:\Documents and Settings\ngo\expsrv.exe -> Downloader.Small : Cleaned with backup
   C:\Documents and Settings\ngo\My Documents\Downloads\Fastmp3_Setup.exe -> Downloader.Agent.am : Cleaned with backup
   C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
   C:\Program Files\Amazing CD & DVD Burner\Partner\installer_NPS.exe -> Downloader.Adload.a : Cleaned with backup
   C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup
   C:\Program Files\Common Files\misc001\webhc1.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
   C:\Program Files\Common Files\Оracle\alg.exe -> Downloader.PurityScan.cl : Cleaned with backup
   C:\Program Files\se -> Adware.WindowEnhancer : Cleaned with backup
   C:\Program Files\se\Data -> Adware.WindowEnhancer : Cleaned with backup
   C:\Program Files\se\Data\app.dat -> Adware.WindowEnhancer : Cleaned with backup
   C:\Program Files\se\Data\bm.dat -> Adware.WindowEnhancer : Cleaned with backup
   C:\Program Files\se\v11 -> Adware.WindowEnhancer : Cleaned with backup
   C:\Program Files\Snowball Wars\SnowballWars.exe -> Dropper.VB.mz : Cleaned with backup
   C:\SS1001.exe -> Dropper.Small.qn : Cleaned with backup
   C:\VSL.dl_ -> Downloader.Small.ctp : Cleaned with backup
   C:\warebundle.exe -> Adware.Look2Me : Cleaned with backup
   C:\WINDOWS\bmdv\asappsrv.dll -> Adware.CommAd : Cleaned with backup
   C:\WINDOWS\bmdv\command.exe -> Adware.CommAd : Cleaned with backup
   C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
   C:\WINDOWS\SS1001.exe -> Dropper.Small.qn : Cleaned with backup
   C:\WINDOWS\system32\catsrvut.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\diskcopy.exe -> Downloader.Agent.am : Cleaned with backup
   C:\WINDOWS\system32\encdec.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\expsrv.exe -> Downloader.Agent.am : Cleaned with backup
   C:\WINDOWS\system32\fmifs.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\hid.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\hnetwiz.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\icaapi.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\ieakeng.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\ifsutil.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\ir50_qcx.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\jit.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\kbdth3.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\mfc42enu.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\MSAgentXP.exe -> Downloader.Reqlook.c : Cleaned with backup
   C:\WINDOWS\system32\msftedit.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\msoeacct.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\msvcp70.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\mtxlegih.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\netmsg.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\ntmsdba.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\pautoenr.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\rasmans.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\sfcfiles.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\sqlwoa.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\srvsvc.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\sysinv.exe -> Downloader.Agent.am : Cleaned with backup
   C:\WINDOWS\system32\test.bmp -> Downloader.Reqlook.d : Cleaned with backup
   C:\WINDOWS\system32\twnlib20.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\untfs.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\vbajet32.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\wiaservc.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\wmstream.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\wshisn.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\wshtcpip.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\XPAgent.exe -> Downloader.Agent.acr : Cleaned with backup
   C:\WINDOWS\system32\xvidcore.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\xvidvfw.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup
   C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup
   C:\WINDOWS\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
   C:\WINDOWS\win32097-45512001.exe -> Adware.Enbrow : Cleaned with backup
   C:\ZIGID003.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End
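The helper's instructions above work by listing HijackThis entries to tick, and the follow-up reply then has to compare the fresh log against that list to see what survived the fix. Below is an added example of that comparison in Python; it is not code from the original thread, from HijackThis or from any of the tools mentioned. It parses the `Oxx - ...` / `Rx - ...` lines of a HijackThis log, reports which entries from a fix list are still present, and adds three defender-side hints that the logs in this thread illustrate: an entry whose target is `(file missing)` or `(no file)`, an executable sitting directly in the drive root (such as the `C:\\defender22.exe` entries), and a non-ASCII character in a path (the Ewido report lists a `Common Files\Оracle` folder that the HijackThis line renders as the 8.3 name `RACLE~1`, consistent with a first character that is not plain ASCII). The `FIX_LIST` and `FRESH_LOG` strings are constructed samples assembled from lines in this thread for the demonstration, not a real post-fix log, and the hints are prompts for a human reviewer rather than verdicts.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One HijackThis entry line: a section code (R0..R3, O1..O23), " - ", then the body.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path in an entry body, up to the executable/library/shortcut name.
DRIVE_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|lnk)", re.IGNORECASE)
# A file whose parent is the drive root, e.g. C:\SS1001.exe or C:\\defender22.exe.
ROOT_FILE = re.compile(r"[A-Za-z]:\\+[^\\]+")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    def key(self) -> tuple[str, str]:
        # HijackThis mixes System32/system32 and forum posts re-wrap whitespace,
        # so compare case-insensitively with whitespace collapsed.
        return (self.section, " ".join(self.body.split()).lower())


def parse_hjt(text: str) -> list[Entry]:
    """Extract the entry lines from a HijackThis log, ignoring the process list and headers."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body").strip()))
    return entries


def remaining(fix_list: str, fresh_log: str) -> list[Entry]:
    """Entries from the helper's fix list that still appear in a fresh log."""
    wanted = {e.key() for e in parse_hjt(fix_list)}
    return [e for e in parse_hjt(fresh_log) if e.key() in wanted]


def flag_entries(log: str) -> dict[str, list[str]]:
    """Map each suspicious entry line to the list of reasons it was flagged."""
    flags: dict[str, list[str]] = {}
    for e in parse_hjt(log):
        reasons = []
        if "(file missing)" in e.body or "(no file)" in e.body:
            reasons.append("file missing")
        m = DRIVE_PATH.search(e.body)
        if m:
            path = m.group(0)
            if ROOT_FILE.fullmatch(path):
                reasons.append("executable in drive root")
            if any(ord(c) > 127 for c in path):
                reasons.append("non-ASCII character in path")
        if reasons:
            flags[f"{e.section} - {e.body}"] = reasons
    return flags


# Constructed sample: a subset of the entries the helper asked to have ticked.
FIX_LIST = r"""
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [test1] C:\WINDOWS\system32\test1.exe
O4 - HKCU\..\Run: [untfs] "C:\WINDOWS\system32\untfs.exe"
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
"""

# Constructed sample "fresh" log mixing lines from the thread; not a real post-fix log.
FRESH_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [test1] C:\WINDOWS\system32\test1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Waio] "C:\Program Files\Common Files\Оracle\alg.exe" -vt yazr
O4 - HKLM\..\Run: [defender] C:\\defender22.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

if __name__ == "__main__":
    for e in remaining(FIX_LIST, FRESH_LOG):
        print("still present:", e.section, "-", e.body)
    for line, reasons in flag_entries(FRESH_LOG).items():
        print("review:", line, "->", ", ".join(reasons))
```

Run against the samples, `remaining` reports the two `test`/`test1` Run entries and the WeatherBug button (the `untfs` entry is gone), which matches what the helper asks to be fixed in the next reply; `flag_entries` marks the WeatherBug line for its missing file, the `defender22.exe` line for living in the drive root, and the `Waio` line for the non-ASCII folder name.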

Offline guestolo
Malware?
« Reply #19 on: May 26, 2006, 08:57:00 AM »
Looking good, still a bit of cleanup to do
Go to START>>RUN>>copy and paste the next command into the open field then hit OK
sc delete cmdService

Can you do the following please
Do a "Scan only" with Hijackthis and put a check next to these entries:

O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [test1] C:\WINDOWS\system32\test1.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

Back in Windows
Open Hijackthis>>Open Misc tools section>>Open Uninstall Manager
Left click to Highlight Command if found and click the Delete This Entry button
Ok the prompt
Exit Hijackthis

Your Java is way out of date, we need to update it
Access your add/remove programs and remove
Java 2 Runtime Environment Standard Edition v1.3.1_04
Afterwards, go to the following link to update Java
http://www.java.com/en/download/manual.jsp
I find the Windows OFFLINE installation the best
Save the installer to desktop
Double click to install, follow the prompts

Use Internet Explorer and go to this website
Panda ActiveScan
Before running the online virus scan, you may want to disable Norton's autoprotect
    * Once you are on the Panda site click the Scan your PC button.
    * A new window will open...click the big Check Now button.
    * Enter your Country.
    * Enter your State/Province.
    * Enter your e-mail address.
    * Select either "Home User or Company."
    * Click the big Scan Now button.
    * Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
    * Click on My Computer to start the scan.

When the scan is complete, click See Report, then click Save Report and save it to your Desktop.

Reboot the computer

Come back here
Post a fresh hijackthis log and the whole report from Panda's please
« Last Edit: May 26, 2006, 09:00:52 AM by guestolo »
