#1 Mike H
Authentic Member, 52 posts

Posted 04 April 2007 - 01:42 AM

I hope I am posting to the right section. Many times I have tried to open the 'new topic' page, but I have been unable to do so. I wonder if it is a symptom of the malware now in my computer.

Several issues: popups; spontaneous explorer pages open to eBay or other commercial sites; all my emails show up as blank when I open them; the computer is slowed up; the computer closes with 60 seconds' notice with a message "services and controller app has encountered a problem" (then another message saying it will be closed by the NT authority in 50 secs); other problems.

Here is my AVG log (followed by my HijackThis log):
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:10:18 PM 4/3/2007

+ Scan result:



C:\RECYCLER\S-1-5-18\Dc1\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B07054B-0478-43FC-AADE-A408449A14C3}\RP348\A0033327.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B07054B-0478-43FC-AADE-A408449A14C3}\RP361\A0044701.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B07054B-0478-43FC-AADE-A408449A14C3}\RP364\A0052882.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B07054B-0478-43FC-AADE-A408449A14C3}\RP361\A0044702.exe -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B07054B-0478-43FC-AADE-A408449A14C3}\RP361\A0044691.exe -> Backdoor.Agent.aju : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B07054B-0478-43FC-AADE-A408449A14C3}\RP361\A0044692.exe -> Backdoor.Agent.aju : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B07054B-0478-43FC-AADE-A408449A14C3}\RP349\A0033359.exe -> Downloader.Zlob : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B07054B-0478-43FC-AADE-A408449A14C3}\RP361\A0044700.sys -> Rootkit.Agent.dh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B07054B-0478-43FC-AADE-A408449A14C3}\RP361\A0044697.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B07054B-0478-43FC-AADE-A408449A14C3}\RP361\A0044693.exe -> Worm.Zhelatin.ce : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B07054B-0478-43FC-AADE-A408449A14C3}\RP361\A0044694.exe -> Worm.Zhelatin.ce : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B07054B-0478-43FC-AADE-A408449A14C3}\RP361\A0044695.exe -> Worm.Zhelatin.ce : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__a_d_i_r_k_a_._e_x_e_ -> Worm.Zhelatin.ce : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B07054B-0478-43FC-AADE-A408449A14C3}\RP361\A0044699.exe -> Worm.Zhelatin.cf : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sca.exe -> Worm.Zhelatin.cg : Cleaned with backup (quarantined).
C:\WINDOWS\system32\smt.exe -> Worm.Zhelatin.cg : Cleaned with backup (quarantined).


::Report end

Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:40:52 AM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ipwindows\ipwins.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe



C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6CAAFCFF-0D0D-7E90-DFA0-07121518D152} - C:\WINDOWS\system32\wvtetoi.dll
O2 - BHO: (no name) - {6E9A8865-44A0-1154-A34B-67E3389FFFC9} - C:\WINDOWS\system32\dhthkbei.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: 0 - {A3EC8848-59D5-41B4-CF82-DB69B8462960} - C:\Program Files\Internet Explorer\qucaw.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [adirka] C:\WINDOWS\system32\adirka.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay11...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136866715612
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1151131197821
O17 - HKLM\System\CCS\Services\Tcpip\..\{22977208-5E3F-4CEF-AE28-C78E5F2BB5EF}: NameServer = 85.255.116.94 85.255.112.88
O17 - HKLM\System\CS3\Services\Tcpip\..\{22977208-5E3F-4CEF-AE28-C78E5F2BB5EF}: NameServer = 85.255.116.94 85.255.112.88
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjre32 - winjre32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Edited by Mike H, 04 April 2007 - 01:45 AM.
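A HijackThis log like the one above can be triaged mechanically for the kinds of entries the helpers look at first: O17 resolvers the owner never configured, unnamed or missing BHOs, unfamiliar Winlogon Notify packages, and services whose binary is gone. The Python below is an added example, not code from the thread or from HijackThis; it parses the O2, O17, O20 and O23 lines copied from the log above. The expected resolver address, the known-good Winlogon Notify names and the known-good BHO DLL names are assumptions chosen for illustration.

```python
import ipaddress
import re

# Assumed for illustration: the resolver this machine is expected to use
# (a home router). Any other address in an O17 line deserves a look.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Assumed known-good Winlogon Notify packages on a stock Windows XP SP2 install.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScAccessNotification",
                "ScCertProp", "Schedule", "sclgntfy", "SensLogn", "termsrv",
                "wlballoon", "WgaLogon"}

# Assumed known-good BHO DLLs (Adobe Reader, Spybot S&D, Sun Java), lower-case.
KNOWN_BHO_DLLS = {"acroiehelper.dll", "sdhelper.dll", "ssv.dll"}

O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
MISSING = "(file missing)"


def triage(log_text):
    """Return (section, item, reason) tuples for HijackThis entries worth review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = O17_RE.match(line)
        if m:
            # All resolvers not on the expected list go into one finding per line.
            bad = [ip for ip in m.group(1).split() if ip not in EXPECTED_RESOLVERS]
            if bad:
                public = all(ipaddress.ip_address(ip).is_global for ip in bad)
                scope = "public" if public else "non-public"
                findings.append(("O17", " ".join(bad), f"unexpected {scope} DNS resolver(s)"))
            continue

        m = O2_RE.match(line)
        if m:
            name, path = m.groups()
            base = path.replace(" " + MISSING, "").rsplit("\\", 1)[-1].lower()
            if MISSING in path:
                findings.append(("O2", base, "BHO registered but its DLL is missing"))
            elif name in ("(no name)", "0") and base not in KNOWN_BHO_DLLS:
                findings.append(("O2", base, "unnamed BHO outside the known-good list"))
            continue

        m = O20_RE.match(line)
        if m:
            name, path = m.groups()
            if MISSING in path:
                findings.append(("O20", name, "Winlogon Notify DLL is missing"))
            elif name not in KNOWN_NOTIFY:
                findings.append(("O20", name, "Winlogon Notify package outside the known-good list"))
            continue

        m = O23_RE.match(line)
        if m:
            svc, _owner, path = m.groups()
            if MISSING in path:
                findings.append(("O23", svc, "service binary is missing"))
            elif not re.match(r"^[A-Za-z]:\\", path):
                findings.append(("O23", svc, "service image path is not an absolute path"))
    return findings


# Lines copied from the HijackThis log posted above (O4/O9/O16 lines omitted
# because the checks here do not look at them).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6CAAFCFF-0D0D-7E90-DFA0-07121518D152} - C:\WINDOWS\system32\wvtetoi.dll
O2 - BHO: (no name) - {6E9A8865-44A0-1154-A34B-67E3389FFFC9} - C:\WINDOWS\system32\dhthkbei.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: 0 - {A3EC8848-59D5-41B4-CF82-DB69B8462960} - C:\Program Files\Internet Explorer\qucaw.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{22977208-5E3F-4CEF-AE28-C78E5F2BB5EF}: NameServer = 85.255.116.94 85.255.112.88
O17 - HKLM\System\CS3\Services\Tcpip\..\{22977208-5E3F-4CEF-AE28-C78E5F2BB5EF}: NameServer = 85.255.116.94 85.255.112.88
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjre32 - winjre32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {item:32} {reason}")
```

Run against the sample it reports nine entries. The two O17 lines are the one that matters most: both profiles point at public resolvers the owner never set, which is why the instructions in the next post put the interface back to obtaining DNS automatically and flush the resolver cache.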


#2 bob4
MalwareTeam Emeritus, 2,205 posts

Posted 04 April 2007 - 05:07 AM

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!
Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!

You have several serious infections on this machine, probably because you have no antivirus active and running.
AVG Anti-Malware is a good program but is designed to run alongside your antivirus program. It does not take the place of one.




It looks like you have been infected by a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

It's very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing what has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to back up your information, reformat, and reinstall.

More information on Remote Access Trojans can be found here.

I suggest you do the following immediately:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
If this were on my machine I would reformat it now.


If you would like to try and fix this I will do my best to help you. But I cannot guarantee the security of your computer.



Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.


Next:
Click Start> Run> type in CMD tap enter key
Copy/Paste: ipconfig /flushdns



Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.


If you have internet connection problems do this:

Please go to Start -> Control Panel, and choose Network Connections.
Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.



________________________________________________________________

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe


Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

C:\fixwareout\report.txt

Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go Start > Run, type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)


_______________________________________

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

_____________________________________________________



1. Download Combo fix from one of these locations.
http://www.techsuppo...Bs/ComboFix.exe
http://download.blee...Bs/ComboFix.exe

combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

_______________________________________



I see no signs of an antivirus program. I suggest you get one in ASAP.
I will list 2 free anti virus programs just choose 1.

AVG FREE

Avast

Download and install one of these and run a full scan.


In your next reply I would like to see:
  • A new HJT log
  • The report from Wareout
  • The report from S&D fix
  • The report from Vundo
  • The report from combo fix

Edited by bob4, 04 April 2007 - 05:12 AM.


#3 Mike H
Authentic Member, 52 posts

Posted 04 April 2007 - 01:13 PM

Hi, I will do as you say on the computer. I do use two forms of antivirus protection that are running all the time: SpywareBlaster and Microsoft's own Windows Defender. I also clean my computer with Ad-Aware, Spybot and AVG very frequently, weekly in any case.

#4 Mike H
Authentic Member, 52 posts

Posted 05 April 2007 - 05:40 PM

Below is, first, my new HijackThis log. Then, next, is my SDFix log. I ran the SDFix program as advised. Running it occurred a little differently than was suggested in the following regards:

First, once the SD program was unzipped, it was difficult to find it in safe mode on my desktop. It automatically opened under C: and the SD folder was there, so I ran the Runthis.bat from C:.

When it was through, the SDFix program did indeed instruct to press any key to restart. But here's the thing: Windows got stuck here. I gave the computer 14 minutes to reboot, but it remained stuck with no signs of activity at the "windows is restarting" screen.

So I restarted in safe mode and ran SDFix RunThis.bat again (to be safe). When it finished, I pressed a key and it did reboot. This time the SDFix screen came up after the reboot to state that it was finishing cleaning.

When it did, it recommended that I then run the Catchme.exe program in the folder to remove more problem files. I ran this, but I notice that while it found hidden programs, it did not state that it had removed them (?).

Afterward, another problem occurred: A blue screen came up with the following message: A PROBLEM HAS BEEN DETECTED AND YOUR COMPUTER SHUTDOWN. SHUTDOWN CAUSED BY BY FILE: NTFS.SYSS DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS.

I rebooted and am now pasting the logs below. I hope this wasn't too much extraneous information. I appreciate your help.

Logfile of HijackThis v1.99.1
Scan saved at 7:20:05 PM, on 4/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6CAAFCFF-0D0D-7E90-DFA0-07121518D152} - C:\WINDOWS\system32\wvtetoi.dll
O2 - BHO: (no name) - {6E9A8865-44A0-1154-A34B-67E3389FFFC9} - C:\WINDOWS\system32\dhthkbei.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: 0 - {A3EC8848-59D5-41B4-CF82-DB69B8462960} - C:\Program Files\Internet Explorer\qucaw.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay11...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136866715612
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1151131197821
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjre32 - winjre32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Log from SDFix:


SDFix: Version 1.76

Run by Mike H - Thu 04/05/2007 - 18:47:49.87

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX




Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\SRK_32.EXE - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\mst28.bat - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\mst2A.bat - Deleted
C:\WINDOWS\Temp\mst22.bat - Deleted
C:\WINDOWS\Temp\stdrun2.exe - Deleted
C:\WINDOWS\Temp\stdrun4.exe - Deleted
C:\WINDOWS\Temp\stdrun5.exe - Deleted
C:\WINDOWS\Temp\stdrun7.exe - Deleted
C:\WINDOWS\system32\zoom.exe.exe - Deleted
C:\WINDOWS\s32.txt - Deleted
C:\WINDOWS\system32\ldinfo.ldr - Deleted
C:\WINDOWS\system32\unsvchosts.exe - Deleted
C:\WINDOWS\Temp\_td11.tmp - Deleted
C:\WINDOWS\Temp\_td12.tmp - Deleted
C:\WINDOWS\Temp\_td4D.tmp - Deleted
C:\WINDOWS\Temp\kaw - Deleted
C:\WINDOWS\Uninst2.htm - Deleted
C:\WINDOWS\Unist1.htm - Deleted
C:\WINDOWS\ws386.ini - Deleted
C:\SDFix\SDFix\backups_old1\mst22.bat - Deleted
C:\SDFix\SDFix\backups_old1\mst28.bat - Deleted
C:\SDFix\SDFix\backups_old1\mst2A.bat - Deleted
C:\SDFix\SDFix\backups_old1\stdrun2.exe - Deleted
C:\SDFix\SDFix\backups_old1\stdrun4.exe - Deleted
C:\SDFix\SDFix\backups_old1\stdrun5.exe - Deleted
C:\SDFix\SDFix\backups_old1\stdrun7.exe - Deleted
C:\WINDOWS\Temp\win*.tmp - Deleted



ADS Check:

C:\WINDOWS\system32
:lzx32.sys 74620
Total size: 74620 bytes.


Removing ADS...

system32: deleted 74620 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------


Rootkit PE386 maybe active, Use a Rootkit scanner!

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Disabled:Microsoft Fax Console"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"
"C:\\Program Files\\HP\\Photosmart Essential\\HP_IZE.exe"="C:\\Program Files\\HP\\Photosmart Essential\\HP_IZE.exe:*:Enabled:HP Photosmart Essential"
"C:\\WINDOWS\\system32\\vexga3me2.exe"="C:\\WINDOWS\\system32\\vexga3me2.exe:*:Enabled:taskmgr32"
"C:\\WINDOWS\\system32\\vexga4m1et4.exe"="C:\\WINDOWS\\system32\\vexga4m1et4.exe:*:Enabled:enable"
"C:\\DOCUME~1\\MIKEH~1\\LOCALS~1\\Temp\\8.tmp.exe"="C:\\DOCUME~1\\MIKEH~1\\LOCALS~1\\Temp\\8.tmp.exe:*:Enabled:qwertybot"
"C:\\WINDOWS\\system32\\qwertybot.exe"="C:\\WINDOWS\\system32\\qwertybot.exe:*:Enabled:qwertybot"
"C:\\WINDOWS\\system32\\smt.exe"="C:\\WINDOWS\\system32\\smt.exe:*:Enabled:enable"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Documents and Settings\Mike H\My Documents\PFT19.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0838e3ca46c974d22be0ec664b800381\BIT4.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished

One more thing: when I went into C: I found a file for "UC More-The Search Accelerator" which I recognize as some form of malware. But it does not yet seem to be installed and does not show up on my add/remove programs screen. Should I simply delete the folder?


Thank you,

Mike H

Edited by Mike H, 05 April 2007 - 05:46 PM.


#5 Mike H
Authentic Member, 52 posts

Posted 06 April 2007 - 01:37 AM

Following the further instructions, above, I am now including the FixWareout log, then a new HijackThis log.

Here is the Fixware:


Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Dell Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"PCTVOICE"="pctspk.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"!AVG Anti-Spyware"="\"C:\\Program Files\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"IpWins"="C:\\Program Files\\Ipwindows\\ipwins.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it

Rustock pe386 is present
»»»»» End report »»»»»


Here is a new Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:34:50 AM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ipwindows\ipwins.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6CAAFCFF-0D0D-7E90-DFA0-07121518D152} - C:\WINDOWS\system32\wvtetoi.dll
O2 - BHO: (no name) - {6E9A8865-44A0-1154-A34B-67E3389FFFC9} - C:\WINDOWS\system32\dhthkbei.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: 0 - {A3EC8848-59D5-41B4-CF82-DB69B8462960} - C:\Program Files\Internet Explorer\qucaw.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay11...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136866715612
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1151131197821
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjre32 - winjre32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
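The "Current runs" section of the Fixwareout report above is a .reg-style export, and its two hex(2) values are REG_EXPAND_SZ strings written out byte by byte (the first one decodes to the same dumprep command that the HijackThis O4 line shows in plain text). As an added example, not part of the thread or of Fixwareout, here is a small Python parser that joins the backslash-continued lines, decodes hex(2) values (both the single-byte form used above and the UTF-16LE form regedit.exe exports) and extracts the program each entry launches; the entry named ConstructedUtf16Entry in the sample is invented.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of the Fixwareout "Current runs" section:
# REG_SZ entries, the hex(2) (REG_EXPAND_SZ) entry continued over a
# backslash-terminated line, and one hex(2) entry written the way regedit.exe
# exports it (UTF-16LE, every second byte zero). Only that last entry is invented.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PCTVOICE"="pctspk.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
  6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
....
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IpWins"="C:\\Program Files\\Ipwindows\\ipwins.exe"
"ConstructedUtf16Entry"=hex(2):61,00,2e,00,65,00,78,00,65,00,00,00
'''

_ENTRY = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_EXE_PREFIX = re.compile(r'^(.*?\.exe)(?:\s|$)', re.IGNORECASE)


def _join_continuations(text: str) -> List[str]:
    """Join regedit-style continuation lines (trailing backslash) into one line."""
    lines: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line and not pending:
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def _unescape(s: str) -> str:
    """.reg quoting: \\\\ stands for a backslash and \\" for a double quote."""
    return re.sub(r'\\(.)', r'\1', s)


def decode_hex_string(payload: str) -> str:
    """Decode a hex(2) byte list (REG_EXPAND_SZ) into text.

    regedit.exe writes these as UTF-16LE, so every second byte is zero; some
    cleanup tools, as in the report above, write single-byte ANSI instead.
    The interleaved zero bytes tell the two apart. Trailing NULs are dropped.
    """
    data = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    if data and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        text = data.decode("utf-16-le")
    else:
        text = data.decode("cp1252", errors="replace")
    return text.rstrip("\x00")


def parse_run_dump(text: str) -> List[Tuple[str, str, str]]:
    """Return (registry key, value name, command) for every entry in the dump."""
    entries: List[Tuple[str, str, str]] = []
    key = ""
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _ENTRY.match(line)
        if not m:
            continue  # dividers ("....") and report prose
        name, rhs = _unescape(m.group(1)), m.group(2)
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            value = _unescape(rhs[1:-1])          # REG_SZ
        elif rhs.lower().startswith("hex(2):"):
            value = decode_hex_string(rhs.split(":", 1)[1])  # REG_EXPAND_SZ
        else:
            value = rhs                             # dword:, hex: etc. left as written
        entries.append((key, name, value))
    return entries


def executable_of(command: str) -> str:
    """Best-effort extraction of the program a Run value launches."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted commands containing spaces are ambiguous (CreateProcess tries
    # each space-delimited prefix); take through the first ".exe" when there is
    # one, otherwise the first token (WLTRAY and dumprep have no extension).
    m = _EXE_PREFIX.match(command)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


if __name__ == "__main__":
    for key, name, value in parse_run_dump(SAMPLE_DUMP):
        hive = key.split("\\")[0]
        print(f"{hive:<18} {name:<30} -> {executable_of(value)}")
```

Entries with a bare file name (no directory) or an unexpanded %variable% are resolved at logon through the PATH and environment, which is why the O4 line and the raw registry value can look different.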

#6 Mike H (Authentic Member, 52 posts)

Posted 06 April 2007 - 02:00 AM

There were no problems reported with the Vundo program and it gave no text.

Below is the text from Combo Fix:

ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Mike H\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\ipwins.exe
C:\Program Files\ipwindows\UnInstall.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\Program Files\Common Files\{3CECE~1\Bar888.dll
C:\Program Files\Common Files\{3CECE~1\UnInstall.exe
C:\WINDOWS\g32.txt
C:\WINDOWS\gs32.txt
C:\WINDOWS\system32\config\system~1\applic~1\install.dat
C:\Program Files\ipwindows
C:\Program Files\web buying
C:\WINDOWS\system32\bund1
C:\WINDOWS\trace
C:\Program Files\Common Files\{3CECE~1
C:\Program Files\Common Files\{4CECE~1
C:\WINDOWS\system32\a3dxq.dll
C:\WINDOWS\system32\lzx32.sys
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Program Files\FNTS~1
C:\qoobox\purity\Program Files\YSTEM3~1
C:\qoobox\purity\WINDOWS\system32\YMANTE~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_MCHINJDRV
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((((((((( Files Created from 2007-03-06 to 2007-04-06 ))))))))))))))))))))))))))))))))))


2007-04-06 02:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Share-to-Web Upload Folder
2007-04-03 18:13 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-03 18:13 <DIR> d-------- C:\Program Files\AVG Anti-Spyware 7.5
2007-04-02 02:53 218,112 --a------ C:\Program Files\HijackThis.exe
2007-04-01 21:43 <DIR> d--hs---- C:\WINDOWS\TWlrZSBI
2007-03-31 10:14 <DIR> d-------- C:\63530fac73fa18291e2d055c
2007-03-31 04:39 1,183,550 --a------ C:\DOCUME~1\NETWOR~1\APPLIC~1\Install.dat
2007-03-31 04:39 1,183,550 --a------ C:\DOCUME~1\LOCALS~1\APPLIC~1\Install.dat
2007-03-31 04:38 87,040 --a------ C:\WINDOWS\system32\amsjyam.dll
2007-03-31 04:38 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-31 04:38 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-03-31 04:38 63,488 --a------ C:\WINDOWS\system32\wvtetoi.dll
2007-03-31 04:38 <DIR> d-------- C:\WINDOWS\system32\micro1
2007-03-31 04:38 <DIR> d-------- C:\UCmore - The Search Accelerator
2007-03-26 02:04 <DIR> d-------- C:\Program Files\Sony Corporation
2007-03-26 02:04 <DIR> d-------- C:\Program Files\PIXELA
2007-03-26 02:03 6,097 --a------ C:\WINDOWS\system32\drivers\sonyhcb.sys
2007-03-26 02:03 53,248 --a------ C:\WINDOWS\system32\SONYHCY.DLL
2007-03-26 02:03 38,739 --a------ C:\WINDOWS\system32\drivers\sonyhcc.sys
2007-03-26 02:03 3,654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2007-03-26 02:03 299,923 --a------ C:\WINDOWS\system32\drivers\sonyhcs.sys
2007-03-26 02:03 <DIR> d-------- C:\Drivers


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.

2007-04-05 20:31 2400 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-02 04:28 -------- d-------- C:\Program Files\spywareblaster
2007-04-02 04:28 -------- d-------- C:\Program Files\spywareblaster
2007-03-26 02:04 -------- d--h----- C:\Program Files\installshield installation information
2007-03-26 02:04 -------- d--h----- C:\Program Files\installshield installation information
2007-03-19 01:50 -------- d-------- C:\Program Files\java
2007-03-19 01:50 -------- d-------- C:\Program Files\java
2007-02-09 07:21 -------- d-------- C:\Program Files\divx
2007-02-09 07:21 -------- d-------- C:\Program Files\divx
2007-02-01 00:56 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-01 00:56 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-01 00:56 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-01 00:56 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-01-31 17:27 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-01-30 19:15 118784 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-01-30 01:03 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-30 01:03 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-30 01:03 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-01-30 01:03 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-01-30 01:03 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-30 01:03 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-30 00:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-30 00:56 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-01-30 00:56 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-30 00:56 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-01-30 00:56 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-30 00:56 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-30 00:56 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-01-30 00:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"IpWins"="C:\\Program Files\\Ipwindows\\ipwins.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Dell Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"PCTVOICE"="pctspk.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjre32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-06 3:55:33
C:\ComboFix-quarantined-files.txt ... 07-04-06 03:55

#7 Mike H (Authentic Member, 52 posts)

Posted 06 April 2007 - 02:58 PM

I believe I have given all the information that was requested (above). Problems continue - pages open up to commercial sites; my email seems compromised in two ways: (1) I cannot read the text and (2) I cannot click on the 'send' button; the system restore function does not work, and when I open the calendar for a restore point, it is BLANK; system access is denied to me and I receive the message "you may not have sufficient rights to enter" - even when I am in administrator mode!

#8 bob4 (MalwareTeam Emeritus, 2,205 posts)

Posted 06 April 2007 - 04:52 PM

Sorry it took so long to get back to you. My internet service went down for 2 days. :rant2:


I am going to mention this one more time for your sake.

I do use two forms of antivirus protection that is running all the time:

Those are not anti virus programs. I suggest you follow my instructions for getting one in place as described in my first reply to you.
YOU ARE NOT PROTECTED NEAR WELL ENOUGH WITH JUST THOSE 2 PROGRAMS.


Problems continue -


I also want to stress once again just how badly your computer is/was infected.
As I said we will do our best to clean it. But you had some really nasty stuff on there !!!
There may be some things present we may never find! I just want to make that part clear.


NOTE: I will only need 1 HJT log. Run for that log after you have done all the other things I ask here.

_________________________________
We need to disable windows defender.
A good program but may interfere with our fixes.
Open Windows Defender
Click Tools
Click General Settings
Scroll down to Real Time Protection Options
Uncheck Turn on Real Time Protection (recommended)
After you uncheck this, click on the Save button
Close Windows Defender


______________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

O2 - BHO: (no name) - {6CAAFCFF-0D0D-7E90-DFA0-07121518D152} - C:\WINDOWS\system32\wvtetoi.dll
O2 - BHO: (no name) - {6E9A8865-44A0-1154-A34B-67E3389FFFC9} - C:\WINDOWS\system32\dhthkbei.dll (file missing)
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: winjre32 - winjre32.dll (file missing)



____________________________
Please download the Killbox by Option^Explicit
Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\LocalService\APPLICATION DATA\Install.dat
C:\WINDOWS\system32\amsjyam.dll
C:\WINDOWS\system32\wvtetoi.dll
C:\WINDOWS\system32\a3dxq.dll
C:\WINDOWS\system32\dhthkbei.dll
C:\WINDOWS\SYSTEM32\winjre32.dll


Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button.

Click Yes at the Delete on Reboot prompt.

Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.


If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

_____________________________
Search for and remove
Now I want you to search for and delete the following folder and all its contents if present. If you need help finding them:
Click Start / Search / All files and folders / look for More advanced options. Once in there, select the first 3 boxes.
Please just remove the files/folders I listed in BOLD

C:\WINDOWS\system32\micro1


_________________________________
Open HJT
this time click on
Misc tools section
then:
Open uninstall Manager
click on save list.
Post that for me.


_____________________________

Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste this filepath:

C:\Program Files\Internet Explorer\qucaw.dll

Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.
If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustota...l/index_en.html



_________________________________
Please do an online scan with Kaspersky Online Scanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (If available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK

Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.



________________________________________
Download and Save Blacklight to your desktop:

  • Doubleclick on blbeta.exe.
  • Click on Scan.
  • Once the Scan is Finished, click on Next.
  • Click on Exit.
    A new document will be produced on the desktop.
    Open this document with Notepad.
  • Copy and Paste its contents in your next reply.
_______________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Kasperskys
  • The uninstall list from HijackThis
  • The report from Blacklight

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#9 Mike H (Authentic Member, 52 posts)

Posted 06 April 2007 - 08:12 PM

Hi, Thanks again for everything. Here is the list from HijackThis Uninstall Manager, as you asked. I have done as you asked to that point and will continue to finish the instructions.

Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.7
Adobe® Photoshop® Album Starter Edition 3.0
ALPS Touch Pad Driver
Arasan 8.4
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Anti-Spyware 7.5
Broadcom Gigabit Integrated Controller
C-Major Audio
Dell ResourceCD
Dell Wireless WLAN Card
DivX Codec
DivX Content Uploader
DivX Player
DivX Web Player
Dr Watson for Microsoft Windows OneCare Live v1.0.0971.38
EarthLink LiteScanner
HijackThis 1.99.1
Hotfix for Windows XP (KB915865)
HP Memories Disc
HP Photo and Imaging 2.0 - Scanners
HP Photosmart Essential
HP Software Update
Image Transfer
Internal Network Card Power Management
J2SE Runtime Environment 5.0 Update 11
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
O2Micro Smartcard Driver
PCTEL 2304WT V.92 MDC Modem Drivers
PIXELA ImageMixer
QuickSet
RealPlayer
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB914882)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WordPerfect Office 2002
WordPerfect Office 2002
Yahoo! Mail Quick Select Tool (PhotoMail)
Yahoo! Messenger

#10 Mike H (Authentic Member, 52 posts)

Posted 06 April 2007 - 08:41 PM

A PROBLEM HAS ARISEN: I intended to submit the file to Virusscan.jotti that you asked me to. But I cannot. This message is given: "Warning: you seem to have javascript disabled. This is necessary for the display of results." It seems that I cannot click on the button to 'submit' the file. This is true for the other site, Virustotal, too. But I think I have the newest version of javascript (11).

Edited by Mike H, 06 April 2007 - 08:43 PM.


#11 bob4 (MalwareTeam Emeritus, 2,205 posts)

Posted 06 April 2007 - 08:46 PM

Have never seen that error.
But lets update it.

You need to update SunJava for security reasons.
Updating Java:
Download the latest version of
Java Runtime Environment (JRE) 6u1
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1... allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the Java icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

Now go ahead and try the uploads to Jotti/ and or virus total.

#12 Mike H (Authentic Member, 52 posts)

Posted 06 April 2007 - 09:50 PM

Hi Bob, No can do. This button to download the Java environment is disabled. I don't know why or how. It seems similar to the problem I'm having with email - can't click on the 'send' button.

Edited by Mike H, 06 April 2007 - 09:51 PM.


#13 bob4 (MalwareTeam Emeritus, 2,205 posts)

Posted 06 April 2007 - 11:16 PM

OK, pass on the upload to Jotti's for now. Chances are slim that file is any good anyway. :thumbdown: Just do the rest and post what else I have asked for. BTW gonna be kinda tough fixing all that seems wrong here.

Edited by bob4, 06 April 2007 - 11:17 PM.


#14 Mike H (Authentic Member, 52 posts)

Posted 07 April 2007 - 01:54 AM

Hi Bob, Now I want to thank you for your help. My first preference would be to clean this up. But right now I can't read email and I have continuing problems with popup commercial explorer webpages. As you've said, I am concerned about compromised security. About this file that you wanted me to check - and that I can't: If we go forward with fixing it, will I be able to get back my email functions and the loss of javascript functionality? Since you want me to skip over this stuff, it seems that might be a long-term problem. And about this program qucaw.dll (it's in the add-ons, too) that we can't check - should I just remove it? I might be willing to reformat my hard drive - but, honestly, I don't know how. I figure I can copy the text files - that's what's most important to me - and some pics. I would make a list of the programs, so that I could remember to re-load from disc/download them. But I simply don't know how to erase my hard disk and start over properly and really cleanly. Until this happened, I was very happy with the configuration, and I am sure that won't be exactly the same when I'm finished. I thought I'd been taking good care of this computer. I also worry that some of the files I may save - text and pic, etc. - could have the very malware or viruses I am trying to get rid of. Isn't this possible? How do I ensure, given how tricky these particular viruses/malware seem to be. And now I just tried to do as you said I should, skipping over the virusscan.jotti check and the Java Runtime Environment update. I went to Kaspersky and tried the online scanner. I clicked on the button, which showed that it was being depressed, but nothing happened. It seems I can't do that either.

Edited by Mike H, 07 April 2007 - 02:02 AM.


#15 bob4 (MalwareTeam Emeritus, 2,205 posts)

Posted 07 April 2007 - 05:36 AM

As things seem to be getting worse I do suggest you back up everything that's important to you at this point just in case.

About this file that you wanted me to check -and that I can't: If we go forward with fixing it, will I be able to get back my email functions and the loss of javascript functionality?


As long as we delete the bad file with KillBox, we can get that file back in place if we think we need it.

Can we get everything back the way it was? Possibly! But it's going to be a lot of work...

And about this program qucaw.dll (it's in the add-ons, too) that we can't check -should I just remove it?



I need to know the exact location of it so when we remove it we can back it up.


I might be willing to reformat my harddrive -but, honestly, I don't know how. I figure I can copy the text files -that's what's most important to me- and some pics. I would make a list of the programs, so that I could remember to re-load from disc/download them.


Reformatting/erasing your hard disk is a simple procedure, although you might be a bit nervous the first time you do it.
Do you have a Windows XP CD?

These next two options will restore your computer to the day you first turned it on, and possibly include an anti-virus program that came with it.
OR
Do you have a restoration CD that came with your computer?
OR
When you click My Computer, do you see more than one local disk (not just "Local Disk C:")?
The reason I ask this last question is that many popular computer manufacturers are now placing their restoration files on a partition of your hard disk.



I thought I'd been taking good care of this computer.


To be honest, I can't believe you made it this far without any problems before.



I also worry that some of the files I may save -text and pic, etc., could have the very malware or viruses I am trying to get rid of. Isn't this possible? How do I ensure, given how tricky these particular viruses/malware seem to be.



First, we don't place anything back on the computer before you have an active anti-virus program running.
Do not back up any .exe or .scr files. Backing up pictures and .txt files should be safe.

__________________________

Let me know what you decide to do, and we will go from there.

Here's a link to read about how to format.
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.
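The backup rule in the post above (copy documents and pictures, never .exe or .scr files) can be applied mechanically rather than by hand. The script below is an added example written for this page, not code from the thread or from any of the tools mentioned in it. It assumes the user's data sits under one folder (here a constructed temporary tree standing in for "My Documents") and that a destination folder on clean media is available. It also adds a check the post does not mention: a file whose first two bytes are "MZ" is a Windows PE executable whatever its extension says, so a dropper renamed to "holiday.jpg" is skipped too. The extension lists are illustrative assumptions, not a complete catalogue of dangerous file types.

```python
"""Select user files for a pre-reformat backup, skipping anything executable.

Added example, not from the original thread. Extension lists and the sample
tree are constructed assumptions for illustration.
"""
import os
import shutil
import tempfile

# Extensions that are executable or carry executable content on Windows.
# Assumption: illustrative, not exhaustive.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                      ".dll", ".vbs", ".js", ".hta"}

# Extensions we are willing to back up (documents and pictures).
ALLOWED_EXTENSIONS = {".txt", ".doc", ".rtf", ".jpg", ".jpeg", ".gif",
                      ".png", ".bmp"}

PE_MAGIC = b"MZ"  # every Windows PE executable starts with this DOS-header signature


def looks_like_pe(path):
    """Return True if the file starts with the 'MZ' signature of a PE executable."""
    with open(path, "rb") as fh:
        return fh.read(2) == PE_MAGIC


def classify(path):
    """Return 'copy', 'skip-extension', 'skip-magic' or 'skip-unknown' for one file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "skip-extension"
    if ext not in ALLOWED_EXTENSIONS:
        return "skip-unknown"          # allow-list: unknown types are not copied
    if looks_like_pe(path):
        return "skip-magic"            # executable hiding behind a harmless extension
    return "copy"


def backup_tree(src_root, dst_root):
    """Copy allowed files from src_root to dst_root, preserving relative paths.

    Returns a dict mapping each relative path (forward slashes) to its verdict,
    so the user can review exactly what was skipped and why.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(src_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, src_root).replace(os.sep, "/")
            verdict = classify(full)
            report[rel] = verdict
            if verdict == "copy":
                target = os.path.join(dst_root, *rel.split("/"))
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(full, target)
    return report


def build_sample_tree():
    """Create a constructed sample 'My Documents' tree and return its path."""
    root = tempfile.mkdtemp(prefix="mydocs_")
    os.makedirs(os.path.join(root, "pics"))
    samples = {
        "notes.txt": b"shopping list\n",
        "pics/cat.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine JPEG header
        "setup.exe": PE_MAGIC + b"\x90" * 62,    # executable, blocked by extension
        "holiday.jpg": PE_MAGIC + b"\x90" * 62,  # executable renamed to .jpg, blocked by magic
        "helper.dll": PE_MAGIC + b"\x00" * 30,   # library, blocked by extension
        "archive.zip": b"PK\x03\x04",            # not on the allow-list, skipped
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(content)
    return root


def run_demo():
    """Back up the constructed tree into a fresh folder; return (report, copied)."""
    src = build_sample_tree()
    dst = tempfile.mkdtemp(prefix="backup_")
    report = backup_tree(src, dst)
    copied = sorted(os.path.relpath(os.path.join(d, f), dst).replace(os.sep, "/")
                    for d, _, fs in os.walk(dst) for f in fs)
    return report, copied


if __name__ == "__main__":
    demo_report, demo_copied = run_demo()
    for rel, verdict in sorted(demo_report.items()):
        print(f"{verdict:15s} {rel}")
    print("copied:", demo_copied)
```

The allow-list is deliberately strict: anything not recognised as a document or picture is left behind and listed in the report, so the user decides case by case rather than the script silently carrying an unknown file type onto the rebuilt machine. Even with the magic-byte check, the copied files should still be scanned with an up-to-date anti-virus program before being restored, as the post says.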
