Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91980 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

HJT Log Browser redirects


  • This topic is locked This topic is locked
25 replies to this topic

#1 kelbel

kelbel

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 16 March 2007 - 08:48 AM

Hi, MY IE is starting up extremely slow and any secondary window opened up subsequently starts up just as slow,and then redirect sites start to open up every couple of minutes. I'm posting this log from my lap top because it is too frustrating to do so from my desktop. The desktop is also running SP1 and I know it needs to be updated but I should fix this problem first, no? Anyway,here is the log. Thanks. Logfile of HijackThis v1.99.1 Scan saved at 6:20:38 PM, on 3/15/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: F:\WINDOWS\System32\smss.exe F:\WINDOWS\system32\winlogon.exe F:\WINDOWS\system32\services.exe F:\WINDOWS\system32\lsass.exe F:\WINDOWS\system32\svchost.exe F:\WINDOWS\System32\svchost.exe F:\WINDOWS\Explorer.EXE F:\WINDOWS\system32\spoolsv.exe F:\WINDOWS\System32\NILaunch.exe F:\WINDOWS\System32\svchost.exe F:\QUICKENW\QWDLLS.EXE F:\WINDOWS\System32\wuauclt.exe F:\Program Files\Internet Explorer\IEXPLORE.EXE I:\Program Files\hijackthis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - F:\WINDOWS\System32\tmp5.tmp.dll (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe O4 - HKLM\..\Run: [mmtask] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Lexmark_X79-55] F:\WINDOWS\System32\lsasss.exe O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "F:\WINDOWS\tutrss.dll",setvm O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: *.musicmatch.com O15 - Trusted Zone: *.musicmatch.com (HKLM) O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201 O20 - Winlogon Notify: pxinnit - F:\WINDOWS\SYSTEM32\pxinnit.dll O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    Advertisements

Register to Remove


#2 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 17 March 2007 - 05:30 AM

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#3 kelbel

kelbel

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 17 March 2007 - 10:56 AM

Thanks for the help here are the Vundo txt and hijackthis logs: VundoFix V6.3.16 Checking Java version... Java version is 1.4.2.5 Old versions of java are exploitable and should be removed. Java version is 1.4.2.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.4 Old versions of java are exploitable and should be removed. Scan started at 11:02:35 AM 3/17/2007 Listing files found while scanning.... F:\WINDOWS\System32\tmp8.tmp.dll Beginning removal... Attempting to delete F:\WINDOWS\System32\tmp8.tmp.dll F:\WINDOWS\System32\tmp8.tmp.dll Could not be deleted. Performing Repairs to the registry. Done! Beginning removal... Attempting to delete F:\WINDOWS\System32\tmp8.tmp.dll F:\WINDOWS\System32\tmp8.tmp.dll Has been deleted! Performing Repairs to the registry. Done! VundoFix V6.3.16 Checking Java version... Java version is 1.4.2.5 Old versions of java are exploitable and should be removed. Java version is 1.4.2.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.4 Old versions of java are exploitable and should be removed. Scan started at 11:39:57 AM 3/17/2007 Listing files found while scanning.... No infected files were found. Logfile of HijackThis v1.99.1 Scan saved at 11:38:44 AM, on 3/17/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: F:\WINDOWS\System32\smss.exe F:\WINDOWS\system32\winlogon.exe F:\WINDOWS\system32\services.exe F:\WINDOWS\system32\lsass.exe F:\WINDOWS\system32\svchost.exe F:\WINDOWS\System32\svchost.exe F:\WINDOWS\system32\spoolsv.exe F:\WINDOWS\Explorer.EXE F:\WINDOWS\System32\svchost.exe F:\WINDOWS\System32\NILaunch.exe F:\QUICKENW\QWDLLS.EXE F:\WINDOWS\System32\wuauclt.exe I:\Program Files\hijackthis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe O4 - HKLM\..\Run: [mmtask] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Lexmark_X79-55] F:\WINDOWS\System32\lsasss.exe O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "F:\WINDOWS\geeedd.dll",setvm O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: *.musicmatch.com O15 - Trusted Zone: *.musicmatch.com (HKLM) O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201 O20 - AppInit_DLLs: O20 - Winlogon Notify: pxinnit - F:\WINDOWS\SYSTEM32\pxinnit.dll O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

#4 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 17 March 2007 - 11:19 AM

You have no antivirus installed, please install one of the following free products:

AVG
Avast

Please download FindAWF here:
http://noahdfear.gee...com/FindAWF.exe
Save to desktop and run
The output is awf.txt, save the text file to your desktop.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with the contents of awf.txt and a new HijackThis log


#5 kelbel

kelbel

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 17 March 2007 - 01:47 PM

Ok here are the requested logs. Also I could only get sdfix to run in safe mode under my admin account. SDFix: Version 1.73 Run by Administrator - Sat 03/17/2007 - 14:29:45.59 Microsoft Windows XP [Version 5.1.2600] Running From: F:\SDFix Safe Mode: Checking Services: Restoring Windows Registry Entries Restoring Default Hosts File Rebooting... Normal Mode: Checking Files: Below files will be copied to Backups folder then removed: F:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll - Deleted F:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.dll - Deleted F:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.dll - Deleted F:\WINDOWS\Temp\$_2341233.TMP - Deleted F:\WINDOWS\Temp\$_2341235.TMP - Deleted ADS Check: F:\WINDOWS\system32 No streams found. Final Check: Remaining Services: ------------------ Remaining Files: --------------- Backups Folder: - F:\SDFix\backups\backups.zip Checking For Files with Hidden Attributes : F:\Documents and Settings\Kelly\NetHood\states on altfuels.centerpointenergy.com\Desktop.ini F:\Documents and Settings\Kelly\NetHood\members.aol.com\Desktop.ini F:\WINDOWS\Temp\$_3472452.EXE F:\Documents and Settings\Kelly\Local Settings\Temp\$b17a2e8.tmp F:\Documents and Settings\Kelly\My Documents\~WRL2225.tmp F:\Documents and Settings\Kelly\My Documents\~WRL3845.tmp F:\Program Files\InterActual\InterActual Player\iti31.tmp Finished Find AWF report by noahdfear 2006 bak folders found ~~~~~~~~~~~ Directory of F:\WINDOWS\SYSTEM32\BAK 03/07/2007 08:07 AM 37,807 lsasss.exe 02/05/1998 03:16 PM 24,576 NILaunch.exe 2 File(s) 62,383 bytes Directory of F:\PROGRA~1\QUICKT~1\BAK 09/18/2004 07:50 AM 98,304 qttask.exe 1 File(s) 98,304 bytes Directory of F:\PROGRA~1\MSNMES~1\BAK 0 File(s) 0 bytes Directory of F:\PROGRA~1\MUSICM~1\MUSICM~1\BAK 10/08/2004 08:49 AM 131,072 mm_tray.exe 10/08/2004 08:49 AM 53,248 mmtask.exe 2 File(s) 184,320 bytes Directory of F:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK 01/02/2005 11:11 AM 180,269 realsched.exe 1 File(s) 180,269 bytes Directory of F:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK 01/24/2007 07:15 PM 171,448 GoogleToolbarNotifier.exe 1 File(s) 171,448 bytes Directory of F:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK 06/03/2005 03:52 AM 36,975 jusched.exe 1 File(s) 36,975 bytes Duplicate files of bak directory contents ~~~~~~~~~~~~~~~~~~~~~~~ 37215 Mar 15 2007 "F:\WINDOWS\system32\NILaunch.exe" 24576 Feb 5 1998 "F:\WINDOWS\system32\bak\NILaunch.exe" 37215 Mar 15 2007 "F:\WINDOWS\system32\lsasss.exe" 37807 Mar 7 2007 "F:\WINDOWS\system32\bak\lsasss.exe" 37215 Mar 15 2007 "F:\Program Files\QuickTime\qttask.exe" 98304 Sep 18 2004 "F:\Program Files\QuickTime\bak\qttask.exe" 37215 Mar 15 2007 "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" 131072 Oct 8 2004 "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe" 135168 Aug 28 2005 "F:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe" 37215 Mar 15 2007 "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" 53248 Oct 8 2004 "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe" 53248 Aug 28 2005 "F:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe" 37215 Mar 15 2007 "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" 180269 Jan 2 2005 "F:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" 52272 Jan 24 2007 "F:\Program Files\Google\googletoolbar3user.exe" 37215 Mar 15 2007 "F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" 138168 Jan 24 2007 "F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" 171448 Jan 24 2007 "F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe" 37215 Mar 15 2007 "F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" 36975 Jun 3 2005 "F:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe" end of report Logfile of HijackThis v1.99.1 Scan saved at 2:44:37 PM, on 3/17/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: F:\WINDOWS\System32\smss.exe F:\WINDOWS\system32\winlogon.exe F:\WINDOWS\system32\services.exe F:\WINDOWS\system32\lsass.exe F:\WINDOWS\system32\svchost.exe F:\WINDOWS\System32\svchost.exe F:\WINDOWS\system32\spoolsv.exe F:\WINDOWS\Explorer.EXE F:\WINDOWS\System32\svchost.exe F:\WINDOWS\System32\wuauclt.exe F:\WINDOWS\system32\notepad.exe F:\WINDOWS\System32\wuauclt.exe F:\WINDOWS\System32\NILaunch.exe F:\QUICKENW\QWDLLS.EXE F:\Program Files\Internet Explorer\IEXPLORE.EXE F:\WINDOWS\system32\NOTEPAD.EXE I:\Program Files\hijackthis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe O4 - HKLM\..\Run: [mmtask] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Lexmark_X79-55] F:\WINDOWS\System32\lsasss.exe O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "F:\WINDOWS\geeedd.dll",setvm O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: *.musicmatch.com O15 - Trusted Zone: *.musicmatch.com (HKLM) O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201 O20 - AppInit_DLLs: O20 - Winlogon Notify: pxinnit - F:\WINDOWS\SYSTEM32\pxinnit.dll O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

#6 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 17 March 2007 - 02:33 PM

Our experts would like some samples of the files you are infected with

Please download the Suspicious File Packer from here:
http://www.safer-net...g/files/sfp.zip

Unzip it to the desktop and run it.

Paste the following list of bad files into the Suspicious File Packer window:

F:\WINDOWS\system32\bak\lsasss.exe


Allow SFP to pack the files. This will generate a CAB archive on your desktop.

Please click here

You will be taken to a new post page (at a different forum)
In the subject box put Suspicious files for analysis

Please put your name and email in the relevant boxes. In the message portion, please paste this:
Infected Files for analysis
Suspect: SDbot
logfile: http://forums.tomcoyote.org/index.php?showtopic=77595

Then, by the attach bar at the bottom, hit 'browse' Find this file, and hit ok:
C:\Documents and Settings\User\Desktop\requested-files[date].cab

Then click submit to upload that file. That way our experts can analyse the file

Please post a link to the topic at the other forum as a response to this topic


Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.

attrib -s -h -r F:\WINDOWS\system32\NILaunch.exe
attrib -s -h -r F:\WINDOWS\system32\lsasss.exe
attrib -s -h -r F:\Program Files\QuickTime\qttask.exe
attrib -s -h -r F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
attrib -s -h -r F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
attrib -s -h -r F:\Program Files\Common Files\Real\Update_OB\realsched.exe
attrib -s -h -r F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
attrib -s -h -r F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
attrib -s -h -r F:\WINDOWS\system32\bak\lsasss.exe
del /q F:\WINDOWS\system32\NILaunch.exe
del /q F:\WINDOWS\system32\lsasss.exe
del /q F:\WINDOWS\system32\bak\lsasss.exe
del /q F:\Program Files\QuickTime\qttask.exe
del /q F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
del /q F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
del /q F:\Program Files\Common Files\Real\Update_OB\realsched.exe
del /q F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
del /q F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
copy F:\WINDOWS\system32\bak\NILaunch.exe F:\WINDOWS\system32\NILaunch.exe
copy F:\Program Files\QuickTime\bak\qttask.exe F:\Program Files\QuickTime\qttask.exe
copy F:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
copy F:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
copy F:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe F:\Program Files\Common Files\Real\Update_OB\realsched.exe
copy F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
copy F:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe


Save it to your Desktop as cleanup.bat. Save it as:
File Type: All Files (not as a text document or it wont work).
Name: cleanup.bat

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Locate cleanup.bat on your Desktop and double-click it. A DOS window will open briefly and then close, this is normal

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll
O4 - HKLM\..\Run: [Lexmark_X79-55] F:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "F:\WINDOWS\geeedd.dll",setvm
O20 - AppInit_DLLs:
O20 - Winlogon Notify: pxinnit - F:\WINDOWS\SYSTEM32\pxinnit.dll

Then close all windows except HijackThis and click Fix Checked

Use windows explorer to find and delete these files:

F:\WINDOWS\System32\lsasss.exe
F:\WINDOWS\geeedd.dll[/b]
F:\WINDOWS\SYSTEM32\pxinnit.dll

Restart in normal mode and post a new HijackThis log

#7 kelbel

kelbel

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 17 March 2007 - 03:50 PM

http://www.thespykil...hp?topic=3806.0

#8 kelbel

kelbel

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 17 March 2007 - 04:44 PM

Logfile of HijackThis v1.99.1 Scan saved at 5:33:16 PM, on 3/17/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: F:\WINDOWS\System32\smss.exe F:\WINDOWS\system32\winlogon.exe F:\WINDOWS\system32\services.exe F:\WINDOWS\system32\lsass.exe F:\WINDOWS\system32\svchost.exe F:\WINDOWS\System32\svchost.exe F:\WINDOWS\Explorer.EXE F:\WINDOWS\system32\spoolsv.exe F:\WINDOWS\System32\svchost.exe F:\WINDOWS\System32\NILaunch.exe F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe F:\QUICKENW\QWDLLS.EXE F:\WINDOWS\System32\wuauclt.exe F:\WINDOWS\System32\wuauclt.exe I:\Program Files\hijackthis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe O4 - HKLM\..\Run: [mmtask] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: *.musicmatch.com O15 - Trusted Zone: *.musicmatch.com (HKLM) O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201 O20 - Winlogon Notify: pxinnit - F:\WINDOWS\SYSTEM32\pxinnit.dll O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

#9 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 17 March 2007 - 05:05 PM

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the entry below into the top box
    • F:\WINDOWS\SYSTEM32\pxinnit.dll
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Post back with the vundofix log and a new HijackThis log

#10 kelbel

kelbel

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 17 March 2007 - 05:50 PM

Logfile of HijackThis v1.99.1 Scan saved at 6:45:12 PM, on 3/17/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: F:\WINDOWS\System32\smss.exe F:\WINDOWS\system32\winlogon.exe F:\WINDOWS\system32\services.exe F:\WINDOWS\system32\lsass.exe F:\WINDOWS\system32\svchost.exe F:\WINDOWS\System32\svchost.exe F:\WINDOWS\Explorer.EXE F:\WINDOWS\system32\spoolsv.exe I:\Program Files\AVG Anti-Spyware 7.5\guard.exe F:\WINDOWS\System32\svchost.exe F:\WINDOWS\System32\NILaunch.exe F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe I:\Program Files\AVG Anti-Spyware 7.5\avgas.exe F:\QUICKENW\QWDLLS.EXE F:\WINDOWS\System32\wuauclt.exe F:\WINDOWS\System32\wuauclt.exe F:\Program Files\Internet Explorer\IEXPLORE.EXE I:\Program Files\hijackthis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll (file missing) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe O4 - HKLM\..\Run: [mmtask] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [!AVG Anti-Spyware] "I:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: *.musicmatch.com O15 - Trusted Zone: *.musicmatch.com (HKLM) O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201 O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - I:\Program Files\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe VundoFix V6.3.16 Checking Java version... Java version is 1.4.2.5 Old versions of java are exploitable and should be removed. Java version is 1.4.2.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.4 Old versions of java are exploitable and should be removed. Scan started at 11:02:35 AM 3/17/2007 Listing files found while scanning.... F:\WINDOWS\System32\tmp8.tmp.dll Beginning removal... Attempting to delete F:\WINDOWS\System32\tmp8.tmp.dll F:\WINDOWS\System32\tmp8.tmp.dll Could not be deleted. Performing Repairs to the registry. Done! Beginning removal... Attempting to delete F:\WINDOWS\System32\tmp8.tmp.dll F:\WINDOWS\System32\tmp8.tmp.dll Has been deleted! Performing Repairs to the registry. Done! VundoFix V6.3.16 Checking Java version... Java version is 1.4.2.5 Old versions of java are exploitable and should be removed. Java version is 1.4.2.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.4 Old versions of java are exploitable and should be removed. Scan started at 11:39:57 AM 3/17/2007 Listing files found while scanning.... No infected files were found. VundoFix V6.3.16 Checking Java version... Java version is 1.4.2.5 Old versions of java are exploitable and should be removed. Java version is 1.4.2.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.4 Old versions of java are exploitable and should be removed. Scan started at 6:29:05 PM 3/17/2007 Listing files found while scanning.... No infected files were found. Beginning removal... Attempting to delete F:\WINDOWS\SYSTEM32\pxinnit.dll F:\WINDOWS\SYSTEM32\pxinnit.dll Has been deleted! Performing Repairs to the registry. Done!

    Advertisements

Register to Remove


#11 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 18 March 2007 - 05:56 AM

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 .
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll (file missing)

Then close all windows except HijackThis and click Fix Checked

Go here to run an online scannner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. Press on "Accept". After reading the contents.
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log as "KAV.txt" to the desktop.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post back with the Kaspersky log, a new HijackThis log and let me know how its running now

#12 kelbel

kelbel

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 18 March 2007 - 12:20 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 18, 2007 1:10:26 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 18/03/2007
Kaspersky Anti-Virus database records: 282839
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 29243
Number of viruses found: 6
Number of infected objects: 10 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:24:25

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1149\A0131795.exe Infected: Trojan-Downloader.Win32.Small.cxx skipped
C:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
D:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
E:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
F:\WINDOWS\system32\config\system.LOG Object is locked skipped
F:\WINDOWS\system32\config\software.LOG Object is locked skipped
F:\WINDOWS\system32\config\default.LOG Object is locked skipped
F:\WINDOWS\system32\config\SECURITY Object is locked skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SYSTEM Object is locked skipped
F:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
F:\WINDOWS\system32\config\DEFAULT Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
F:\WINDOWS\system32\moaupd.exe/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.h skipped
F:\WINDOWS\system32\moaupd.exe/WISE0014.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.b skipped
F:\WINDOWS\system32\moaupd.exe WiseSFX: infected - 2 skipped
F:\WINDOWS\system32\h323log.txt Object is locked skipped
F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
F:\WINDOWS\Debug\oakley.log Object is locked skipped
F:\WINDOWS\Sti_Trace.log Object is locked skipped
F:\WINDOWS\wiaservc.log Object is locked skipped
F:\WINDOWS\wiadebug.log Object is locked skipped
F:\WINDOWS\SchedLgU.Txt Object is locked skipped
F:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
F:\WINDOWS\SoftwareDistribution\EventCache\{855C3863-E10B-4A59-8CE2-276342743C7A}.bin Object is locked skipped
F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\Kelly\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\Kelly\Local Settings\Temp\tmp2.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bjk skipped
F:\Documents and Settings\Kelly\Local Settings\Temp\tmp6.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bjk skipped
F:\Documents and Settings\Kelly\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Kelly\Local Settings\History\History.IE5\MSHist012007031820070319\index.dat Object is locked skipped
F:\Documents and Settings\Kelly\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Kelly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\Kelly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\Kelly\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\Kelly\ntuser.dat.LOG Object is locked skipped
F:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1149\A0129739.dll Infected: Trojan-PSW.Win32.Sinowal.af skipped
F:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1149\A0129745.dll Infected: Trojan-PSW.Win32.Sinowal.af skipped
F:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
I:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
J:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
J:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\A0131931.exe/data0001 Infected: Trojan-Downloader.Win32.Agent.oz skipped
J:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\A0131931.exe NSIS: infected - 1 skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 1:16:22 PM, on 3/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
I:\Program Files\AVG Anti-Spyware 7.5\guard.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\NILaunch.exe
F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
F:\QUICKENW\QWDLLS.EXE
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Microsoft Office\Office10\EXCEL.EXE
F:\Program Files\Microsoft Office\Office10\WINWORD.EXE
F:\WINDOWS\system32\NOTEPAD.EXE
I:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "I:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - I:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

#13 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 18 March 2007 - 01:22 PM

Use windows explorer to find and delete this file:

F:\WINDOWS\system32\moaupd.exe

Download ATF Cleaner by Attribune
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Main at the top and choose Select All from the list.
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Acrobat reader is outdated, uninstall the one you have installed and install the latest one from here:

http://www.adobe.com.../readstep2.html

Post back with a new HijackThis log and let me know how its running now

#14 kelbel

kelbel

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 18 March 2007 - 03:42 PM

Hi,

No more re-directs but IE still initializes real slow and hyperlinks to secondary windows are slow as well. Once things initialize they run at normal speed it's just getting there that is taking time.

Logfile of HijackThis v1.99.1
Scan saved at 4:36:22 PM, on 3/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
I:\Program Files\AVG Anti-Spyware 7.5\guard.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\NILaunch.exe
F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
I:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\Java\jre1.6.0\bin\jusched.exe
F:\QUICKENW\QWDLLS.EXE
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\WINDOWS\System32\msiexec.exe
I:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "I:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = F:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - I:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

#15 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 18 March 2007 - 03:53 PM

  • Download GMER by GMER from here
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic
  • Download WinPFind by OldTimer here
  • Double click on winpfind.exe to extract it
  • Click extract
  • Wait for the message "All files have been extracted" and then click OK
  • This will create the folder winPFind on your desktop
  • Inside that folder is a file called WinPFind.exe
  • Double click on that file to launch WinPFind
  • This will launch a configuration screen
    • Under Driver Services change the selection to Non-Microsoft
    • Under File Created Within change the selection to 60 days
    • Leave the other settings as they are
  • Click Run Scan
  • During the scan WinPFind may appear to be not responding, this is normal
  • Wait for the scan to finish, this may take several minutes
  • A notepad window will open with WinPFind's log.
  • Copy and paste the contents of that window here.
  • Note: You may need several posts to post the entire log, or it might get cut off
Post back with the GMER logs, the WinPfind log and a new HijackThis log
You will probably need to several posts to fit all the logs in

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users