Heavyjay's Hijackthis Log


  • This topic is locked
9 replies to this topic

#1 heavyjay (New Member, 11 posts)

Posted 09 April 2007 - 12:32 PM

I've already gotten rid of a lot of spyware myself, but there's still something lurking out there...

Any help is greatly appreciated!
Heavyjay

Logfile of HijackThis v1.99.1
Scan saved at 12:49:08 PM, on 4/9/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\BellSouthWCC\McciTrayApp.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [BellSouthWCC_McciTrayApp] C:\Program Files\BellSouthWCC\McciTrayApp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINNT\System32\nfnsdrwc.dll",setvm
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\HelpSpot\StartFirstControl.CAB
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\HelpSpot\XPLControl.CAB
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\RnJhbms\command.exe (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINNT\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe



#2 bob4 (MalwareTeam Emeritus, 2,205 posts)

Posted 09 April 2007 - 04:39 PM

I'm Bob4, I'll be glad to help you with your computer problems.



Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.




It looks like you have been infected by a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

It's very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing what has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to back up your information, reformat, and reinstall.

More information on Remote Access Trojans can be found here.

I suggest you do the following immediately:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities.

Should you have any questions, please feel free to ask.

Should you decide to clean this machine start by doing the following.


________________________________

Rename Hijackthis to vundonot

Let me know if you need help doing this. I believe something is hiding from us.

______________________________
HJT
Run HijackThis (renamed to vundonot), choose Scan Only, and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked.


O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab



____________________________
Please download the Killbox by Option^Explicit

Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINNT\System32\svchosts.exe
C:\WINNT\RnJhbms\command.exe


Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).


If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.



______________________________
Stop and Disable a Service

Go to Start > Run, type Services.msc, and click OK.
Scroll down and find these services: COM+ Messages and Command Service.
Double-click on each one.
Under the General tab, click the Stop button.
Then, as the startup type, select Disabled.

Do this for both services.

______________________________
We need to delete a service
- Start HijackThis...
- Click "Config" button
- Click "Misc Tools" button
- click "Delete an NT Service" button
- Copy and paste the bold text below into the "Delete an NT Service" window

COM+ Messages, click OK
and Command Service, click OK

close that.




_____________________________
Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste these filepaths: 1 at a time.

C:\WINNT\System32\nfnsdrwc.dll


Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustota...l/index_en.html



________________________________________
Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.




In your next reply I would like to see:
  • A new HJT log (renamed vundonot)
  • The report from Jotti's
  • The report from Vundo

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#3 heavyjay (New Member, 11 posts)

Posted 10 April 2007 - 05:10 AM

Hi Bob, thanks for your help! I did everything you said to the letter...

Logfile of HijackThis v1.99.1
Scan saved at 7:07:55 AM, on 4/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\BellSouthWCC\McciTrayApp.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\hijackthis\vundonot.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: Web Assistant - {04DCB78C-AB45-83AD-A86A-6DFB90277939} - C:\Program Files\psquery\psquery.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {16E68932-3781-6E0A-A34E-6FE336E1F2E2} - C:\WINNT\System32\loxujct.dll (file missing)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {376719F4-5FB2-4B1D-9859-B3864A1648A9} - C:\WINNT\system32\gebabbb.dll (file missing)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: msnhlp32.msn_hlp - {CC49785F-80A9-49CC-AB3C-ED3270452188} - C:\WINNT\System32\msnhlp32.dll (file missing)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {F09E7CE8-E236-4D49-A7F5-94611C5BF81D} - C:\WINNT\System32\ddawt.dll (file missing)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [BellSouthWCC_McciTrayApp] C:\Program Files\BellSouthWCC\McciTrayApp.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINNT\System32\nfnsdrwc.dll",setvm
O4 - HKCU\..\Run: [Kernel Fault Safe] C:\WINNT\smss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\HelpSpot\StartFirstControl.CAB
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\HelpSpot\XPLControl.CAB
O20 - Winlogon Notify: gebabbb - gebabbb.dll (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Vundo results


VundoFix V6.3.19

Checking Java version...

Sun Java not detected
Scan started at 10:19:36 PM 4/9/2007

Listing files found while scanning....

C:\WINNT\System32\cmyhhxow.dll
C:\WINNT\System32\ddawt.dll
C:\WINNT\System32\twadd.bak1
C:\WINNT\System32\twadd.bak2
C:\WINNT\System32\twadd.ini
C:\WINNT\System32\twadd.ini2
C:\WINNT\System32\twadd.tmp

Beginning removal...

Attempting to delete C:\WINNT\System32\ddawt.dll
C:\WINNT\System32\ddawt.dll Has been deleted!

Attempting to delete C:\WINNT\System32\twadd.bak1
C:\WINNT\System32\twadd.bak1 Has been deleted!

Attempting to delete C:\WINNT\System32\twadd.bak2
C:\WINNT\System32\twadd.bak2 Has been deleted!

Attempting to delete C:\WINNT\System32\twadd.ini
C:\WINNT\System32\twadd.ini Has been deleted!

Attempting to delete C:\WINNT\System32\twadd.ini2
C:\WINNT\System32\twadd.ini2 Has been deleted!

Attempting to delete C:\WINNT\System32\twadd.tmp
C:\WINNT\System32\twadd.tmp Has been deleted!

Performing Repairs to the registry.
Done!

I must have already deleted "C:\WINNT\System32\nfnsdrwc.dll" because it showed nothing on virusscan, and when I looked for it, it was gone. The computer is much faster now!

Heavyjay

#4 bob4 (MalwareTeam Emeritus, 2,205 posts)

Posted 10 April 2007 - 05:54 AM

Looking better, but there's still a few things we need to do. :thumbup:

___________________________________

Lucky you! You have a new file we need to upload to the maker of the fix.
This will help us and others greatly. After you do this we will safely remove this infection.
This will only take a few minutes of your time.

  • Please go to this Site.
  • Fill out the form.
  • Where it says Topic where file was requested, paste this link in:

    http://forums.tomcoyote.org/Heavyjay_s_Hijackthis_Log_t78316.html&pid=367304&st=0
  • Where it says browse/files to submit, paste these in the spaces provided:

    C:\WINNT\system32\gebabbb.dll
    C:\WINNT\System32\loxujct.dll
    C:\WINNT\System32\ddawt.dll

  • Then click send.


_____________________________________________

  • Double-click VundoFix.exe to run it.
  • Right-click inside the listbox (white box) and click add more files.
  • Copy and paste the 3 entries below into the top 3 boxes:

    C:\WINNT\System32\loxujct.dll
    C:\WINNT\system32\gebabbb.dll
    C:\WINNT\System32\ddawt.dll

  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.


______________________________
HJT
Run HijackThis, choose Scan Only, and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked.



O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: Web Assistant - {04DCB78C-AB45-83AD-A86A-6DFB90277939} - C:\Program Files\psquery\psquery.dll (file missing)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {16E68932-3781-6E0A-A34E-6FE336E1F2E2} - C:\WINNT\System32\loxujct.dll (file missing)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {376719F4-5FB2-4B1D-9859-B3864A1648A9} - C:\WINNT\system32\gebabbb.dll (file missing)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: msnhlp32.msn_hlp - {CC49785F-80A9-49CC-AB3C-ED3270452188} - C:\WINNT\System32\msnhlp32.dll (file missing)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {F09E7CE8-E236-4D49-A7F5-94611C5BF81D} - C:\WINNT\System32\ddawt.dll (file missing)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINNT\System32\nfnsdrwc.dll",setvm
O4 - HKCU\..\Run: [Kernel Fault Safe] C:\WINNT\smss.exe
O20 - Winlogon Notify: gebabbb - gebabbb.dll (file missing)


______________________
Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINNT\System32\nfnsdrwc.dll
C:\WINNT\smss.exe

Now be careful here. There are legitimate files called smss.exe, so don't delete any just because you see them.

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).


If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

_____________________________________
1. Download ComboFix from one of these locations.
http://www.techsuppo...Bs/ComboFix.exe
http://download.blee...Bs/ComboFix.exe

2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


In your next reply I would like to see:
  • A new HJT log
  • The report from Vundo
  • The report from Combofix

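Added example, not code from this thread or from HijackThis, VundoFix or ComboFix: a small Python triage script that does, over text, what bob4 does by eye in posts #2 and #4. It parses HijackThis result lines (the R*/O* lines; the "Running processes" block is ignored), flags the kinds of entries acted on in the thread (services with no publisher or a missing binary, orphaned BHO and Winlogon Notify entries, a Run entry that loads a DLL through rundll32, a core process name such as smss.exe launched from outside System32, ActiveX controls pulled from a remote URL), and diffs two scans so a follow-up log shows what disappeared and what is new, as between the first and second logs above. The two sample logs are constructed for this example, modelled on lines from the posted scans; the rules are review heuristics, not verdicts.

```python
import re
from dataclasses import dataclass

# Constructed sample logs in the HijackThis result-line format (modelled on the
# scans posted in this thread). SCAN_BEFORE stands for the first log, SCAN_AFTER
# for a follow-up scan after a cleanup pass. Only result lines (R*/O*) matter
# here; the "Running processes" block and headers are ignored by the parser.
SCAN_BEFORE = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINNT\System32\nfnsdrwc.dll",setvm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\RnJhbms\command.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

SCAN_AFTER = r"""
O2 - BHO: (no name) - {F09E7CE8-E236-4D49-A7F5-94611C5BF81D} - C:\WINNT\System32\ddawt.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKCU\..\Run: [Kernel Fault Safe] C:\WINNT\smss.exe
O20 - Winlogon Notify: gebabbb - gebabbb.dll (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# One HijackThis result line: a section code (R0, O4, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str      # HijackThis section code
    reason: str    # why a human should look at this line
    line: str      # the raw log line


def parse_entries(log_text):
    """Return (kind, body, raw_line) for every result line; everything else is skipped."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group("kind"), m.group("body"), raw))
    return entries


def classify(kind, body):
    """Yield review reasons for one entry. These are triage heuristics, not verdicts;
    each mirrors something the helper in this thread asked the poster to act on."""
    low = body.lower()
    if "(file missing)" in low or "(no file)" in low:
        yield "orphaned entry: the file it points to is gone"
    if kind == "O23" and "unknown owner" in low:
        yield "service with no publisher string"
    if kind == "O4" and "rundll32.exe" in low:
        yield "Run entry loads a DLL through rundll32; identify that DLL"
    if kind == "O4" and "smss.exe" in low and "\\system32\\smss.exe" not in low:
        yield "core process name started from a non-standard path"
    if kind == "O16" and "http://" in low:
        yield "ActiveX control installed from a remote URL"


def triage(log_text):
    """All findings for one log, in log order."""
    return [Finding(kind, reason, raw)
            for kind, body, raw in parse_entries(log_text)
            for reason in classify(kind, body)]


def diff_scans(old_text, new_text):
    """Result lines that disappeared between two scans, and lines that are new."""
    old = {raw for _, _, raw in parse_entries(old_text)}
    new = {raw for _, _, raw in parse_entries(new_text)}
    return sorted(old - new), sorted(new - old)


def report(old_text, new_text):
    """Human-readable summary of the follow-up scan against the previous one."""
    removed, added = diff_scans(old_text, new_text)
    out = [f"{len(removed)} entries gone since last scan:"] + [f"  - {l}" for l in removed]
    out += [f"{len(added)} entries new since last scan:"] + [f"  + {l}" for l in added]
    out.append("entries still needing review:")
    out += [f"  [{f.kind}] {f.reason}\n      {f.line}" for f in triage(new_text)]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SCAN_BEFORE, SCAN_AFTER))
```

Run as a script it prints the diff and the review list for the follow-up scan; on the constructed samples the cleared rundll32 loader, the remote ActiveX control and the orphaned service drop out, and the new smss.exe Run entry and the orphaned BHO/Winlogon Notify entries are what remain to review. The smss.exe rule only looks at the path, which is exactly the caveat bob4 gives: a legitimate smss.exe lives in System32, so the path, not the name, is what decides.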

#5 heavyjay (New Member, 11 posts)

Posted 10 April 2007 - 04:53 PM

Hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 6:44:13 PM, on 4/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\BellSouthWCC\McciTrayApp.exe
C:\WINNT\System32\ctfmon.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\hijackthis\vundonot.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [BellSouthWCC_McciTrayApp] C:\Program Files\BellSouthWCC\McciTrayApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\HelpSpot\StartFirstControl.CAB
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\HelpSpot\XPLControl.CAB
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Vundo:


VundoFix V6.3.19

Checking Java version...

Sun Java not detected
Scan started at 10:19:36 PM 4/9/2007

Listing files found while scanning....

C:\WINNT\System32\cmyhhxow.dll
C:\WINNT\System32\ddawt.dll
C:\WINNT\System32\twadd.bak1
C:\WINNT\System32\twadd.bak2
C:\WINNT\System32\twadd.ini
C:\WINNT\System32\twadd.ini2
C:\WINNT\System32\twadd.tmp

Beginning removal...

Attempting to delete C:\WINNT\System32\ddawt.dll
C:\WINNT\System32\ddawt.dll Has been deleted!

Attempting to delete C:\WINNT\System32\twadd.bak1
C:\WINNT\System32\twadd.bak1 Has been deleted!

Attempting to delete C:\WINNT\System32\twadd.bak2
C:\WINNT\System32\twadd.bak2 Has been deleted!

Attempting to delete C:\WINNT\System32\twadd.ini
C:\WINNT\System32\twadd.ini Has been deleted!

Attempting to delete C:\WINNT\System32\twadd.ini2
C:\WINNT\System32\twadd.ini2 Has been deleted!

Attempting to delete C:\WINNT\System32\twadd.tmp
C:\WINNT\System32\twadd.tmp Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Performing Repairs to the registry.
Done!

Combofix:

ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Jason\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\uninstall_nmon.vbs
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\WINNT\RnJhbms\lBL1vAP.vbs
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
C:\WINNT\RnJhbms
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\Jason
C:\qoobox\purity\DOCUME~1\Jason\MYDOCU~1
C:\qoobox\purity\DOCUME~1\Jason\MYDOCU~1\ECURIT~1
C:\qoobox\purity\DOCUME~1\Jason\MYDOCU~1\from.txt


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\cmdService
-------\COM+ Messages
-------\Network Monitor
-------\LEGACY_CMDSERVICE
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_MCHINJDRV
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((((((((( Files Created from 2007-03-10 to 2007-04-10 ))))))))))))))))))))))))))))))))))


2007-04-09 22:19 <DIR> d-------- C:\VundoFix Backups
2007-04-09 21:57 <DIR> d-------- C:\!KillBox
2007-04-08 15:42 <DIR> d-------- C:\WINNT\system32\carp**
2007-04-08 10:28 280,676 ---hs---- C:\WINNT\system32\mljgh.dll
2007-04-02 18:17 <DIR> d-------- C:\WINNT\pss
2007-03-10 01:05 <DIR> dr-h----- C:\DOCUME~1\Jason\APPLIC~1\yahoo!


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-09 23:37 -------- d-------- C:\Program Files\yahoo!
2007-03-05 19:42 -------- d--h----- C:\Program Files\installshield installation information


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINNT\\System32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"BellSouthWCC_McciTrayApp"="C:\\Program Files\\BellSouthWCC\\McciTrayApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Willow Road Screen Saver.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Willow Road Screen Saver.lnk"
"backup"="C:\\WINNT\\pss\\Willow Road Screen Saver.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WillowRD\\WillowRd.exe "
"item"="Willow Road Screen Saver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DirectCD"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="carpserv"
"hkey"="HKLM"
"command"="carpserv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINNT\\System32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINNT\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ipwins"
"hkey"="HKCU"
"command"="C:\\Program Files\\Ipwindows\\ipwins.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ltho]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="alg"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\YSTEM3~1\\alg.exe\" -vt yazb"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="navapw32"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Okn]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="n?tepad"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\T?sks\\n?tepad.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realplay"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tgcmd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uikq]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uikqm"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\COMMON~1\\uikq\\uikqm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uvnx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uvcx"
"hkey"="HKLM"
"command"="c:\\winnt\\system32\\uvcx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{04DCB78C-AB45-83AD-A86A-6DFB90277939}"=""
"{376719F4-5FB2-4B1D-9859-B3864A1648A9}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\
Notification Packages REG_MULTI_SZ scecli\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\



Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\Norton AntiVirus - Scan my computer.job
C:\WINNT\tasks\Symantec NetDetect.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-10 18:38:50
C:\ComboFix-quarantined-files.txt ... 07-04-10 18:38

I tried uploading the files to uploadmalware.com, but all of them were already deleted. I know I deleted the gebabbb.dll personally before your 1st reply. That thing was a bear to remove. I think it was the main culprit. Thanks again :)

Heavyjay
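
The msconfig\startupreg keys in the ComboFix log above are where MSConfig parks startup items a user has unchecked: the Run value is copied there and removed from the real Run key, so the program no longer starts, but the file stays on disk and re-enabling it is one click in MSConfig. Entries such as Okn (a n?tepad.exe under Common Files\T?sks) and Ltho (an alg.exe under PROGRA~1\YSTEM3~1) therefore still need the file itself removed. The script below is an added example, not code from this thread or from ComboFix: it parses that section out of a constructed excerpt of the log and flags entries on two name-based heuristics, '?' characters in a path (how a log written in the ANSI code page typically renders a non-ASCII look-alike name) and a file named after a Windows system binary but located outside System32. The SYSTEM_BINARIES list, the severity labels and the excerpt itself are my assumptions.

```python
r"""Triage the MSConfig 'startupreg' section of a ComboFix-style log.

When a user unchecks a startup item in MSConfig, Windows XP moves the Run
value into HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg. The item
no longer runs, but the file it points to is still on disk and one click in
MSConfig re-enables it, so these entries belong on the cleanup list.

LOG is a constructed excerpt modelled on the posted log, in the .reg-style
notation ComboFix uses (backslashes and quotes are escaped).
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional

LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="carpserv"
"hkey"="HKLM"
"command"="carpserv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ltho]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="alg"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\YSTEM3~1\\alg.exe\" -vt yazb"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Okn]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="n?tepad"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\T?sks\\n?tepad.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uvnx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uvcx"
"hkey"="HKLM"
"command"="c:\\winnt\\system32\\uvcx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{04DCB78C-AB45-83AD-A86A-6DFB90277939}"=""
'''

STARTUPREG = "hkey_local_machine\\software\\microsoft\\shared tools\\msconfig\\startupreg\\"

# Windows binaries malware likes to impersonate (assumed list). The real ones
# live in %SystemRoot%\System32, so a same-named file anywhere else is suspect.
SYSTEM_BINARIES = ("alg.exe", "notepad.exe", "svchost.exe", "lsass.exe",
                   "csrss.exe", "ctfmon.exe", "services.exe")


@dataclass
class StartupEntry:
    name: str       # the Run value name MSConfig saved, e.g. "Okn"
    hive: str       # HKLM or HKCU
    command: str    # the original Run command line
    exe_path: str   # the executable part of that command line


def _unescape(value: str) -> str:
    # .reg exports write a backslash as \\ and a double quote as \"
    return re.sub(r"\\(.)", r"\1", value)


def _exe_from_command(command: str) -> str:
    """Extract the program path from a Run command line, quoted or not."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted paths may contain spaces (C:\Program Files\...), so cut at the
    # first ".exe" that ends a token rather than at the first space.
    m = re.match(r"(.*?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else (command.split() or [""])[0]


def _to_entry(values: dict) -> StartupEntry:
    command = values.get("command", "")
    return StartupEntry(values["name"], values.get("hkey", "?"), command,
                        _exe_from_command(command))


def parse_startupreg(log: str) -> list:
    """Return one StartupEntry per subkey under msconfig/startupreg, in log order."""
    entries = []
    values: Optional[dict] = None   # values of the key currently being read
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if values is not None:
                entries.append(_to_entry(values))
            key = line[1:-1]
            values = {"name": key[len(STARTUPREG):]} if key.lower().startswith(STARTUPREG) else None
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and values is not None:
            values[m.group(1)] = _unescape(m.group(2))
    if values is not None:
        entries.append(_to_entry(values))
    return entries


def triage(entry: StartupEntry):
    """Return (severity, reasons); severity is 'suspicious', 'review' or 'ok'."""
    directory, _, base = entry.exe_path.rpartition("\\")
    base = base.lower()
    if not directory:
        # A bare file name is resolved through the search path at logon, so
        # the file that actually runs has to be located before judging it.
        return "review", ["bare file name, resolved via the search path"]
    reasons = []
    if "?" in entry.exe_path:
        # The log is written in the ANSI code page; characters outside it come
        # out as '?', which is how non-ASCII look-alike names betray themselves.
        reasons.append("non-ASCII characters in path (rendered as '?')")
    lookalikes = [s for s in SYSTEM_BINARIES if fnmatch.fnmatchcase(s, base)]
    if lookalikes and not directory.lower().endswith("\\system32"):
        reasons.append(f"named like {lookalikes[0]} but not in System32")
    return ("suspicious", reasons) if reasons else ("ok", reasons)


def cleanup_list(entries) -> list:
    """Paths of the suspicious entries, in log order, for the removal tool."""
    return [e.exe_path for e in entries if triage(e)[0] == "suspicious"]


if __name__ == "__main__":
    for e in parse_startupreg(LOG):
        severity, reasons = triage(e)
        print(f"{severity:10} {e.hive:4} {e.name:12} {e.exe_path}  {'; '.join(reasons)}")
```

On the excerpt the cleanup list comes back with the alg.exe and n?tepad.exe paths, two of the five items bob4 asks to have moved in the next reply. uvcx.exe in System32 passes both name checks and is only caught by knowing the file (hash or vendor lookup), which is why name heuristics narrow the list but do not replace a reviewer who recognises the file.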

#6 bob4
MalwareTeam Emeritus (Authentic Member, 2,205 posts)
Posted 10 April 2007 - 05:39 PM

Well, we're still finding things. Maybe leftovers from things you had removed on your own.
Going to ask for another scan to be sure.

Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\mljgh.dll
    C:\PROGRA~1\YSTEM3~1
    c:\winnt\system32\uvcx.exe
    C:\PROGRA~1\COMMON~1\uikq
    C:\Program Files\Common Files\T?sks\n?tepad.exe

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
  • Close OTMoveIt
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


_________________________________
Please do an online scan with Kaspersky Online Scanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK

Now under select a target to scan select My Computer

This scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.

Please read about this file at the link below and you decide.
C:\Program Files\support.com\bin\tgcmd.exe

http://www.winpatrol...mple/tgcmd.html


In your next reply I would like to see:
  • A new HJT log
  • The report from OTMOVEIT
  • The report from Kaspersky

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#7 heavyjay
New Member (Authentic Member, 11 posts)
Posted 11 April 2007 - 04:32 AM

Thanks again, Bob!
jay

OTMoveIt:

DllUnregisterServer procedure not found in C:\WINNT\system32\mljgh.dll
C:\WINNT\system32\mljgh.dll NOT unregistered.
C:\WINNT\system32\mljgh.dll moved successfully.
File/Folder C:\PROGRA~1\YSTEM3~1 not found.
File/Folder c:\winnt\system32\uvcx.exe not found.
File/Folder C:\PROGRA~1\COMMON~1\uikq not found.
File/Folder C:\Program Files\Common Files\T?sks\n?tepad.exe not found.

Created on 04/10/2007 21:28:57

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 6:31:16 AM, on 4/11/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\BellSouthWCC\McciTrayApp.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\hijackthis\vundonot.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [BellSouthWCC_McciTrayApp] C:\Program Files\BellSouthWCC\McciTrayApp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\HelpSpot\StartFirstControl.CAB
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\HelpSpot\XPLControl.CAB
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 11, 2007 6:28:22 AM
Operating System: Microsoft Windows XP Home Edition, (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 11/04/2007
Kaspersky Anti-Virus database records: 294570
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 35929
Number of viruses found: 29
Number of infected objects: 84 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:29:25

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Documents\My Music\My Music\My Shared Folder\Grokster Installer.exe/WISE0029.BIN Infected: not-a-virus:AdWare.Win32.Altnet.c skipped
C:\Documents and Settings\All Users\Documents\My Music\My Music\My Shared Folder\Grokster Installer.exe/WISE0033.BIN/WISE0005.BIN Infected: not-a-virus:AdWare.Win32.Altnet.c skipped
C:\Documents and Settings\All Users\Documents\My Music\My Music\My Shared Folder\Grokster Installer.exe/WISE0033.BIN Infected: not-a-virus:AdWare.Win32.Altnet.c skipped
C:\Documents and Settings\All Users\Documents\My Music\My Music\My Shared Folder\Grokster Installer.exe WiseSFX: infected - 3 skipped
C:\Documents and Settings\Jason\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jason\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jason\Local Settings\History\History.IE5\MSHist012007041020070411\index.dat Object is locked skipped
C:\Documents and Settings\Jason\Local Settings\Temp\Perflib_Perfdata_538.dat Object is locked skipped
C:\Documents and Settings\Jason\Local Settings\Temp\~DFF68E.tmp Object is locked skipped
C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jason\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jason\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Louise\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Louise\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Louise\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Louise\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Louise\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Louise\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\hijackthis\backups\backup-20070409-145517-880.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped
C:\RECYCLER\S-1-5-21-2437969446-2966927733-1597234714-1005\Dc14.dll Infected: Trojan-Downloader.Win32.VB.asx skipped
C:\RECYCLER\S-1-5-21-2437969446-2966927733-1597234714-1005\Dc16.exe Infected: not-virus:Hoax.Win32.Renos.fn skipped
C:\RECYCLER\S-1-5-21-2437969446-2966927733-1597234714-1005\Dc24.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\RECYCLER\S-1-5-21-2437969446-2966927733-1597234714-1005\Dc31.exe Infected: Trojan-Downloader.Win32.Agent.bca skipped
C:\RECYCLER\S-1-5-21-2437969446-2966927733-1597234714-1005\Dc5\netmon.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\RECYCLER\S-1-5-21-2437969446-2966927733-1597234714-1005\Dc9.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\RECYCLER\S-1-5-21-2437969446-2966927733-1597234714-500\Dc1.exe Infected: Trojan-Downloader.Win32.Tiny.fy skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP599\A0042714.exe Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP599\A0042715.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP599\A0042719.exe Infected: Trojan-Downloader.Win32.PurityScan.dy skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP599\A0043682.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP599\A0043683.exe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP599\A0043684.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP599\A0043705.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP606\A0043850.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP606\A0043852.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP606\A0043853.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP607\A0043860.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP607\A0043861.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP607\A0043861.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP607\A0043861.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP607\A0043862.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP607\A0043864.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP607\A0043872.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP607\A0043878.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP607\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP607\snapshot\MFEX-2.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP608\A0043885.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP608\A0043885.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP608\A0043887.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP608\A0043893.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP619\A0043987.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP619\A0043988.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP619\A0043988.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP619\A0043988.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP619\A0044001.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP619\A0044002.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP619\A0044004.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP619\A0044005.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP620\snapshot\MFEX-4.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP620\snapshot\MFEX-9.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP621\snapshot\MFEX-4.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP621\snapshot\MFEX-9.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP622\snapshot\MFEX-4.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP622\snapshot\MFEX-9.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP623\A0044170.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP623\A0044171.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP623\A0044173.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP623\snapshot\MFEX-4.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP623\snapshot\MFEX-9.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0045214.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0045215.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0045222.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0045226.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0045226.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0045226.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0045228.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047260.exe Infected: not-virus:Hoax.Win32.Renos.dk skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047263.exe Infected: Trojan-Dropper.Win32.Delf.ev skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047270.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047271.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047273.exe Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047285.exe Infected: not-virus:Hoax.Win32.Renos.dk skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047304.exe Infected: Trojan-Dropper.Win32.Delf.ev skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047305.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047306.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047308.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047310.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047310.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047310.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047313.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047314.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047316.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047317.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP628\A0047318.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP629\A0048491.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP629\A0048492.dll Infected: Trojan-Downloader.Win32.VB.apq skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP629\A0048493.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP629\A0048504.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.ab skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP630\change.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

Scan process completed.

#8 bob4

    MalwareTeam Emeritus

  • Authentic Member
  • 2,205 posts

Posted 11 April 2007 - 05:35 AM

Navigate to c:/!killbox and delete everything in there now.

Navigate to c:/OTMOVEIT and delete everything in there now.

Navigate to C:\Documents and Settings\All Users\Documents\My Music\My Music\My Shared Folder\

and delete just this file.
Grokster Installer.exe



Great news!

Your log now appears to be clean.

Lets do a few things to tidy up.
Please do these in the order I suggest!


___________________________________
If we have set your computer to see all files and folders we must reprotect them.

UNDO SHOW ALL FILES
click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Deselect the checkbox labeled Display the contents of system folders.
Deselect the checkbox labeled Show hidden files and folders.
Replace the checkmark in the checkbox labeled Hide file extensions for known file types.
Replace the checkmark in the checkbox labeled Hide protected operating system files.
Press the Apply button and then OK.
Now many important files are safe.


___________________________________
Download and install CCleaner from here.


Now open the program and click on Run Cleaner.
(Do not use the Issues block to clean anything with this program. It is for experts only and it is risky.)

You may opt out of cleaning cookies. If you clean them, all you will have to do is retype names and passwords for places you visit on the net one time.
If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.
I clean all my cookies out from time to time. It's not that big a deal if you remember passwords.


___________________________________
Please create a 'clean' System Restore Point:
The reason for doing this is in case you need system restore you don't put back all we just took out.
Right click My Computer.
Then Properties, then System Restore.
Place a check mark by Turn off System Restore.
Click APPLY.
Windows will give you a warning; click Yes.
REBOOT.

Now go right back to the same place and uncheck Turn off System Restore.
Click APPLY and OK.





___________________________________
A few things to help with possible threats
SpywareBlaster

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs.
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.


______________________________
SiteHound

http://www.firetrust...tsitehound.html

This toolbar will help protect you from:

Over 4,000 fake bank and credit sites.
Tens of thousands of pornographic and adult sites.
The never-ending fake phishing sites.
Malicious sites, which can infect you with spyware and adware if you visit them.
Sites to download software which may infect your computer with spyware, a virus or adware.


___________________________________
Download and keep these updated and run weekly if you don't already have them.

Adaware
Tutorial

Spybot Search & Destroy
Tutorial




___________________________________
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from connecting to malware and spyware sites by redirecting the connection request to 127.0.0.1, which is your local address. If you use a proxy server, or if you are on AOL, be sure to read the special instructions.
You can download the MVPS Hosts File and see a HOSTS file tutorial here:
This website also contains useful tips, and links to other resources and utilities.


___________________________________
Make your Internet Explorer more secure
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click Ok
5. Click on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

6. Next press the Apply button and then the OK to exit the Internet Properties page.

___________________________________
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints; you do not have to be registered to post. Just find your country room and register your complaint.
The infections you had were Vundo / Purity Scan /

Safe and Happy Surfing. :)
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.
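The HOSTS-file step above relies on two properties of the file that are easy to get wrong and that a cleanup helper will want to verify: the blocklist entries must really sink the bad names to the loopback (or unspecified) address, and no legitimate name, such as a security vendor's update site, may have been given an entry at all, since that is the hijack HijackThis reports as an O1 line. The following parser and checks are an added example written for this page; they are not code from the thread or from the MVPS project. The sample HOSTS text, the `.example`/`.test` hostnames and the `10.0.0.99` address are constructed for the example.

```python
"""Added example (not part of the original thread or the MVPS project):
check a HOSTS file the way a resolver reads it.

Two checks a cleanup helper wants after installing a blocklist:
  1. the blocklist entries really sink known-bad names to the loopback or
     unspecified address, and
  2. no legitimate (e.g. security-vendor) name has been pointed anywhere by
     the file, which is the hijack HijackThis reports as an O1 line.
The file text and hostnames below are constructed for the example.
"""
import ipaddress

# Addresses that make a name unreachable rather than redirecting it.
SINKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: a few MVPS-style block entries plus one hijack entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# [Start of entries added by a blocklist]
0.0.0.0  ad.example.net          # comment after the entry
0.0.0.0\ttracker.example.org
127.0.0.1 malware-download.example.com
not-an-ip  garbage.example.net
# hijack: vendor site pointed at an attacker-chosen address
10.0.0.99 www.example-antivirus.test update.example-antivirus.test
"""


def parse_hosts(text):
    """Return {hostname (lowercase): ip} from HOSTS-file text.

    '#' starts a comment anywhere on a line, fields are whitespace separated,
    one address is followed by one or more names, names are case-insensitive
    and the first mapping for a name wins (later duplicates are ignored).
    Lines whose first field is not a valid IP address are skipped.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address: the resolver ignores it, so do we
        for name in fields[1:]:
            mapping.setdefault(name.lower(), ip)
    return mapping


def unblocked(mapping, bad_names):
    """Names from a blocklist that the file does NOT sink; sorted."""
    return sorted(n for n in bad_names if mapping.get(n.lower()) not in SINKHOLE)


def hijacked(mapping, trusted_names):
    """Trusted names that have any HOSTS entry at all -> {name: address}.

    A legitimate site never needs a HOSTS entry: an entry that sends it to
    loopback blocks its updates, one that sends it elsewhere redirects the user.
    """
    return {n: mapping[n.lower()] for n in trusted_names if n.lower() in mapping}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("unblocked:", unblocked(hosts, ["ad.example.net", "spyware.example.com"]))
    print("hijacked:", hijacked(hosts, ["www.example-antivirus.test", "www.example.com"]))
```

Run it against the real file (`C:\WINNT\system32\drivers\etc\hosts` on this machine) by passing its contents to `parse_hosts`; the first-mapping-wins rule matters because a hijack entry placed above the blocklist silently overrides the blocklist's entry for the same name.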

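The Internet Explorer hardening steps in the post are each a DWORD under the per-user Internet zone key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3`, zone 3 being the Internet zone), with 0 = Enable, 1 = Prompt and 3 = Disable. The audit below is an added example written for this page, not code from the thread; the value names are the ones Microsoft documents for the Zones registry keys (KB 182569), and the `weak`/`hardened` snapshots in the usage are constructed. It reports any setting that is missing or weaker than the post asks for, and treats a stricter setting as acceptable.

```python
"""Added example (not part of the original thread): audit the six Internet
zone settings the post asks for against the live registry (on Windows) or
against a snapshot dict (anywhere). Value names per Microsoft KB 182569;
data values are 0 = Enable, 1 = Prompt, 3 = Disable."""
import sys

# Per-user key for zone 3 (Internet). Machine-wide policy can live under HKLM
# too; that key is not consulted here.
ZONE_INTERNET = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# value name -> (description shown in the Custom Level dialog, setting the post requires)
REQUIRED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit(zone_values):
    """Compare a {value_name: dword} snapshot with REQUIRED.

    Returns [(value_name, description, current_label, required_label)] for
    every setting that is absent or weaker than required, in REQUIRED order.
    Strength is ordered Enable < Prompt < Disable, so Disable satisfies a
    Prompt requirement. An absent value means IE is using the zone template
    default, which is reported as 'unset' rather than assumed safe.
    """
    findings = []
    for name, (desc, required) in REQUIRED.items():
        current = zone_values.get(name)
        if current is None or current < required:
            shown = "unset" if current is None else LABEL.get(current, str(current))
            findings.append((name, desc, shown, LABEL[required]))
    return findings


def read_internet_zone():
    """Snapshot the REQUIRED values from HKCU on Windows; {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module, imported lazily

    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_INTERNET) as key:
        for name in REQUIRED:
            try:
                data, kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue  # value absent: audit() reports it as unset
            if kind == winreg.REG_DWORD:
                values[name] = data
    return values


if __name__ == "__main__":
    # Constructed snapshot standing in for a machine that has not been hardened.
    weak = {"1001": ENABLE, "1004": ENABLE, "1201": DISABLE, "1800": PROMPT, "1804": ENABLE}
    snapshot = read_internet_zone() or weak
    for name, desc, current, required in audit(snapshot):
        print(f"{name} {desc}: is {current}, should be {required}")
```

On the XP box in this thread the script reads the live values; on any other system it falls back to the constructed `weak` snapshot so the logic can still be exercised. Note that the post has you click Default Level first, which resets every zone value before the six changes are made; the audit only checks those six.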
#9 heavyjay

    New Member

  • Authentic Member
  • 11 posts

Posted 11 April 2007 - 07:46 PM

It's running a thousand times better. Thanks, Bob! Jay

#10 bob4

    MalwareTeam Emeritus

  • Authentic Member
  • 2,205 posts

Posted 14 April 2007 - 04:17 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a valid link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php