Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Virus Heat help

Started by eggmeister , Apr 14 2008 05:39 AM

  • This topic is locked This topic is locked
18 replies to this topic

#1 eggmeister

eggmeister

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 14 April 2008 - 05:39 AM

This infection called Virus heat installed itself and messages and pop would appear telling me that my private information was not safe and i should download this. I have ran spybot and atf cleaner and the main problem seems to be gone. Just like to know if theres anything else i need to get rid of. Here is my Hijack this log.



Logfile of HijackThis v1.99.1
Scan saved at 7:36:46 PM, on 14/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll (file missing)
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Amok Eggs Four Web] C:\Documents and Settings\All Users\Application Data\part dead amok eggs\New Browse.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll



Any help would be greatly appreciated

    Advertisements

Register to Remove

#2 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 14 April 2008 - 08:43 AM

Hi

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

There is a tutorial on the basic use of Combofix here:
http://www.bleepingc...to-use-combofix


Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet, than disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
You too could train to help others- Join the Classroom

Posted Image

Posted Image
Posted Image

#3 eggmeister

eggmeister

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 15 April 2008 - 02:24 AM

heres my combo fix log

ComboFix 08-04-14.2 - Egg 2008-04-15 16:09:42.3 - NTFSx86

Running from: C:\Documents and Settings\Egg\desktop\combofix.exe
Command switches used :: /killall

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-14 16:29 . 2008-04-14 16:32 346 --a------ C:\WINDOWS\wininit.ini
2008-04-11 18:51 . 2008-04-14 12:22 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-11 18:49 . 2008-04-15 12:28 <DIR> d-------- C:\WINDOWS\system32\215651
2008-04-03 11:59 . 2008-04-03 11:59 <DIR> d-------- C:\Documents and Settings\Egg\Logs
2008-03-31 20:03 . 2008-03-31 20:03 <DIR> d-------- C:\WINDOWS\Sun
2008-03-31 19:05 . 2008-04-14 19:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-31 19:05 . 2008-03-31 19:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-27 05:36 . 2008-03-27 05:38 <DIR> d-------- C:\Documents and Settings\Egg\.uicentral4
2008-03-26 04:59 . 2008-03-26 04:59 <DIR> d-------- C:\Logs
2008-03-25 22:20 . 2007-07-30 18:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-25 22:20 . 2007-07-30 18:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-25 22:20 . 2007-07-30 18:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-25 07:41 . 2008-03-25 07:41 <DIR> d-------- C:\Program Files\Windows Live
2008-03-25 07:41 . 2008-03-25 07:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 11:23 --------- d-----w C:\Program Files\Google
2008-04-14 08:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-14 04:26 --------- d-----w C:\Program Files\LimeWire
2008-04-11 10:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-11 07:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-04-01 21:51 --------- d-----w C:\Program Files\World of Warcraft
2008-03-20 07:46 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-10 01:03 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-03-10 00:33 --------- d-----w C:\Documents and Settings\Egg\Application Data\teamspeak2
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-09-21 08:05 13,195 ----a-w C:\Documents and Settings\Egg\zguicfgw.dat
2007-08-16 02:22 68,560 ----a-w C:\Documents and Settings\Stacey\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-04-15_12.29.44.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 11:28:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-15 08:11:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"= "C:\Program Files\NetProject\wamdl.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 09:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 17:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [ ]
"Amok Eggs Four Web"="C:\Documents and Settings\All Users\Application Data\part dead amok eggs\New Browse.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 2001-12-20 22:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bind cast]
C:\DOCUME~1\Stacey\APPLIC~1\SECTSE~1\FIRST ABOUT WAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2007-04-04 00:50 1603152 C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-04-04 00:00 644696 C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-10-27 14:21 61952 C:\WINDOWS\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-08 00:55 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
-ra------ 2006-08-14 10:51 352256 C:\WINDOWS\system32\JMRaidTool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--------- 2006-06-01 17:22 7618560 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-06-01 17:22 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 14:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]
-ra------ 2006-07-11 02:33 176128 C:\WINDOWS\system32\S3Trayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SP2 Connection Patcher]
C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 12:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2006-08-03 14:53 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"CiSvc"=3 (0x3)
"BITS"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 11:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 11:39]
S3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-09-12 10:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\BigPondADSL.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 09:29:13 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 16:11:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-15 16:14:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-15 08:14:38
ComboFix2.txt 2008-04-15 04:29:55
ComboFix3.txt 2007-09-08 01:16:17

Pre-Run: 113,244,438,528 bytes free
Post-Run: 113,235,197,952 bytes free
.
2008-04-09 19:02:25 --- E O F ---



heres the hijack this log


Logfile of HijackThis v1.99.1
Scan saved at 16:22, on 2008-04-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - (no file)
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll (file missing)
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Amok Eggs Four Web] C:\Documents and Settings\All Users\Application Data\part dead amok eggs\New Browse.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

#4 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 15 April 2008 - 03:09 AM

I just want to check something.

Please download SmitfraudFix (by S!ri).

  • Double-click Smitfraudfix.exe (For Vista, right-click on SmitfraudFix.exe and click Run as administrator). A screen will pop up. Select Option 1 (Search) by typing 1 and hit Enter. A text file will appear, which will list the infected files. Save it to a convenient location.
  • The log will also be saved here: C:\rapport.txt

Note: process.exe is detected by some Anti-Virus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
You too could train to help others- Join the Classroom

Posted Image

Posted Image
Posted Image

#5 eggmeister

eggmeister

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 15 April 2008 - 05:37 AM

this is the log SmitFraudFix v2.314 Scan done at 19:34:08.28, Tue 15/04/2008 Run from C:\Documents and Settings\Egg\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Process »»»»»»»»»»»»»»»»»»»»»»»» hosts »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 C:\WINDOWS\system32\215651\ FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Egg »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Egg\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Egg\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files C:\Program Files\NetProject\ FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components »»»»»»»»»»»»»»»»»»»»»»»» IEDFix !!!Attention, following keys are not inevitably infected!!! IEDFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» VACFix !!!Attention, following keys are not inevitably infected!!! VACFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{65bbf06c-ea06-4818-92a3-f3550d0e1004}"="asparagine" [HKEY_CLASSES_ROOT\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004}\InProcServer32] @="C:\WINDOWS\system32\rkvdr.dll" [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004}\InProcServer32] @="C:\WINDOWS\system32\rkvdr.dll" »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="wbsys.dll" "LoadAppInit_DLLs"=dword:00000001 »»»»»»»»»»»»»»»»»»»»»»»» Winlogon !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Userinit"="C:\\WINDOWS\\system32\\userinit.exe," "System"="" »»»»»»»»»»»»»»»»»»»»»»»» Rustock »»»»»»»»»»»»»»»»»»»»»»»» DNS »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End

#6 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 15 April 2008 - 06:07 AM

Hi

Run Smitfraudfix
Open the SmitfraudFix folder again and double-click the Smitfraudfix icon (Windows NT Command Script)
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.



Then double-click Combofix and run it again, post the new log it creates.
You too could train to help others- Join the Classroom

Posted Image

Posted Image
Posted Image

#7 eggmeister

eggmeister

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 17 April 2008 - 02:46 AM

heres the log


ComboFix 08-04-14.2 - Egg 2008-04-15 12:27:23.2 - NTFSx86

Running from: C:\Documents and Settings\Egg\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Starware406
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\1270_button_1b_def.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\1271_button_1b_def.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\1271_button_1b_over.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\logo.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\logoxp.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\Weather.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\WeatherHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\weatherhotxp.png
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\weatherxp.png
C:\Documents and Settings\All Users\Application Data\Starware406\contexts\error.xml
C:\Documents and Settings\All Users\Application Data\Starware406\contexts\related.xml
C:\Documents and Settings\All Users\Application Data\Starware406\contexts\travel.xml
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url
C:\Documents and Settings\Egg\Application Data\Adssite Advanced Toolbar
C:\Documents and Settings\Egg\Application Data\Adssite Advanced Toolbar\advertbuttons.xml
C:\Documents and Settings\Egg\Application Data\Adssite Advanced Toolbar\selected.xml
C:\Program Files\Adssite Advanced Toolbar
C:\Program Files\NetProject
C:\Program Files\NetProject\waun.exe
C:\Program Files\Starware406
C:\Program Files\Starware406\Setup_exe.vir
C:\WINDOWS\system32\215651\215651.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-14 16:29 . 2008-04-14 16:32 346 --a------ C:\WINDOWS\wininit.ini
2008-04-11 18:51 . 2008-04-14 12:22 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-11 18:49 . 2008-04-15 12:28 <DIR> d-------- C:\WINDOWS\system32\215651
2008-04-03 11:59 . 2008-04-03 11:59 <DIR> d-------- C:\Documents and Settings\Egg\Logs
2008-03-31 20:03 . 2008-03-31 20:03 <DIR> d-------- C:\WINDOWS\Sun
2008-03-31 19:05 . 2008-04-14 19:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-31 19:05 . 2008-03-31 19:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-27 05:36 . 2008-03-27 05:38 <DIR> d-------- C:\Documents and Settings\Egg\.uicentral4
2008-03-26 04:59 . 2008-03-26 04:59 <DIR> d-------- C:\Logs
2008-03-25 22:20 . 2007-07-30 18:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-25 22:20 . 2007-07-30 18:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-25 22:20 . 2007-07-30 18:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-25 07:41 . 2008-03-25 07:41 <DIR> d-------- C:\Program Files\Windows Live
2008-03-25 07:41 . 2008-03-25 07:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 11:23 --------- d-----w C:\Program Files\Google
2008-04-14 08:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-14 04:26 --------- d-----w C:\Program Files\LimeWire
2008-04-11 10:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-11 07:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-04-01 21:51 --------- d-----w C:\Program Files\World of Warcraft
2008-03-20 07:46 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-10 01:03 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-03-10 00:33 --------- d-----w C:\Documents and Settings\Egg\Application Data\teamspeak2
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-09-21 08:05 13,195 ----a-w C:\Documents and Settings\Egg\zguicfgw.dat
2007-08-16 02:22 68,560 ----a-w C:\Documents and Settings\Stacey\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"= "C:\Program Files\NetProject\wamdl.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 09:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 17:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [ ]
"Amok Eggs Four Web"="C:\Documents and Settings\All Users\Application Data\part dead amok eggs\New Browse.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 2001-12-20 22:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bind cast]
C:\DOCUME~1\Stacey\APPLIC~1\SECTSE~1\FIRST ABOUT WAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2007-04-04 00:50 1603152 C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-04-04 00:00 644696 C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-10-27 14:21 61952 C:\WINDOWS\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-08 00:55 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
-ra------ 2006-08-14 10:51 352256 C:\WINDOWS\system32\JMRaidTool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--------- 2006-06-01 17:22 7618560 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-06-01 17:22 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 14:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]
-ra------ 2006-07-11 02:33 176128 C:\WINDOWS\system32\S3Trayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SP2 Connection Patcher]
C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 12:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2006-08-03 14:53 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"CiSvc"=3 (0x3)
"BITS"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\BigPondADSL.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 09:29:13 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 12:28:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-15 12:29:54
ComboFix-quarantined-files.txt 2008-04-15 04:29:52
ComboFix2.txt 2007-09-08 01:16:17

Pre-Run: 113,185,529,856 bytes free
Post-Run: 113,199,779,840 bytes free
.
2008-04-09 19:02:25 --- E O F ---

#8 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 17 April 2008 - 02:58 AM

Could I see the Smitfraud report after running Option 2?
You too could train to help others- Join the Classroom

Posted Image

Posted Image
Posted Image

#9 eggmeister

eggmeister

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 17 April 2008 - 04:46 AM

sorry my bad posted wrong log will run again

Edited by eggmeister, 17 April 2008 - 04:51 AM.

#10 eggmeister

eggmeister

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 17 April 2008 - 05:29 AM

ok heres the log SmitFraudFix v2.314 Scan done at 19:25:11.65, Thu 17/04/2008 Run from C:\Documents and Settings\Egg\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{65bbf06c-ea06-4818-92a3-f3550d0e1004}"="asparagine" [HKEY_CLASSES_ROOT\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004}\InProcServer32] @="C:\WINDOWS\system32\rkvdr.dll" [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004}\InProcServer32] @="C:\WINDOWS\system32\rkvdr.dll" »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» hosts 127.0.0.1 localhost »»»»»»»»»»»»»»»»»»»»»»»» VACFix VACFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix S!Ri's WS2Fix: LSP not Found. »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» IEDFix IEDFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» DNS »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{65bbf06c-ea06-4818-92a3-f3550d0e1004}"="asparagine" [HKEY_CLASSES_ROOT\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004}\InProcServer32] @="C:\WINDOWS\system32\rkvdr.dll" [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004}\InProcServer32] @="C:\WINDOWS\system32\rkvdr.dll" »»»»»»»»»»»»»»»»»»»»»»»» End

    Advertisements

Register to Remove

#11 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 17 April 2008 - 08:40 AM

Hi

Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C 

KillAll::

File::
C:\WINDOWS\system32\rkvdr.dll

Folder::
C:\DOCUME~1\Stacey\APPLIC~1\SECTSE~1
C:\Documents and Settings\Egg\Desktop\SmitfraudFix
 
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"=-
[-HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Amok Eggs Four Web"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bind cast]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{65bbf06c-ea06-4818-92a3-f3550d0e1004}"=-
[-HKEY_CLASSES_ROOT\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004}]
[-[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004}]

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image


Refering to the picture above, drag CFScript into ComboFix.exe


Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.

In your next reply post:
ComboFix.txt
MBAM log
New HijackThis log taken after the above scan has run
You too could train to help others- Join the Classroom

Posted Image

Posted Image
Posted Image

#12 eggmeister

eggmeister

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 18 April 2008 - 06:49 AM

heres the combofix log

ComboFix 08-04-17.1 - Egg 2008-04-18 16:49:46.2 - NTFSx86

Running from: C:\Documents and Settings\Egg\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Egg\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\rkvdr.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Starware406
C:\Documents and Settings\Egg\Application Data\Adssite Advanced Toolbar
C:\Documents and Settings\Egg\Desktop\SmitfraudFix
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\dumphive.exe
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\exit.exe
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\GenericRenosFix.exe
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\HostsChk.exe
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\IEDFix.exe
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\Process.exe
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\Reboot.exe
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\restart.exe
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\SmitfraudFix.cmd
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\SmiUpdate.exe
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\SrchSTS.exe
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\swreg.exe
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\swsc.exe
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\swxcacls.exe
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\UIFix.exe
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\unzip.exe
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\VACFix.exe
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\VCCLSID.exe
C:\Documents and Settings\Egg\Desktop\SmitfraudFix\WS2Fix.exe
C:\Program Files\Adssite Advanced Toolbar
C:\Program Files\Starware406

.
((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-17 17:56 . 2008-04-17 17:56 12,684 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-04-15 19:33 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-15 19:33 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-15 19:33 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-15 18:59 . 2008-04-15 18:59 <DIR> d-------- C:\swsetup
2008-04-15 18:59 . 2008-04-15 18:59 <DIR> d-------- C:\Program Files\Uniblue
2008-04-15 18:59 . 2008-04-15 18:59 <DIR> d-------- C:\Documents and Settings\Egg\Application Data\Uniblue
2008-04-15 18:23 . 2008-04-15 20:11 <DIR> d-------- C:\WINDOWS\AsDmiHtm
2008-04-15 16:14 . 2008-04-15 19:10 <DIR> d-------- C:\RECYCLER(2)
2008-04-14 16:29 . 2008-04-14 16:32 346 --a------ C:\WINDOWS\wininit.ini
2008-04-11 18:51 . 2008-04-14 12:22 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-03 11:59 . 2008-04-03 11:59 <DIR> d-------- C:\Documents and Settings\Egg\Logs
2008-03-31 20:03 . 2008-03-31 20:03 <DIR> d-------- C:\WINDOWS\Sun
2008-03-27 05:36 . 2008-03-27 05:38 <DIR> d-------- C:\Documents and Settings\Egg\.uicentral4
2008-03-26 04:59 . 2008-03-26 04:59 <DIR> d-------- C:\Logs
2008-03-25 22:20 . 2007-07-30 18:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-25 22:20 . 2007-07-30 18:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-25 22:20 . 2007-07-30 18:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-25 07:41 . 2008-03-25 07:41 <DIR> d-------- C:\Program Files\Windows Live
2008-03-25 07:41 . 2008-03-25 07:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 08:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 11:25 3,790 ----a-w C:\WINDOWS\system32\tmp.reg
2008-04-15 13:04 --------- d-----w C:\Program Files\Incomplete
2008-04-15 11:10 --------- d-----w C:\Program Files\Realtek
2008-04-14 11:23 --------- d-----w C:\Program Files\Google
2008-04-14 08:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-14 04:26 --------- d-----w C:\Program Files\LimeWire
2008-04-11 10:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-11 07:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-04-01 21:51 --------- d-----w C:\Program Files\World of Warcraft
2008-03-20 07:46 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-10 01:03 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-03-10 00:33 --------- d-----w C:\Documents and Settings\Egg\Application Data\teamspeak2
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-09-21 08:05 13,195 ----a-w C:\Documents and Settings\Egg\zguicfgw.dat
2007-08-16 02:22 68,560 ----a-w C:\Documents and Settings\Stacey\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 09:37 2321600]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24 1694208]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"bind cast"="C:\DOCUME~1\Stacey\APPLIC~1\SECTSE~1\FIRST ABOUT WAY.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 17:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"VTTimer"="VTTimer.exe" [2006-08-03 14:53 53248 C:\WINDOWS\system32\VTTimer.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 12:00 132496]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [ ]
"S3Trayp"="S3trayp.exe" [2006-07-11 02:33 176128 C:\WINDOWS\system32\S3Trayp.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 14:24 286720]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [ ]
"nwiz"="nwiz.exe" [2006-06-01 17:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22 7618560]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-08-14 10:51 352256]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-08 00:55 267064]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 14:21 61952 C:\WINDOWS\system32\HdAShCut.exe]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-04 00:00 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 00:50 1603152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 2001-12-20 22:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 11:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 11:39]
S3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-09-12 10:43]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 09:29:13 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 16:53:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-18 16:58:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-18 08:58:13
ComboFix2.txt 2008-04-15 08:14:41
ComboFix3.txt 2008-04-15 04:29:55
ComboFix4.txt 2007-09-08 01:16:17

Pre-Run: 112,880,275,456 bytes free
Post-Run: 112,956,882,944 bytes free
.
2008-04-18 08:58:00 --- E O F ---




heres the hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 8:47:00 PM, on 18/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Egg\Desktop\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [bind cast] C:\DOCUME~1\Stacey\APPLIC~1\SECTSE~1\FIRST ABOUT WAY.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll



and the last log

Malwarebytes' Anti-Malware 1.11
Database version: 647

Scan type: Full Scan (C:\|)
Objects scanned: 78243
Time elapsed: 24 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{14e6d991-db22-4661-981d-20c168d6847b} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2242513c-f5e9-41b3-bc89-4d9daf487450} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3b489b37-fc1b-45c8-b1ce-78d9aef5b336} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3d6a6e24-fdff-418e-a93d-9fbdcba377af} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e318e44-0c35-4292-af91-18dd17795636} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{495349a3-3a35-465f-88df-6ccfc1348246} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{575e8879-d6cf-4992-a7fe-651da9277bcb} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{76a15001-ff88-47ee-9e34-9f68e34246af} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{819a1c55-735f-4696-8727-3772ec87ad26} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8dc7e656-ffbc-4ba2-af81-1c6c4fe04407} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a86bed71-2b56-4778-9c48-829a3d01c687} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ae119e11-cf86-43cb-91aa-1acf2bbf9ec6} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5a1ce7f-011d-4475-98db-076aaf3b1d18} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b667f141-171c-4ac6-bd2b-8e0c646fb920} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{da4f8351-05ef-4956-b9ab-1093b732436f} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e1e4e46d-53b8-45dc-abf0-3e7adef79012} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{83b0cadc-ea64-4ac6-822a-3ece95f44da6} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CustReg.CustRg (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\qoobox\Quarantine\C\Program Files\NetProject\waun.exe.vir (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\qoobox\Quarantine\C\WINDOWS\system32\215651\215651.dll.vir (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BC5EF762-4A69-417C-B9C0-BBAF93E5C387}\RP10\A0001047.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BC5EF762-4A69-417C-B9C0-BBAF93E5C387}\RP10\A0001048.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BC5EF762-4A69-417C-B9C0-BBAF93E5C387}\RP2\A0000061.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BC5EF762-4A69-417C-B9C0-BBAF93E5C387}\RP2\A0000062.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Stacey\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.

#13 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 18 April 2008 - 07:55 AM

Hi

Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS\Ascd_tmp.ini
Click Submit.
Please post the results of this scan to this thread.

Do the same for this file:
C:\Documents and Settings\Egg\zguicfgw.dat


[Party Poker, PartyCasino, UltimateBet, EmpirePoker, and the related sites are a risk and that's where most malware gets installed. Online Poker sites are well known for placing all manner of Internet parasites on their visitors' computers and continue to do so. They should be highly suspect for any Malware on your computer. In a lot of cases, these Poker plugins are also getting installed without your asking for it. You can read Poker gamers targeted by a rootkit backdoor regarding the risk involved with visiting the Poker games web sites. Two safe alternatives are PokerStars and Pogo.com.

I recommend that you remove Party Poker and Empire Poker.
To uninstall the Party Poker.
  • Click Start > Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight Party Poker, click Remove.
  • Close the Add or Remove Programs and the Control Panel windows.
  • Using Windows Explorer (Windows key+e), search for the Party Poker folder. If the program folder is still there, select/highlight the PartyPoker folder. DELETE it. (File > Delete.) If Windows is not installed on the C drive, replace C:\ with the appropriate drive letter.
  • Close Windows Explorer.
  • Reboot.
  • Substitute the name of the next poker game recommended for uninstall and follow the above procedure for each poker game.



Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

O4 - HKCU\..\Run: [bind cast] C:\DOCUME~1\Stacey\APPLIC~1\SECTSE~1\FIRST ABOUT WAY.exe


WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked exit HijackThis and reboot then post back with a new HijackThis log.
You too could train to help others- Join the Classroom

Posted Image

Posted Image
Posted Image

#14 eggmeister

eggmeister

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 18 April 2008 - 07:03 PM

heres the first 2 scans

Scan taken on 19 Apr 2008 00:54:37 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing





Scan taken on 19 Apr 2008 00:57:15 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing



And my new hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 9:00:20 AM, on 19/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Egg\Desktop\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

#15 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 19 April 2008 - 04:51 AM

Hi

Im guessing you removed the Poker stuff. Yuo will need to fix the lines in Hijackthis

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)


WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked exit HijackThis and reboot.


Delete the older versions of Java and download the newest.
Please follow these steps to remove older version Java components.
  • Close any programmes you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download the latest version of Java Runtime Environment (JRE) (5th one down the list), which is JRE6u6, and click Yes at the page warning. Under "Platform" select Windows, then check the box to accept the Licence Agreement. Click Yes at the second page warning before downloading the Offline file.
There is no need to download the Sun Dowload manager but it is optional.


Then run MBAM once more, on a Quick Scan this time and post the new log with a new HijackThis log.
You too could train to help others- Join the Classroom

Posted Image

Posted Image
Posted Image

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·