Avast WEBforum
Other => Viruses and worms => Topic started by: brenda31 on June 20, 2007, 02:03:14 AM
-
Please help.
My Avast cleaner (avast 4.7) keeps telling me I have infected files and to move them to the chest. I move them to the chest; however, IE pops up randomly taking me to www.partypoker.com and some other singles site. I have run Ad-Aware and have deleted what came up. I've also run Spybot twice and I continue to get the following.
Smitfraud-C.Toolbar888 1 entries
Winsoftware.WinAntiVirusPro2006 1 entries
Winsoftware 1 entries
ZenoSearch 3 entries
Avast 4.7 tells me I have
Name of file
C:\Documents and Settings\...\dqgubvpq.exe Infection Win32:Agent-HZS [Trj]
C:\Documents and Settings\...\[PECompact] Infection Win32:Agent-HDR [Trj]
C:\System Volume Information\...\A0040516.exe Infection Win32: Trojan-gen {other}
C:\System Volume Information\...\A0041388.dll Infection Win32:VBStat-C[Trj]
C:\\WINDOWS/system32\fojtipub.exe Infection: Win32:Agent-HZS [Trj]
I had been able to get online and check email but now I cannot even sign in.
How can I correct this problem?
Thanks.
-
Classic example of browser hijacking. If you want quick and good advice, please post your HijackThis log so the people at avast can tell you what to do next.
http://www.softpedia.com/progDownload/HijackThis-Download-5034.html
Since you already ran Ad-Aware and Spybot Search & Destroy, try
AVG Anti-Spyware http://www.filehippo.com/download_ewido/
;D
I have found it more effective in cases of IE hijacking.
-
Hi brenda31. Welcome to the forum.
Please post a ComboFix log first, then a HijackThis log.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log (instructions below) in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe
- Save HJTsetup.exe to your desktop.
- Doubleclick on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Both of these logs will be long and will require more than a single post to fit all the information. Use as many posts as required.
-
C:\WINDOWS\system32\cayjqija.dll
C:\WINDOWS\system32\ewscknwt.dll
C:\WINDOWS\system32\gjidsoiv.dll
C:\WINDOWS\system32\kimmrbbf.dll
C:\WINDOWS\system32\ajiqjyac.ini
C:\WINDOWS\system32\twnkcswe.ini
C:\WINDOWS\system32\viosdijg.ini
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.ini2
C:\WINDOWS\system32\klnmp.tmp
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.ini2
C:\WINDOWS\system32\klnmp.tmp
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.ini2
C:\WINDOWS\system32\klnmp.tmp
C:\WINDOWS\system32\opnmmml.dll
C:\WINDOWS\system32\pmnlk.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\WINDOWS\svhost.exe
((((((((((((((((((((((((( Files Created from 2007-05-20 to 2007-06-20 )))))))))))))))))))))))))))))))
2007-06-19 19:58 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-19 04:05 192,602 --a------ C:\WINDOWS\system32\kwinlodt.exe
2007-06-18 13:35 932 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-06-18 13:31 191,006 --a------ C:\WINDOWS\system32\nkdsregs.exe
2007-06-17 00:21 <DIR> d-------- C:\Program Files\svhost
2007-06-17 00:20 <DIR> d-------- C:\Program Files\poolsv
2007-06-17 00:16 36,352 --a------ C:\WINDOWS\poolsv.exe
2007-06-17 00:14 0 -rahs---- C:\MSDOS.SYS
2007-06-17 00:14 0 -rahs---- C:\IO.SYS
2007-06-15 23:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-15 23:29 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-14 13:01 <DIR> d-------- C:\DOCUME~1\BRENDA~1\APPLIC~1\Snapfish
2007-06-13 16:24 <DIR> d-------- C:\DOCUME~1\BRENDA~1\APPLIC~1\IMVU
-
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-18 07:09:46 -------- d-----w C:\Program Files\Messenger
2007-06-09 05:52:17 -------- d-----w C:\DOCUME~1\BRENDA~1\APPLIC~1\AdobeUM
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-14 22:17:57 -------- d-----w C:\DOCUME~1\BRENDA~1\APPLIC~1\Viewpoint
2007-05-09 12:14:32 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 16:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:33]
{7FE07CC5-E966-49EB-9D62-EB3B69656283}=C:\Program Files\Messenger\meqot43855.dll [2007-06-14 06:54]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 12:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 05:36]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 17:11]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 07:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 07:11]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 18:04]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 15:24]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 16:01]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 15:54]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 11:28]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-29 08:02]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup
-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
Contents of the 'Scheduled Tasks' folder
2007-05-14 12:29:00 C:\WINDOWS\tasks\Easy Internet Sign-up.job
2007-06-20 01:22:41 C:\WINDOWS\tasks\MP Scheduled Scan.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 20:21:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe???????????????|?p???? ???B?????????????hLC? ??????
scanning hidden files ...
**************************************************************************
Completion time: 2007-06-19 20:26:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-19 20:25
--- E O F ---
-
Logfile of HijackThis v1.99.1
Scan saved at 20:52, on 2007-06-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Airlink101\AWLC4030\WLService.exe
C:\Program Files\Airlink101\AWLC4030\WLanCfgAG.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\ComboFix\catchme.cfexe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
-
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7FE07CC5-E966-49EB-9D62-EB3B69656283} - C:\Program Files\Messenger\meqot43855.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Brenda Mayorga\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176249475250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176249440859
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Super G Wireless Cardbus Service - Unknown owner - C:\Program Files\Airlink101\AWLC4030\WLService.exe
-
I've posted both the ComboFix log and the HijackThis log. Will this have fixed the problem, or what else should I do? I have noticed that I have yet to be redirected to the partypoker site. Thank you!
-
There's quite a lot going on in your logs. It's getting a little late for me and I would rather delve deeper after a night's sleep.
For now, open HijackThis again and click to Run a System Scan Only. When it finishes place a check mark next to these lines:
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Brenda Mayorga\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
Then close all other windows, including your browser, and click Fix Checked.
Next, install the free version of SuperAntiSpyware and run a complete scan. Quarantine anything found and save the log. Then post the log in your next response.
http://www.superantispyware.com/
Also, you have an old-ish version of Java that should be updated. The current version can be downloaded here
http://www.java.com/en/download/manual.jsp
After updating Java, open Add/Remove Programs in the Control Panel and uninstall any versions of Java older than 6.1 (don't skip this step - some older versions are exploitable and the update process will not remove them).
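The triage above is done by eye: O15 Trusted Zone sites, O3/O9 entries whose file is gone, and an unnamed BHO that later disappears from the second log. Here is an added example (editor's code, not from anyone in this thread and not part of HijackThis) that applies those same rules to HijackThis lines mechanically and diffs a before/after log to confirm what the Fix Checked step removed. The sample lines are a constructed subset of the two logs posted in this thread; the one-entry allowlist for Spybot's unnamed SDHelper BHO is an assumption made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the first HijackThis log in this thread.
BEFORE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7FE07CC5-E966-49EB-9D62-EB3B69656283} - C:\Program Files\Messenger\meqot43855.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Brenda Mayorga\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
"""

# Constructed sample input: the matching subset of the second log, after Fix Checked.
AFTER_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# HijackThis lines look like "<kind> - <body>", where kind is R0..R3, F0..F3, N1..N4 or O1..O24.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Assumed allowlist: CLSIDs of "(no name)" BHOs that are known-good on this machine.
# The single value is Spybot S&D's SDHelper, copied from the log in this thread.
KNOWN_GOOD_NONAME_BHO = {"{53707962-6F74-2D53-2644-206D7942484F}"}


@dataclass(frozen=True)
class Entry:
    kind: str
    body: str


def parse_log(text):
    """Turn HijackThis log text into Entry objects, skipping headers and process lists."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def triage(entries):
    """Return (entry, reason) pairs for the entry classes the helper singled out above."""
    findings = []
    for e in entries:
        if e.kind == "O15":
            findings.append((e, "site added to the IE Trusted Zone (relaxed security settings)"))
        elif e.kind in ("O3", "O9") and ("(no file)" in e.body or "(file missing)" in e.body):
            findings.append((e, "orphaned toolbar/button: still registered but its file is gone"))
        elif e.kind == "O2" and e.body.startswith("BHO: (no name)"):
            m = CLSID_RE.search(e.body)
            clsid = m.group(0).upper() if m else ""
            if clsid not in KNOWN_GOOD_NONAME_BHO:
                findings.append((e, "unnamed Browser Helper Object with an unrecognised CLSID"))
    return findings


def diff_logs(before, after):
    """Entries that vanished and entries that appeared between two scans, order preserved."""
    before_set, after_set = set(before), set(after)
    removed = [e for e in before if e not in after_set]
    added = [e for e in after if e not in before_set]
    return removed, added


if __name__ == "__main__":
    before, after = parse_log(BEFORE_LOG), parse_log(AFTER_LOG)
    for e, why in triage(before):
        print(f"[review] {e.kind} - {e.body}\n         {why}")
    removed, added = diff_logs(before, after)
    for e in removed:
        print(f"[gone  ] {e.kind} - {e.body}")
    for e in added:
        print(f"[new   ] {e.kind} - {e.body}")
```

Run against the two sample logs, the triage flags exactly the seven lines the helper asked to have fixed (three O15 sites, three orphaned O3/O9 entries and the unnamed Messenger BHO) while leaving Spybot's SDHelper alone, and the diff confirms those seven are absent from the second log, with the new Java SSVHelper BHO the only addition. The O23 service lines in this thread are deliberately not scored: HijackThis 1.99.1 reports the avast services with a stray quote and "(file missing)" even though the processes are plainly running, so a rule on that string would produce false positives.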
-
I see a worm or two in your ComboFix log that may still be present.
Download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer and save it to your desktop but don't run it just yet. Depending on the results of SuperAntiSpyware we may use this to manually remove some files.
-
I downloaded and ran SuperAntiSpyware and it did not find anything. I hope that's good news. Thanks again for your help.
-
Oh man. I reran SUPERAntiSpyware because I had a popup asking about updates and I now have a bunch of things popping up. I'll post them as soon as the spyware finishes scanning my files. ???
-
This is the most recent SUPERAntiSpyware Scan Log. I ran one last night and had a whole lot more pop up. I will post that log in a few.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 06/20/2007 at 04:37 PM
Application Version : 3.8.1002
Core Rules Database Version : 3258
Trace Rules Database Version: 1269
Scan type : Complete Scan
Total Scan Time : 00:45:18
Memory items scanned : 516
Memory threats detected : 0
Registry items scanned : 5710
Registry threats detected : 0
File items scanned : 27004
File threats detected : 43
Adware.Tracking Cookie
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@2o7[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@atdmt[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@adopt.specificclick[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@112.2o7[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@bs.serving-sys[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@tacoda[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@adinterax[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@serving-sys[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@tribalfusion[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@fastclick[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@advertising[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@edge.ru4[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@burstnet[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ad.xplusone[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@doubleclick[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@specificclick[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@mediaplex[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ads.pointroll[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@www.burstnet[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@adopt.euroclick[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@adserving.cpxinteractive[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ads.cluster01.oasis.zmh.zope[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@zedo[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@questionmarket[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@toplist[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ad[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@realmedia[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@cgi-bin[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@revenue[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@N763.networksite.www.msn[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@trafficmp[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@perf.overture[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@anad.tacoda[2].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@revsci[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@anat.tacoda[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@msnportal.112.2o7[1].txt
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@atwola[1].txt
C:\Documents and Settings\Antonio Escalante Jr\Cookies\antonio escalante jr@2o7[2].txt
C:\Documents and Settings\Antonio Escalante Jr\Cookies\antonio escalante jr@advertising[2].txt
C:\Documents and Settings\Antonio Escalante Jr\Cookies\antonio escalante jr@atdmt[1].txt
C:\Documents and Settings\Antonio Escalante Jr\Cookies\antonio escalante jr@doubleclick[1].txt
Trojan.ZQuest
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP211\A0041689.DLL
Trojan.ZenoSearch
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP211\A0041691.EXE
-
My earlier scan log at 6-20-2007 - 01:15:13 showed
Adaware.Clickspring/Outer Info Network
Adaware.Clickspring/Yazzle
Adaware.Tracking Cookie
Adaware.Unknown Origin
Trojan.Downloader-Gen
Trojan.Downloader-Gen/Blah
Trojan.Downloader-Gen/SVHost
Trojan.ZenoSearch
Unclassified.Unknown Origin
What should I do now with both scan logs?
-
Oh man. I reran SUPERAntiSpyware because I had a popup asking about updates and I now have a bunch of things popping up. I'll post them as soon as the spyware finishes scanning my files. ???
Do you mean pop ups on your screen or just lots of detections in SuperAntiSpyware?
The cookies in your log are not a problem. And we will deal with the System Volumes detection a bit later on. These will not be difficult.
If you haven't already downloaded OTMoveIt please do, then double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\nkdsregs.exe
C:\Program Files\svhost
C:\Program Files\poolsv
C:\WINDOWS\poolsv.exe
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with new ComboFix and Hijack logs.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Also, please upload the following file to Virus Total (http://www.virustotal.com/en/indexf.html) for analysis and post the results
C:\WINDOWS\system32\kwinlodt.exe
-
I'm sorry. I had meant a lot of pop ups on the spyware.
I have run OTMoveIt and copied and moved the files you asked me to. If I understand right, I should re-run ComboFix and HijackThis?
-
File/Folder C:\WINDOWS\system32\winpfz32.sys not found.
C:\WINDOWS\system32\nkdsregs.exe moved successfully.
C:\Program Files\svhost moved successfully.
C:\Program Files\poolsv moved successfully.
C:\WINDOWS\poolsv.exe moved successfully.
Created on 06-20-2007 21:45:45
-
First copy the contents of the Results window in OTMoveIt and paste them here, then re-run ComboFix and HijackThis (in that order).
BTW, one of the files I saw is a back door trojan that could be capable of stealing passwords, etc. If you do any on-line banking or other financial transactions on this computer you should contact your bank, change passwords, etc. But do this from a clean computer.
EDIT: Don't forget to upload this to Virus Total
C:\WINDOWS\system32\kwinlodt.exe
-
Logfile of HijackThis v1.99.1
Scan saved at 22:08, on 2007-06-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Airlink101\AWLC4030\WLService.exe
C:\Program Files\Airlink101\AWLC4030\WLanCfgAG.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Brenda Mayorga\Desktop\OTMoveIt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176249475250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176249440859
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Super G Wireless Cardbus Service - Unknown owner - C:\Program Files\Airlink101\AWLC4030\WLService.exe
-
I did the OTMoveIt followed by the Combofix and then the hijackthis, however I cannot find the log for the Combofix.
-
Did it overwrite your previous log?
-
I believe this is the correct combofix log
ComboFix 07-06-18.2
"Brenda Mayorga" - 2007-06-19 20:01:22 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\cayjqija.dll
C:\WINDOWS\system32\ewscknwt.dll
C:\WINDOWS\system32\gjidsoiv.dll
C:\WINDOWS\system32\kimmrbbf.dll
C:\WINDOWS\system32\ajiqjyac.ini
C:\WINDOWS\system32\twnkcswe.ini
C:\WINDOWS\system32\viosdijg.ini
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.ini2
C:\WINDOWS\system32\klnmp.tmp
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.ini2
C:\WINDOWS\system32\klnmp.tmp
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.ini2
C:\WINDOWS\system32\klnmp.tmp
C:\WINDOWS\system32\opnmmml.dll
C:\WINDOWS\system32\pmnlk.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\WINDOWS\svhost.exe
((((((((((((((((((((((((( Files Created from 2007-05-20 to 2007-06-20 )))))))))))))))))))))))))))))))
2007-06-19 19:58 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-19 04:05 192,602 --a------ C:\WINDOWS\system32\kwinlodt.exe
2007-06-18 13:35 932 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-06-18 13:31 191,006 --a------ C:\WINDOWS\system32\nkdsregs.exe
2007-06-17 00:21 <DIR> d-------- C:\Program Files\svhost
2007-06-17 00:20 <DIR> d-------- C:\Program Files\poolsv
2007-06-17 00:16 36,352 --a------ C:\WINDOWS\poolsv.exe
2007-06-17 00:14 0 -rahs---- C:\MSDOS.SYS
2007-06-17 00:14 0 -rahs---- C:\IO.SYS
2007-06-15 23:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-15 23:29 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-14 13:01 <DIR> d-------- C:\DOCUME~1\BRENDA~1\APPLIC~1\Snapfish
2007-06-13 16:24 <DIR> d-------- C:\DOCUME~1\BRENDA~1\APPLIC~1\IMVU
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-18 07:09:46 -------- d-----w C:\Program Files\Messenger
2007-06-09 05:52:17 -------- d-----w C:\DOCUME~1\BRENDA~1\APPLIC~1\AdobeUM
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-14 22:17:57 -------- d-----w C:\DOCUME~1\BRENDA~1\APPLIC~1\Viewpoint
2007-05-09 12:14:32 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 16:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:33]
{7FE07CC5-E966-49EB-9D62-EB3B69656283}=C:\Program Files\Messenger\meqot43855.dll [2007-06-14 06:54]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 12:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 05:36]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 17:11]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 07:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 07:11]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 18:04]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 15:24]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 16:01]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 15:54]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 11:28]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-29 08:02]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
Contents of the 'Scheduled Tasks' folder
2007-05-14 12:29:00 C:\WINDOWS\tasks\Easy Internet Sign-up.job
2007-06-20 01:22:41 C:\WINDOWS\tasks\MP Scheduled Scan.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 20:21:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe???????????????|?p???? ???B?????????????hLC? ??????
scanning hidden files ...
**************************************************************************
Completion time: 2007-06-19 20:26:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-19 20:25
--- E O F ---
-
I believe this is the correct combofix log
ComboFix 07-06-18.2
"Brenda Mayorga" - 2007-06-19 20:01:22 - Service Pack 2 NTFS
No, that one has yesterday's date ...
-
This is what I got when I tried to upload the file to virustotal
0 bytes size received / Se ha recibido un archivo vacio
-
That is the only log I see, except for one called ComboFix-quarantined files, but it has yesterday's date.
Should I rerun the ComboFix and HiJackThis again in that order?
-
This is what I got when I tried to upload the file to virustotal
0 bytes size received / Se ha recibido un archivo vacio
OK, we're going to get rid of that one too but give me a little time with the HJT log.
In the mean time see if you can find the most recent ComboFix log.
EDIT:
Should I rerun the ComboFix and HiJackThis again in that order?
Just ComboFix this time, but delete the old log first.
-
There was a program file created on 19 June related to a program called NirCmd. Here is a description
http://www.nirsoft.net/utils/nircmd.html
Are you aware of this program on your computer?
EDIT: Your HJT log looks good.
-
I've run ComboFix twice and cannot find the log. I did delete yesterday's.
I only find the combofix quarantined files.
2007-06-17 00:21 38400 --a------ C:\Qoobox\Quarantine\C\WINDOWS\svhost.exe.vir
2007-06-17 00:46 285273 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnlk.dll.vir
2007-06-17 00:49 1808184 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.bak1.vir
2007-06-17 00:49 62516 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kimmrbbf.dll.vir
2007-06-17 00:51 124436 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\gjidsoiv.dll.vir
2007-06-17 01:37 921779 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\viosdijg.ini.vir
2007-06-18 00:58 124436 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cayjqija.dll.vir
2007-06-18 00:59 345 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ajiqjyac.ini.vir
2007-06-18 13:53 1811116 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.tmp.vir
2007-06-19 00:54 1813276 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.bak2.vir
2007-06-19 02:30 124436 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ewscknwt.dll.vir
2007-06-19 19:59 901924 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\twnkcswe.ini.vir
2007-06-19 20:10 1812605 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.ini2.vir
2007-06-19 20:12 104 --a------ C:\Qoobox\Quarantine\catchme.log
Folder PATH listing
Volume serial number is 074F-92BD
C:\QOOBOX
\---Quarantine
| catchme.log
|
+---C
| +---Program Files
| | \---Common Files
| \---WINDOWS
| | svhost.exe.vir
| |
| \---system32
| ajiqjyac.ini.vir
| cayjqija.dll.vir
| ewscknwt.dll.vir
| gjidsoiv.dll.vir
| kimmrbbf.dll.vir
| klnmp.bak1.vir
| klnmp.bak2.vir
| klnmp.ini2.vir
| klnmp.tmp.vir
| pmnlk.dll.vir
| twnkcswe.ini.vir
| viosdijg.ini.vir
|
\---Registry_backups
-
I have found at least 3 combofix quarantined file logs, here's the second log.
2007-06-17 00:21 38400 --a------ C:\Qoobox\Quarantine\C\WINDOWS\svhost.exe.vir
2007-06-17 00:46 285273 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnlk.dll.vir
2007-06-17 00:49 1808184 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.bak1.vir
2007-06-17 00:49 62516 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kimmrbbf.dll.vir
2007-06-17 00:51 124436 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\gjidsoiv.dll.vir
2007-06-17 01:37 921779 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\viosdijg.ini.vir
2007-06-18 00:58 124436 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cayjqija.dll.vir
2007-06-18 00:59 345 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ajiqjyac.ini.vir
2007-06-18 13:53 1811116 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.tmp.vir
2007-06-19 00:54 1813276 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.bak2.vir
2007-06-19 02:30 124436 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ewscknwt.dll.vir
2007-06-19 19:59 901924 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\twnkcswe.ini.vir
2007-06-19 20:10 1812605 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.ini2.vir
2007-06-19 20:12 104 --a------ C:\Qoobox\Quarantine\catchme.log
Folder PATH listing
Volume serial number is 074F-92BD
C:\QOOBOX
\---Quarantine
| catchme.log
|
+---C
| +---Program Files
| | \---Common Files
| \---WINDOWS
| | svhost.exe.vir
| |
| \---system32
| ajiqjyac.ini.vir
| cayjqija.dll.vir
| ewscknwt.dll.vir
| gjidsoiv.dll.vir
| kimmrbbf.dll.vir
| klnmp.bak1.vir
| klnmp.bak2.vir
| klnmp.ini2.vir
| klnmp.tmp.vir
| pmnlk.dll.vir
| twnkcswe.ini.vir
| viosdijg.ini.vir
|
\---Registry_backups
-
Hmmm. Not sure what's causing that.
It doesn't look like anything else is going into quarantine so let's get rid of kwinlodt.exe
Open OTMoveIt again and paste this into the left pane
C:\WINDOWS\system32\kwinlodt.exe
Then click the move it button and post the results.
Any thoughts on NirCmd?
How is the computer running now? Are there any more trojan alerts or explorer redirects?
-
File/Folder C:\WINDOWS\system32\kwinlodt.exe not found.
Created on 06-20-2007 23:24:19
As for NirCmd, does that have anything to do with the button on my laptop that lets me mute the sound with one touch, or raise or lower the volume with the buttons at the top of the laptop?
-
I don't believe so, but let's leave it for now in a state where it can't run.
Navigate to the file and rename it from kwinlodt.exe to kwinlodt.old. You can work with the computer for a day or so and, if everything still functions as you expect, we will remove it at that point.
Other than this one questionable file I don't see anything else in the logs. Are the symptoms gone now?
-
The computer has run better; I have not been redirected to any other sites. This morning I did have one Trojan alert, although I cannot remember which one it was.
-
This morning I did have one Trojan alert, although I cannot remember which one it was.
Do you remember if that was before or after the SuperAntiSpyware scans?
-
I believe it was after and it was only one that popped up. Should I run the spyware again?
-
If you right click the avast a-icon, then click avast! log viewer, does the detection show up in the warnings section?
-
I have also run a file search for kwinlodt.exe so that I can rename it to kwinlodt.old; however, it did not turn up.
-
OK, that's fine.
Let's take a look from one more direction. Download and scan with the free version of AVG AntiSpyware (sassin44 mentioned this one early on and it's very good). Quarantine any detections and post the log. I will meet you back here tomorrow.
http://free.grisoft.com/doc/20/lng/us/tpl/v5
-
I have opened up the log viewer and it shows
6/20/2007 01:01 System 2032 Sign of WIN32:Agent HZS[Trj] has been found in "C:\SYSTEMVOLUMEINFORMATION\_RESTORE{D5341F9C-33FZ-43CF-8BD2-1AE937C9BA1B}\RP208\A0041500.EXE"file.
There are also some listed viruses for 6/19/2007. Should I list those?
-
Yes, please list them.
-
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 01:43 2007-06-21
+ Scan result:
C:\_OTMoveIt\MovedFiles\WINDOWS\poolsv.exe -> Downloader.VB.aya : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@112.2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ads.addynamix[1].txt -> TrackingCookie.Addynamix : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@advertising[1].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@bluestreak[1].txt -> TrackingCookie.Bluestreak : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@connextra[2].txt -> TrackingCookie.Connextra : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ehg-myspaceinc.hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@searchportal.information[1].txt -> TrackingCookie.Information : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@mediaplex[2].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ads.pointroll[1].txt -> TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@realmedia[1].txt -> TrackingCookie.Realmedia : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@toplist[1].txt -> TrackingCookie.Toplist : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@trafficmp[1].txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@zedo[1].txt -> TrackingCookie.Zedo : No action taken.
::Report end
-
There's nothing to worry about in the AVG log.
Let's take a quick look at the avast! log from 6/19/07, then we'll finish things up.
EDIT: Please look once more for C:\WINDOWS\system32\kwinlodt.exe. I'm guessing it was removed in one of the later ComboFix runs but without the full log I don't know for sure. I want it to be gone.
This time, when you open the explorer window (not internet explorer), at the top of the window click Tools>Folder Options>View. Make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files is not checked. Then look for the file.
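The check above (show hidden and protected operating-system files, then look for the file) can also be done from a PowerShell prompt, which is useful when a plain Explorer search keeps coming back empty. The script below is an added example, not something posted by Mauserme or anyone else in this thread: it looks for the file with the hidden/system attributes included, reports its size and attributes, hashes it for a VirusTotal lookup only when it is not empty (VirusTotal rejected the earlier upload as "0 bytes size received"), and also checks whether ComboFix already moved it into its quarantine, using the `C:\Qoobox\Quarantine\C\...\<name>.vir` layout visible in the listings above. Only `C:\WINDOWS\system32\kwinlodt.exe` is taken from the thread; the function and variable names are the example's own.

```powershell
# Added example (not from this thread): locate a suspect file even when it is
# hidden or marked as a protected system file, and hash it for VirusTotal.
function Test-SuspectFile {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # -Force returns hidden and system files that the default Explorer view
    # (and a plain file search) would skip.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue

    # ComboFix renames quarantined files with a .vir suffix under
    # C:\Qoobox\Quarantine\C\, mirroring the original path on C:.
    $quarantinePath = Join-Path 'C:\Qoobox\Quarantine\C' (($Path -replace '^[A-Za-z]:\\', '') + '.vir')
    $inQuarantine   = Test-Path -LiteralPath $quarantinePath

    if (-not $item) {
        return [pscustomobject]@{
            Path         = $Path
            Exists       = $false
            Length       = $null
            Attributes   = $null
            SHA256       = $null
            InQuarantine = $inQuarantine
        }
    }

    # An empty file has nothing to hash and VirusTotal will reject it anyway,
    # so report the size instead of attempting an upload.
    $hash = $null
    if ($item.Length -gt 0) {
        # Get-FileHash exists in Windows PowerShell 4.0 and later.
        $hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        Path         = $item.FullName
        Exists       = $true
        Length       = $item.Length
        Attributes   = $item.Attributes.ToString()
        SHA256       = $hash
        InQuarantine = $inQuarantine
    }
}

# The one path the thread is still trying to account for.
Test-SuspectFile -Path 'C:\WINDOWS\system32\kwinlodt.exe' | Format-List
```

If `Exists` is false and `InQuarantine` is also false, the file is genuinely gone from both locations (which is the outcome the helper wants to confirm here); if `Exists` is true, the `SHA256` value can be pasted into VirusTotal's hash search instead of re-uploading the file. Note that `Get-FileHash` is not available on the Windows XP machine in this thread; on a modern system the script runs as written, and on older PowerShell versions `certutil -hashfile <path> SHA256` gives the same digest.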
-
I have looked again for C:\WINDOWS\system32\kwinlodt.exe and have not been able to find it.
Here is what avast shows
2007-04-12 13:09 SYSTEM 2012 Sign of "Win32:Adware-gen. [Adw]" has been found in "http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab\UDC6_0001_D19M1908NetInstaller.exe" file.
2007-04-17 15:56 È‘|x…Øá‹ 2020 Function setifaceUpdateFiles() has failed. Return code is 0x0000A410, dwRes is 20000000.
2007-04-17 15:56 È‘|x…Øá‹ 2020 An error has occured while attempting to update. Please check the logs.
2007-04-27 12:41 SYSTEM 2020 Sign of "JS:Feebs family" has been found in "http://www.donwloadxclips.com/viewasia.php" file.
2007-04-30 13:51 SYSTEM 2008 Sign of "Win32:Spyware-gen. [Trj]" has been found in "http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab\USDR6_0001_D19M2108NetInstaller.exe" file.
2007-05-18 14:35 SYSTEM 2024 Sign of "JS:Feebs family" has been found in "http://greatexplorer.net/js/js.js" file.
2007-05-29 13:02 SYSTEM 1828 Sign of "JS:Feebs family" has been found in "http://www.pornmoviesindex.com/index.php?id=4013&style=bordo&out=1" file.
2007-05-30 14:33 SYSTEM 1828 Sign of "JS:Feebs family" has been found in "http://superfastsservers.com/shc2/bg.jpg" file.
2007-05-30 14:33 SYSTEM 1828 Sign of "JS:Feebs family" has been found in "http://superfastsservers.com/shc2/" file.
2007-05-30 14:34 SYSTEM 1828 Sign of "JS:Feebs family" has been found in "C:\Documents and Settings\Antonio Escalante Jr\Local Settings\Temporary Internet Files\Content.IE5\UPAJ4TEV\shc2[1].htm" file.
2007-05-30 14:34 SYSTEM 1828 Sign of "JS:Feebs family" has been found in "C:\Documents and Settings\Antonio Escalante Jr\Local Settings\Temporary Internet Files\Content.IE5\UPAJ4TEV\shc2[1].htm" file.
2007-05-30 14:34 SYSTEM 1828 Sign of "JS:Feebs family" has been found in "http://superfastsservers.com/shc2/bg.jpg" file.
2007-05-30 14:34 SYSTEM 1828 Sign of "JS:Feebs family" has been found in "http://superfastsservers.com/shc2/bt.jpg" file.
2007-06-01 09:32 SYSTEM 1828 Sign of "Win32:Adware-gen. [Adw]" has been found in "http://drivecleaner.com/.freeware/installdrivecleanerstart.cab\UDC6_0001_D19M1908NetInstaller.exe" file.
2007-06-04 13:53 SYSTEM 1996 Sign of "JS:Feebs family" has been found in "http://fast-info.org/?qq=Bang+bros.com" file.
2007-06-04 13:54 SYSTEM 1996 Sign of "JS:Feebs family" has been found in "C:\Documents and Settings\Antonio Escalante Jr\Local Settings\Temporary Internet Files\Content.IE5\K3PZIMZT\fast-info[1].htm" file.
2007-06-04 13:54 SYSTEM 1996 Sign of "JS:Feebs family" has been found in "http://slil1.info/1.html" file.
2007-06-17 00:21 SYSTEM 2024 Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\C3VJUOTD\wr-1-0000077[1].exe\[UPX]" file.
2007-06-17 00:27 SYSTEM 2024 Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\LBCRWB6D\wr-1-0000077[1].exe\[UPX]" file.
2007-06-17 00:38 SYSTEM 2024 Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Program Files\poolsv\wr-1-0000077.exe\[UPX]" file.
2007-06-17 00:39 SYSTEM 2024 Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Program Files\svhost\wr-1-0000077.exe\[UPX]" file.
2007-06-17 00:45 SYSTEM 2024 Sign of "Win32:PurityScan-AF [Trj]" has been found in "C:\Program Files\Common Files\Yazzle1549OinAdmin.exe\[PECompact]" file.
2007-06-17 00:45 SYSTEM 2024 Sign of "Win32:VB-TGS [Trj]" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\PKO7T5KT\k11u72[1].exe" file.
2007-06-17 00:46 SYSTEM 2024 Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Program Files\svhost\wr-1-0000077.exe\[UPX]" file.
2007-06-17 00:46 SYSTEM 2024 Sign of "Win32:PurityScan-AF [Trj]" has been found in "C:\Program Files\Common Files\Yazzle1549OinAdmin.exe\[PECompact]" file.
2007-06-17 00:46 SYSTEM 2024 Sign of "Win32:VB-TGS [Trj]" has been found in "C:\Program Files\poolsv\k11u72.exe" file.
2007-06-17 00:46 SYSTEM 2024 Sign of "Win32:VB-TGS [Trj]" has been found in "C:\Program Files\poolsv\k11u72.exe" file.
2007-06-17 00:53 SYSTEM 2024 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\udchqggj.dll" file.
2007-06-17 00:53 SYSTEM 2024 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\udchqggj.dll" file.
2007-06-17 00:53 SYSTEM 2024 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\WINDOWS\system32\udchqggj.dll" file.
2007-06-17 00:53 SYSTEM 2024 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\WINDOWS\system32\udchqggj.dll" file.
2007-06-17 00:58 SYSTEM 2024 Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\qlqucbnt.exe" file.
2007-06-17 00:58 SYSTEM 2024 Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\qlqucbnt.exe" file.
2007-06-17 00:58 SYSTEM 2024 Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\WINDOWS\system32\qlqucbnt.exe" file.
2007-06-17 01:00 SYSTEM 2024 Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\WINDOWS\system32\qlqucbnt.exe" file.
2007-06-17 02:08 Brenda Mayorga 2532 Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\LBCRWB6D\wr-1-0000077[1].exe\[UPX]" file.
2007-06-17 02:14 Brenda Mayorga 2532 Sign of "Win32:VB-TGS [Trj]" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\PKO7T5KT\k11u72[1].exe" file.
2007-06-17 02:35 Brenda Mayorga 2532 Sign of "Win32:PurityScan-AF [Trj]" has been found in "C:\Program Files\Common Files\Yazzle1549OinAdmin.exe\[PECompact]" file.
2007-06-17 03:08 Brenda Mayorga 2532 Sign of "Win32:VB-TGS [Trj]" has been found in "C:\Program Files\poolsv\k11u72.exe" file.
2007-06-17 03:12 Brenda Mayorga 2532 Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Program Files\svhost\wr-1-0000077.exe\[UPX]" file.
2007-06-17 05:14 Brenda Mayorga 2532 Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\WINDOWS\system32\qlqucbnt.exe" file.
2007-06-17 11:17 Brenda Mayorga 2532 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\WINDOWS\system32\udchqggj.dll" file.
2007-06-18 00:18 Brenda Mayorga 2532 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\AXMHGBKX\YazzleBundle-1549[1].exe" file.
2007-06-18 00:55 SYSTEM 2024 Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\fojtipub.exe" file.
2007-06-18 00:55 SYSTEM 2024 Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\fojtipub.exe" file.
2007-06-18 00:55 SYSTEM 2024 Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\WINDOWS\system32\fojtipub.exe" file.
2007-06-18 00:56 SYSTEM 2024 Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\WINDOWS\system32\fojtipub.exe" file.
2007-06-18 00:58 SYSTEM 2024 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\dshlbhhh.dll" file.
2007-06-18 00:58 SYSTEM 2024 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\dshlbhhh.dll" file.
-
Any thoughts on NirCmd?
Hi Mauserme it is part of combofix
-
This is the second part of the avast log that I'm having trouble posting as a reply.
2007-06-18 00:58 SYSTEM 2024 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\WINDOWS\system32\dshlbhhh.dll" file.
2007-06-18 00:58 SYSTEM 2024 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\WINDOWS\system32\dshlbhhh.dll" file.
2007-06-18 02:01 SYSTEM 2024 Sign of "Win32:VB-TGS [Trj]" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\Y94PKDQ7\snapsnet[1].exe" file.
2007-06-18 02:03 SYSTEM 2024 Sign of "Win32:VB-TGS [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\snapsnet.exe" file.
2007-06-18 02:04 SYSTEM 2024 Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\V7QX137P\wr-1-2000219[1].exe\[PECompact]" file.
2007-06-18 02:04 SYSTEM 2024 Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\wr-1-2000219.exe\[PECompact]" file.
2007-06-18 02:05 SYSTEM 2024 Sign of "Win32:VB-TGS [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\snapsnet.exe" file.
2007-06-18 02:05 SYSTEM 2024 Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\wr-1-2000219.exe\[PECompact]" file.
2007-06-18 02:06 SYSTEM 2024 Sign of "Win32:Agent-GJD [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\tni32.tmp" file.
2007-06-18 06:33 Brenda Mayorga 2532 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Program Files\poolsv\YazzleBundle-1549.exe" file.
2007-06-18 12:21 SYSTEM 2024 Function setifaceUpdatePackages() has failed. Return code is 0x00000003, dwRes is 00000003.
2007-06-18 12:29 SYSTEM 2024 An error has occured while attempting to update. Please check the logs.
2007-06-18 13:33 SYSTEM 2020 Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\LBCRWB6D\wr-1-0000077[1].exe\[UPX]" file.
2007-06-18 13:36 SYSTEM 2020 Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Program Files\svhost\wr-1-0000077.exe\[UPX]" file.
2007-06-18 14:00 SYSTEM 2020 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\WINDOWS\system32\dshlbhhh.dll" file.
2007-06-19 00:55 SYSTEM 2020 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\sqxixlhn.dll" file.
2007-06-19 00:56 SYSTEM 2020 Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\dqgubvpq.exe" file.
2007-06-19 01:08 Brenda Mayorga 3604 Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temp\dqgubvpq.exe" file.
2007-06-19 02:23 Brenda Mayorga 3604 Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temp\wr-1-2000219.exe\[PECompact]" file.
2007-06-19 03:43 Brenda Mayorga 3604 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP207\A0040516.exe" file.
2007-06-19 10:48 Brenda Mayorga 3604 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP208\A0041388.dll" file.
2007-06-19 11:02 Brenda Mayorga 3604 Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\WINDOWS\system32\fojtipub.exe" file.
2007-06-20 01:01 SYSTEM 2032 Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP208\A0041500.EXE" file.
What do you think we should do next? Thanks again for all the help!
-
Any thoughts on NirCmd?
Hi Mauserme it is part of combofix
Duh!
(and thank you)
-
As far as I can tell, your computer is clean at this point. I wanted to see the avast! log to make sure nothing was occurring significantly later than the first ComboFix run, since that cleaned most of the problem files. Even though there is one file slightly after that, I do not see any indication that a downloader is still at work.
Open OTMoveIt again and click the Clean Up button. This will remove the tools we downloaded and the malware backups.
Next, we will get rid of any remaining, possibly infected restore points and create a clean restore point:
Click Start > All Programs > Accessories > System Tools > System Restore. Fill the radio button to Create a Restore Point and click Next. Give the new restore point a name you will recognize if you need to find it (like Clean Point) and click Create.
Now click Start > All Programs > Accessories > System Tools > Disk Cleanup. Click the More Options tab, then click Clean Up in the System Restore section and OK.
After that finishes open Internet Explorer and click Tools>Internet Options>Privacy>Advanced. Make sure the option to reject third party cookies is checked (you may need to check Override Automatic Cookie Handling first). Then click OK>OK. This may help with some of the cookies you've been getting.
Finally, you should consider installing a third party firewall. Comodo is my favorite, but Zone Alarm and PC Tools Firewall are also good (all 3 are free).
http://filehippo.com/download_comodo/
Keep SuperAntiSpyware and AVG Antispyware on your computer and scan with them from time to time. This will help keep you clean. Spyware Blaster is also a good, passive defense against malware.
http://www.javacoolsoftware.com/spywareblaster.html
This is a good time to install it while the computer is clean.
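The check described in the reply above (nothing detected significantly after the first ComboFix run, no sign of a downloader still at work, and leftover copies sitting in System Restore snapshots) can be done mechanically over the avast! log rather than by eye. The following Python is an added example and is not part of the original post, of avast! or of ComboFix: it parses lines in the avast! 4.7 format posted in this thread, flags detections later than a cutoff, pairs Temp-folder and system32 detections of the same file name (the dropper pattern visible in the posted log, e.g. udchqggj.dll and fojtipub.exe), and lists hits inside restore points, which is the reason the reply has the restore points purged. The sample lines are a constructed subset copied from the posted log, and the cutoff time is a hypothetical value standing in for the ComboFix run.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of lines in the avast! 4.7 log format shown in the
# thread (not the full log). One non-detection line is included on purpose.
SAMPLE_LOG = r"""
2007-06-17 00:53 SYSTEM 2024 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\udchqggj.dll" file.
2007-06-17 00:53 SYSTEM 2024 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\WINDOWS\system32\udchqggj.dll" file.
2007-06-17 03:12 Brenda Mayorga 2532 Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Program Files\svhost\wr-1-0000077.exe\[UPX]" file.
2007-06-18 12:29 SYSTEM 2024 An error has occured while attempting to update. Please check the logs.
2007-06-19 00:55 SYSTEM 2020 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\sqxixlhn.dll" file.
2007-06-19 11:02 Brenda Mayorga 3604 Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\WINDOWS\system32\fojtipub.exe" file.
2007-06-20 01:01 SYSTEM 2032 Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP208\A0041500.EXE" file.
"""

# "<date> <time> <user> <pid> Sign of "<sig>" has been found in "<path>" file."
# The user name may contain spaces, so it is matched lazily up to the numeric pid.
DETECTION_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<user>.+?) (?P<pid>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)
# avast! appends the unpacker it used as a pseudo path component, e.g. "...\x.exe\[UPX]".
PACKER_RE = re.compile(r'^(?P<path>.*)\\\[(?P<packer>\w+)\]$')


def parse_detections(log_text):
    """One dict per detection line; other lines (update errors etc.) are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        path, packer = m.group("path"), None
        pm = PACKER_RE.match(path)
        if pm:
            path, packer = pm.group("path"), pm.group("packer")
        hits.append({
            "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M"),
            "user": m.group("user"),
            "pid": int(m.group("pid")),
            "signature": m.group("sig"),
            "path": path,
            "packer": packer,
        })
    return hits


def detections_after(hits, cutoff):
    """Detections strictly later than cutoff (datetime or 'YYYY-MM-DD HH:MM' string)."""
    if isinstance(cutoff, str):
        cutoff = datetime.strptime(cutoff, "%Y-%m-%d %H:%M")
    return [h for h in hits if h["time"] > cutoff]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def temp_to_system32_pairs(hits):
    """File names detected both in a Temp folder and in system32: a dropper copying itself into place."""
    seen = defaultdict(set)
    for h in hits:
        p = h["path"].lower()
        if "\\temp\\" in p or "\\temporary internet files\\" in p:
            seen[_basename(h["path"])].add("temp")
        elif "\\windows\\system32\\" in p:
            seen[_basename(h["path"])].add("system32")
    return sorted(name for name, where in seen.items() if where == {"temp", "system32"})


def restore_point_hits(hits):
    """Detections inside System Restore snapshots; these persist until the restore points are purged."""
    return [h for h in hits if "\\_restore{" in h["path"].lower()]


if __name__ == "__main__":
    hits = parse_detections(SAMPLE_LOG)
    cutoff = "2007-06-19 00:00"  # hypothetical time of the first ComboFix run
    print(f"{len(hits)} detections parsed")
    for h in detections_after(hits, cutoff):
        print("after cutoff:", h["time"], h["signature"], h["path"])
    print("temp -> system32 pairs:", temp_to_system32_pairs(hits))
    print("in restore points:", [h["path"] for h in restore_point_hits(hits)])
```

Run it against the full log by reading the file into `parse_detections` instead of `SAMPLE_LOG`, and set the cutoff to the actual time of the cleanup run; anything listed after it that is not inside a restore point deserves a second look before declaring the machine clean.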
-
Should I reboot the system before we get rid of any remaining, possibly infected restore points and create a clean restore point? After I clicked Clean Up it is asking me to reboot the system to finish.
-
Yes, if it's asking for a reboot then do that next.
-
Thank you very very much!! You've been of great help!! :D :D :D
-
You're welcome.
Let me know if there are any more problems. :)