Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

TrafficSector malware/virus/ removal 1

Status
Not open for further replies.
DoctorEd

DoctorEd

IS-IT--Management
May 22, 2002
23
0
0
US
I have a computer with the "trafficsector" browser helper infection...I need to remove it but adaware and SPYBOT don't help. Any ideas? Here is my HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 4:33:23 PM, on 3/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1109869203\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Common Files\AOL\1109869203\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Common Files\AOL\1109869203\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Common Files\AOL\1109869203\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
c:\program files\common files\aol\1109869203\ee\aolssc.exe
C:\DOCUME~1\Ed\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsi8C.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109869203\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1109869203\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1109869203\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1109869203\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
 
Sort by date Sort by votes
Download the pocket killbox





have hijack this fix these entries. close all browsers and programmes before
clicking FIX.



O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsi8C.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - (no file)



Double-click on Killbox.exe to run it. Now put a tick by Delete on
Reboot. In the "Full Path of File to Delete" box, copy and paste each
of the following lines one at a time then click on the button that has
the red circle with the X in the middle after you enter each file.
It will ask for confimation to delete the file on next reboot. Click
Yes. It will then ask if you want to reboot now. Click No. Continue
with that same procedure until you have copied and pasted all of
these in the "Paste Full Path of File to Delete" box.Then click yes
to reboot after you entered the last one.


Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.



C:\WINDOWS\system32\nsi8C.dll




Please download WebRoot SpySweeper from HERE (It's a 2 week trial):



* Click the Free Trial link under "Downloads/SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits
o Please UNCHECK Do not Sweep System Restore Folder.
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.



Run an online antivirus check from


choose extended database for the scan!




Run ActiveScan online virus scan here


When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



post another hijack this log, the spysweeper and active scan logs



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
Thanks for the quick reply...am running process now and will post results when finished.

Thanks,

Doc
 
Upvote 0 Downvote
I'm having a similar problem. Random words on websites are green links, pointing to
I have run Adaware and Ewido, as well as manually removed a file (lnkstub.exe) as recommended by whirlywiryweb.

Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 4:46:19 AM, on 3/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Anti-spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = F2 - REG:system.ini: Shell=Explorer.exe,javameng.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\javameng.exe,C:\Documents and Settings\Owner\Application Data\Explorer\javameng.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsf3B.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmkpbb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\twintrag.exe FI002
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twintrag.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - O17 - HKLM\System\CCS\Services\Tcpip\..\{40A053D3-8E21-4978-B61B-E8A0D03F84C6}: NameServer = 68.87.64.196,68.87.66.196
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {828DEFB6-7F3F-49B1-A024-2B849D619E24} - C:\WINDOWS\system32\y7xnyala7.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\rpftwwvj.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: Internet Player - {8E840C7A-A885-4C2B-ACCB-F6CC2ACCC155} - C:\WINDOWS\system32\smssstor.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Any help would be appreciated.
 
Upvote 0 Downvote
The G bud,


You don't appear to have either a firewal or a anti virus, downlaod and install these from the links below!


Anti-vir





Filseclab Personal Firewall Professional Edition




use this site to confgure filseclab , see page 7 and post 165 of that thread!



Use this site's shields up to test filseclab and see if it is stealthing, some rules may have to be changed to " out " to pass the tests!






Download the pocket killbox




Please download WebRoot SpySweeper from HERE (It's a 2 week trial):



* Click the Free Trial link under "Downloads/SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits
o Please UNCHECK Do not Sweep System Restore Folder.
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.


After running spysweeper run these scans!




* Download the trial version of Ewido Security Suite here



* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.





* Click here to download ATF Cleaner by Atribune and save it to your desktop.




* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.


* Click here for info on how to boot to safe mode if you don't already know
how.




* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:



have hijack this fix these entries. close all browsers and programmes before
clicking FIX.




F2 - REG:system.ini: Shell=Explorer.exe,javameng.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\javameng.exe,C:\Documents and Settings\Owner\Application Data\Explorer\javameng.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsf3B.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmkpbb.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\twintrag.exe FI002
O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twintrag.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Filter: text/html - {828DEFB6-7F3F-49B1-A024-2B849D619E24} - C:\WINDOWS\system32\y7xnyala7.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\rpftwwvj.dll
O21 - SSODL: Internet Player - {8E840C7A-A885-4C2B-ACCB-F6CC2ACCC155} - C:\WINDOWS\system32\smssstor.dll (file missing)


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.



C:\WINDOWS\system32\javameng.exe
C:\Documents and Settings\Owner\Application Data\Explorer\javameng.exe
C:\Program C:\WINDOWS\system32\nsf3B.dll
C:\WINDOWS\system32\irsmkpbb.dll
C:\WINDOWS\system32\ShowWnd.exe
C:\WINDOWS\ShowWnd.exe
C:\WINDOWS\system32\twintrag.exe
C:\WINDOWS\system32\srshost.exe
C:\WINDOWS\system32\y7xnyala7.dll
C:\WINDOWS\system32\rpftwwvj.dll



* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop




reboot to normal mode and run a few online scans!



Run ActiveScan online virus scan here


When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



post another hijack this log, the ewido, spysweeper and active scan logs




Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
Logfile of HijackThis v1.99.1
Scan saved at 4:06:12 PM, on 3/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Common Files\Filseclab\FilMsg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Filseclab\xfilter\xfilter.exe
C:\Anti-spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = F2 - REG:system.ini: Shell=Explorer.exe,javameng.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\javameng.exe,C:\Documents and Settings\Owner\Application Data\Explorer\javameng.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Global Startup: Filseclab Messenger.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - O17 - HKLM\System\CCS\Services\Tcpip\..\{40A053D3-8E21-4978-B61B-E8A0D03F84C6}: NameServer = 68.87.64.196,68.87.66.196
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:02:48 PM, 3/16/2006
+ Report-Checksum: 8C71E863

+ Scan result:

No infected objects found.


::Report End

********
3:12 PM: | Start of Session, Thursday, March 16, 2006 |
3:12 PM: Spy Sweeper started
3:12 PM: Sweep initiated using definitions version 635
3:12 PM: Starting Memory Sweep
3:15 PM: Memory Sweep Complete, Elapsed Time: 00:02:31
3:15 PM: Starting Registry Sweep
3:15 PM: Found Adware: mirar webband
3:15 PM: HKCR\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}\ (2 subtraces) (ID = 135065)
3:15 PM: HKCR\interface\{6e4c7afc-9915-4036-b7f9-8b3f1710788f}\ (8 subtraces) (ID = 135069)
3:15 PM: HKCR\interface\{54b287f9-fd90-4457-b65e-cb91560c021d}\ (8 subtraces) (ID = 135070)
3:15 PM: HKCR\interface\{1037b06c-84b7-4240-8d80-485810a0497d}\ (8 subtraces) (ID = 135071)
3:15 PM: HKCR\interface\{224302b0-94e9-45c2-9e5b-ba989ee556e1}\ (8 subtraces) (ID = 135072)
3:15 PM: HKCR\nn_bar_dummy.nn_bardummy.1\ (3 subtraces) (ID = 135075)
3:15 PM: HKCR\nn_bar_dummy.nn_bardummy\ (5 subtraces) (ID = 135076)
3:15 PM: HKLM\software\classes\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}\ (2 subtraces) (ID = 135078)
3:15 PM: HKLM\software\classes\interface\{6e4c7afc-9915-4036-b7f9-8b3f1710788f}\ (8 subtraces) (ID = 135082)
3:15 PM: HKLM\software\classes\interface\{54b287f9-fd90-4457-b65e-cb91560c021d}\ (8 subtraces) (ID = 135083)
3:15 PM: HKLM\software\classes\interface\{1037b06c-84b7-4240-8d80-485810a0497d}\ (8 subtraces) (ID = 135084)
3:15 PM: HKLM\software\classes\interface\{224302b0-94e9-45c2-9e5b-ba989ee556e1}\ (8 subtraces) (ID = 135085)
3:15 PM: HKLM\software\classes\nn_bar_dummy.nn_bardummy.1\ (3 subtraces) (ID = 135088)
3:15 PM: HKLM\software\classes\nn_bar_dummy.nn_bardummy\ (5 subtraces) (ID = 135089)
3:15 PM: HKLM\software\classes\nn_bar_dummy.nn_bardummy\clsid\ (1 subtraces) (ID = 135090)
3:15 PM: HKLM\software\classes\nn_bar_dummy.nn_bardummy\curver\ (1 subtraces) (ID = 135091)
3:15 PM: HKLM\software\classes\typelib\{566dede9-9ed8-45da-9be6-9b2eeab17f49}\ (9 subtraces) (ID = 135092)
3:15 PM: HKLM\software\classes\typelib\{f8310e7d-4c4d-46a4-a068-b5bb99411cc7}\ (9 subtraces) (ID = 135093)
3:15 PM: HKCR\typelib\{566dede9-9ed8-45da-9be6-9b2eeab17f49}\ (9 subtraces) (ID = 135121)
3:15 PM: HKCR\typelib\{f8310e7d-4c4d-46a4-a068-b5bb99411cc7}\ (9 subtraces) (ID = 135122)
3:15 PM: Found Adware: clkoptimizer
3:15 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
3:15 PM: HKLM\software\qstat\ || brr (ID = 877670)
3:15 PM: Found Adware: elitemediagroup-pop64
3:15 PM: HKCR\interface\{b216c7fc-397c-45f0-adfc-907df3c87339}\ (8 subtraces) (ID = 967532)
3:15 PM: HKCR\interface\{efdfe6ee-8888-422e-ab3c-b48589338ae3}\ (8 subtraces) (ID = 967541)
3:15 PM: HKCR\typelib\{5bec549d-581b-4636-ae75-28645e8cddc1}\ (9 subtraces) (ID = 967550)
3:15 PM: HKLM\software\classes\interface\{b216c7fc-397c-45f0-adfc-907df3c87339}\ (8 subtraces) (ID = 967592)
3:15 PM: HKLM\software\classes\interface\{efdfe6ee-8888-422e-ab3c-b48589338ae3}\ (8 subtraces) (ID = 967601)
3:15 PM: HKLM\software\classes\typelib\{5bec549d-581b-4636-ae75-28645e8cddc1}\ (9 subtraces) (ID = 967610)
3:15 PM: HKCR\mirar_dummy_ats.mirar_dummy_ats1\ (5 subtraces) (ID = 1055242)
3:15 PM: HKCR\mirar_dummy_ats.mirar_dummy_ats1.1\ (3 subtraces) (ID = 1055248)
3:15 PM: HKCR\mirar_dummy_ats.mirar_dummy_ats1.1\clsid\ (1 subtraces) (ID = 1055250)
3:15 PM: HKCR\typelib\{34568171-e2ca-4fcd-a99f-43771f766b8a}\ (9 subtraces) (ID = 1055268)
3:15 PM: HKLM\software\classes\mirar_dummy_ats.mirar_dummy_ats1\ (5 subtraces) (ID = 1055285)
3:15 PM: HKLM\software\classes\mirar_dummy_ats.mirar_dummy_ats1.1\ (3 subtraces) (ID = 1055291)
3:15 PM: HKLM\software\classes\mirar_dummy_ats.mirar_dummy_ats1.1\clsid\ (1 subtraces) (ID = 1055293)
3:15 PM: HKLM\software\classes\typelib\{34568171-e2ca-4fcd-a99f-43771f766b8a}\ (9 subtraces) (ID = 1055323)
3:15 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\winats.dll (ID = 1055333)
3:15 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/winats.dll\ (2 subtraces) (ID = 1066860)
3:15 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/elite.ocx\ (2 subtraces) (ID = 1137453)
3:15 PM: Found Adware: safesearch
3:15 PM: HKCR\typelib\{72ec96e8-30eb-4da8-9446-b4366bf00249}\ (9 subtraces) (ID = 1160022)
3:15 PM: HKCR\iman.riemon\ (5 subtraces) (ID = 1160080)
3:15 PM: HKCR\iman.riemon.1\ (3 subtraces) (ID = 1160086)
3:15 PM: HKLM\software\microsoft\windows\currentversion\app paths\irism\ (2 subtraces) (ID = 1160093)
3:15 PM: HKLM\software\microsoft\windows\currentversion\app paths\irssyncd\ (2 subtraces) (ID = 1160096)
3:15 PM: HKLM\software\irismon\ (12 subtraces) (ID = 1165615)
3:15 PM: HKLM\software\classes\iman.riemon\ (5 subtraces) (ID = 1165636)
3:15 PM: HKLM\software\classes\iman.riemon.1\ (3 subtraces) (ID = 1165642)
3:15 PM: HKLM\software\classes\typelib\{72ec96e8-30eb-4da8-9446-b4366bf00249}\ (9 subtraces) (ID = 1165660)
3:15 PM: Found Adware: quicklink search toolbar
3:15 PM: HKCR\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180460)
3:15 PM: HKCR\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180464)
3:15 PM: HKCR\fseytdc.yvakt\ (3 subtraces) (ID = 1180468)
3:15 PM: HKCR\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180472)
3:15 PM: HKLM\software\classes\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180510)
3:15 PM: HKLM\software\classes\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180514)
3:15 PM: HKLM\software\classes\fseytdc.yvakt\ (3 subtraces) (ID = 1180518)
3:15 PM: HKLM\software\classes\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180522)
3:15 PM: Registry Sweep Complete, Elapsed Time:00:00:18
3:15 PM: Starting Cookie Sweep
3:15 PM: Found Spy Cookie: 2o7.net cookie
3:15 PM: owner@2o7[2].txt (ID = 1957)
3:15 PM: Found Spy Cookie: websponsors cookie
3:15 PM: owner@a.websponsors[1].txt (ID = 3665)
3:15 PM: Found Spy Cookie: yieldmanager cookie
3:15 PM: owner@ad.yieldmanager[1].txt (ID = 3751)
3:15 PM: Found Spy Cookie: adecn cookie
3:15 PM: owner@adecn[1].txt (ID = 2063)
3:15 PM: Found Spy Cookie: adknowledge cookie
3:15 PM: owner@adknowledge[1].txt (ID = 2072)
3:15 PM: Found Spy Cookie: hbmediapro cookie
3:15 PM: owner@adopt.hbmediapro[2].txt (ID = 2768)
3:15 PM: Found Spy Cookie: hotbar cookie
3:15 PM: owner@adopt.hotbar[2].txt (ID = 4207)
3:15 PM: Found Spy Cookie: adprofile cookie
3:15 PM: owner@adprofile[1].txt (ID = 2084)
3:15 PM: Found Spy Cookie: adrevolver cookie
3:15 PM: owner@adrevolver[2].txt (ID = 2088)
3:15 PM: owner@adrevolver[3].txt (ID = 2088)
3:15 PM: Found Spy Cookie: adreactor cookie
3:15 PM: owner@adserver.adreactor[1].txt (ID = 2087)
3:15 PM: Found Spy Cookie: advertising cookie
3:15 PM: owner@advertising[1].txt (ID = 2175)
3:15 PM: Found Spy Cookie: apmebf cookie
3:15 PM: owner@apmebf[2].txt (ID = 2229)
3:15 PM: Found Spy Cookie: ask cookie
3:15 PM: owner@ask[1].txt (ID = 2245)
3:15 PM: Found Spy Cookie: atlas dmt cookie
3:15 PM: owner@atdmt[2].txt (ID = 2253)
3:15 PM: Found Spy Cookie: belnk cookie
3:15 PM: owner@ath.belnk[1].txt (ID = 2293)
3:15 PM: Found Spy Cookie: atwola cookie
3:15 PM: owner@atwola[1].txt (ID = 2255)
3:15 PM: owner@belnk[1].txt (ID = 2292)
3:15 PM: Found Spy Cookie: bluestreak cookie
3:15 PM: owner@bluestreak[1].txt (ID = 2314)
3:15 PM: Found Spy Cookie: burstnet cookie
3:15 PM: owner@burstnet[2].txt (ID = 2336)
3:15 PM: Found Spy Cookie: enhance cookie
3:15 PM: owner@c.enhance[1].txt (ID = 2614)
3:15 PM: Found Spy Cookie: goclick cookie
3:15 PM: owner@c.goclick[2].txt (ID = 2733)
3:15 PM: Found Spy Cookie: casalemedia cookie
3:15 PM: owner@casalemedia[1].txt (ID = 2354)
3:15 PM: owner@dist.belnk[2].txt (ID = 2293)
3:15 PM: Found Spy Cookie: ru4 cookie
3:15 PM: owner@edge.ru4[1].txt (ID = 3269)
3:15 PM: Found Spy Cookie: fastclick cookie
3:15 PM: owner@fastclick[2].txt (ID = 2651)
3:15 PM: Found Spy Cookie: fortunecity cookie
3:15 PM: owner@fortunecity[2].txt (ID = 2686)
3:15 PM: Found Spy Cookie: go.com cookie
3:15 PM: owner@go[1].txt (ID = 2728)
3:15 PM: owner@hbmediapro[2].txt (ID = 2767)
3:15 PM: Found Spy Cookie: clickandtrack cookie
3:15 PM: owner@hits.clickandtrack[1].txt (ID = 2397)
3:15 PM: Found Spy Cookie: maxserving cookie
3:15 PM: owner@maxserving[1].txt (ID = 2966)
3:15 PM: owner@media.fastclick[2].txt (ID = 2652)
3:15 PM: Found Spy Cookie: mediaplex cookie
3:15 PM: owner@mediaplex[1].txt (ID = 6442)
3:15 PM: owner@movies.go[1].txt (ID = 2729)
3:15 PM: Found Spy Cookie: nextag cookie
3:15 PM: owner@nextag[1].txt (ID = 5014)
3:15 PM: Found Spy Cookie: oinadserve cookie
3:15 PM: owner@oinadserve[2].txt (ID = 3091)
3:15 PM: Found Spy Cookie: overture cookie
3:15 PM: owner@overture[1].txt (ID = 3105)
3:15 PM: Found Spy Cookie: partypoker cookie
3:15 PM: owner@partypoker[2].txt (ID = 3111)
3:15 PM: Found Spy Cookie: qksrv cookie
3:15 PM: owner@qksrv[2].txt (ID = 3213)
3:15 PM: Found Spy Cookie: questionmarket cookie
3:15 PM: owner@questionmarket[2].txt (ID = 3217)
3:15 PM: Found Spy Cookie: realmedia cookie
3:15 PM: owner@realmedia[1].txt (ID = 3235)
3:15 PM: Found Spy Cookie: dealtime cookie
3:15 PM: owner@stat.dealtime[2].txt (ID = 2506)
3:15 PM: Found Spy Cookie: tradedoubler cookie
3:15 PM: owner@tradedoubler[2].txt (ID = 3575)
3:15 PM: Found Spy Cookie: trafficmp cookie
3:15 PM: owner@trafficmp[1].txt (ID = 3581)
3:15 PM: Found Spy Cookie: tribalfusion cookie
3:15 PM: owner@tribalfusion[1].txt (ID = 3589)
3:15 PM: Found Spy Cookie: webpower cookie
3:15 PM: owner@webpower[2].txt (ID = 3660)
3:15 PM: owner@www.fortunecity[2].txt (ID = 2687)
3:15 PM: Found Spy Cookie: redzip cookie
3:15 PM: owner@www.redzip[2].txt (ID = 3250)
3:15 PM: Found Spy Cookie: screensavers.com cookie
3:15 PM: owner@www.screensavers[2].txt (ID = 3298)
3:15 PM: Found Spy Cookie: zenotecnico cookie
3:15 PM: owner@zenotecnico[2].txt (ID = 3858)
3:15 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
3:15 PM: Starting File Sweep
3:20 PM: mndcntas.tmp (ID = 246193)
3:20 PM: backup-20060316-141542-729.dll (ID = 246679)
3:22 PM: irismon.dll (ID = 246191)
3:23 PM: s20s.5.exe (ID = 246713)
3:23 PM: irssyncd.exe (ID = 246193)
3:23 PM: Found Adware: zenosearchassistant
3:23 PM: nt68rrtc12.sys (ID = 220230)
3:23 PM: Found Adware: purityscan
3:23 PM: yoinsi.exe (ID = 213483)
3:23 PM: backup-20060316-043656-488.inf (ID = 187156)
3:25 PM: eliteunstall.exe (ID = 244416)
3:25 PM: s1ag.1.exe (ID = 246713)
3:30 PM: msnav32.ax (ID = 220229)
3:30 PM: zeno.lnk (ID = 146127)
3:30 PM: backup-20060316-043951-215.inf (ID = 208224)
3:32 PM: File Sweep Complete, Elapsed Time: 00:16:40
3:32 PM: Full Sweep has completed. Elapsed time 00:19:36
3:32 PM: Traces Found: 410
3:33 PM: Removal process initiated
3:33 PM: Quarantining All Traces: clkoptimizer
3:33 PM: Quarantining All Traces: purityscan
3:33 PM: Quarantining All Traces: quicklink search toolbar
3:33 PM: Quarantining All Traces: safesearch
3:33 PM: Quarantining All Traces: elitemediagroup-pop64
3:33 PM: Quarantining All Traces: mirar webband
3:33 PM: Quarantining All Traces: zenosearchassistant
3:33 PM: Quarantining All Traces: 2o7.net cookie
3:33 PM: Quarantining All Traces: adecn cookie
3:34 PM: Quarantining All Traces: adknowledge cookie
3:34 PM: Quarantining All Traces: adprofile cookie
3:34 PM: Quarantining All Traces: adreactor cookie
3:34 PM: Quarantining All Traces: adrevolver cookie
3:34 PM: Quarantining All Traces: advertising cookie
3:34 PM: Quarantining All Traces: apmebf cookie
3:34 PM: Quarantining All Traces: ask cookie
3:34 PM: Quarantining All Traces: atlas dmt cookie
3:34 PM: Quarantining All Traces: atwola cookie
3:34 PM: Quarantining All Traces: belnk cookie
3:34 PM: Quarantining All Traces: bluestreak cookie
3:34 PM: Quarantining All Traces: burstnet cookie
3:34 PM: Quarantining All Traces: casalemedia cookie
3:34 PM: Quarantining All Traces: clickandtrack cookie
3:34 PM: Quarantining All Traces: dealtime cookie
3:34 PM: Quarantining All Traces: enhance cookie
3:34 PM: Quarantining All Traces: fastclick cookie
3:34 PM: Quarantining All Traces: fortunecity cookie
3:34 PM: Quarantining All Traces: go.com cookie
3:34 PM: Quarantining All Traces: goclick cookie
3:34 PM: Quarantining All Traces: hbmediapro cookie
3:34 PM: Quarantining All Traces: hotbar cookie
3:34 PM: Quarantining All Traces: maxserving cookie
3:34 PM: Quarantining All Traces: mediaplex cookie
3:34 PM: Quarantining All Traces: nextag cookie
3:34 PM: Quarantining All Traces: oinadserve cookie
3:34 PM: Quarantining All Traces: overture cookie
3:34 PM: Quarantining All Traces: partypoker cookie
3:34 PM: Quarantining All Traces: qksrv cookie
3:34 PM: Quarantining All Traces: questionmarket cookie
3:34 PM: Quarantining All Traces: realmedia cookie
3:34 PM: Quarantining All Traces: redzip cookie
3:34 PM: Quarantining All Traces: ru4 cookie
3:34 PM: Quarantining All Traces: screensavers.com cookie
3:34 PM: Quarantining All Traces: tradedoubler cookie
3:34 PM: Quarantining All Traces: trafficmp cookie
3:34 PM: Quarantining All Traces: tribalfusion cookie
3:34 PM: Quarantining All Traces: webpower cookie
3:34 PM: Quarantining All Traces: websponsors cookie
3:34 PM: Quarantining All Traces: yieldmanager cookie
3:34 PM: Quarantining All Traces: zenotecnico cookie
3:34 PM: Removal process completed. Elapsed time 00:00:21
********
3:06 PM: | Start of Session, Thursday, March 16, 2006 |
3:06 PM: Spy Sweeper started
3:07 PM: Your spyware definitions have been updated.
 
Upvote 0 Downvote
can you post the panda scan log and the ewdio log!


have hijack this fix these ones!

F2 - REG:system.ini: Shell=Explorer.exe,javameng.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\javameng.exe,C:\Documents and Settings\Owner\Application Data\Explorer\javameng.exe

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
I posted the ewido log in my earlier post. Ewido found nothing.

Here's the ActiveScan log


Incident Status Location

Adware:adware/kingporn Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\ExtractDLL.dll
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Owner\Cookies\owner@entrepreneur[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[servedby.advertising.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.valueclick.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.com.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.c5.zedo.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[as1.falkag.de/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.webpower.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.fortunecity.com/]
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.go.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.entrepreneur.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.dist.belnk.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[.ath.belnk.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\cookies.txt[]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Owner\Cookies\owner@entrepreneur[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ath.belnk[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@banner[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@dist.belnk[2].txt
Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\ExtractDLL.dll
Virus:Trj/Crypt.BE Not disinfected C:\WINDOWS\system32\cxdapoqy.dll
Virus:Trj/Crypt.BE Not disinfected C:\WINDOWS\system32\efottlec.dll
Virus:Trj/Crypt.BE Not disinfected C:\WINDOWS\system32\facldoib.dll
Virus:Trj/Crypt.BE Not disinfected C:\WINDOWS\system32\girntmus.dll
Virus:Trj/Crypt.BE Not disinfected C:\WINDOWS\system32\kjufujhg.dll
Virus:Trj/Crypt.BE Not disinfected C:\WINDOWS\system32\kyqsefmh.dll
Virus:Trj/Crypt.BE Not disinfected C:\WINDOWS\system32\lssbpcao.dll
Virus:Trj/Crypt.BE Not disinfected C:\WINDOWS\system32\nldknshw.dll
Virus:Trj/Crypt.BE Not disinfected C:\WINDOWS\system32\qkcnredl.dll
Virus:Trj/Crypt.BE Not disinfected C:\WINDOWS\system32\vlcakrmk.dll
Virus:Trj/Crypt.BE Not disinfected C:\WINDOWS\system32\vnewnodx.dll
Virus:Trj/Crypt.BE Not disinfected C:\WINDOWS\system32\vvhajrpp.dll
 
Upvote 0 Downvote
ok go here and empty out this folder.


C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\56roomjq.default\

To block cookies in mozilla and stop them from coming back click on tools/ options/privacy/click view cookies, now you will now see a list of cookies, click on all the cookies to delete that you don't want to keep! You can view all the blocked cookies by clicking exceptions!



* Go to Control Panel > Internet Options. On the General tab under
"Temporary Internet Files" Click "Delete Files". Put a check by "Delete
Offline Content" and click OK. Click on the "Delete Cookies" button to clear
the cookies.



you should now turn off system restore to flush out the bad restore points and
then re-enable it and make a new clean restore point.


How to turn off system restore







here's some free tools to keep you from getting infected in the future.


to stop reinfection get these two tools, spywareguard and spywareblaster
from




get the hosts file from here.Unzip it to a folder!





put it into : or click the mvps bat and it should do it for you!


Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS



ie-spyad.Puts over 5000 sites in your restricted zone so you'll be protected

when you visit innocent-looking sites that aren't actually innocent at all.







Use spybot's immunize button and use spywareblaster' enable
protection once you update it. you can put spybot's hosts file into
your own and lock it.



I would also suggest switching to Mozilla's firefox browser, it's safer, has
a built in pop up blocker, blocks cookies and adds. Mozilla Thunderbird is also a good
e-mail client.



Another good and free browser is Opera!



Read here to see how to tighten your security:



A good overall guide for firewalls, anti-virus, and anti-trojans as well as
regular spyware cleaners.




Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

iambob
  • Locked
  • Question
Avast Anti-Virus is.. a virus?! 3
Replies
5
Views
102
Oorde
Oorde
2ffat
  • Locked
  • News
MalwareBytes may have been hacked
Replies
0
Views
45
2ffat
2ffat
goombawaho
  • Locked
  • News
Malware Injected Into CCleaner 3
Replies
2
Views
53
goombawaho
goombawaho
Tiffc0922
  • Locked
  • Question
Virus / Malware Scans on Local PCs
Replies
5
Views
73
goombawaho
goombawaho
andyv2011
  • Locked
  • Question
Looking at Virus Actions
Replies
0
Views
50
andyv2011
andyv2011

Part and Inventory Search

Sponsor

Back
Top