pop64, seeve, elitemedia...

My friend's computer is being a bit stubborn when going on the internet. It will go on for about three minutes and then kick her off. I've had her run Spybot and Ad-Aware while in safe mode, but she says that it still won't work. She is in the next state over, so I can't get a look at the computer myself. Fortunately I got her to run a HijackThis log and this is what popped up. She says please help or she will cry. I'm on the phone with her right now. She seems quite emotional over this. Please help. THANKS!!

Logfile of HijackThis v1.99.1
Scan saved at 10:30:28 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\scvhost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\rwinssap.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\wz.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\TEMP\IXP000.TMP\MMX888.EXE
C:\Documents and Settings\Kelsey\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\jkklm.dll
O3 - Toolbar: (no name) - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kyporc.exe reg_run
O4 - HKLM\..\Run: [ral\] C:\WINDOWS\mrjj.exe
O4 - HKLM\..\Run: [=NOI] C:\WINDOWS\mrjj.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\rwinssap.exe FI002
O4 - HKLM\..\RunServices: [QUFA1] C:\WINDOWS\QUFA1.EXE
O4 - HKLM\..\RunServices: [WOUF2] C:\WINDOWS\WOUF2.EXE
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\TEMP\IXP000.TMP\"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinssap.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O20 - Winlogon Notify: jkklm - C:\WINDOWS\SYSTEM32\jkklm.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LEC TranslateDotNet Server - Unknown owner - C:\Program Files\LEC\LogoMedia TranslateDotNet Server.exe (file missing)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
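A defender's aid that is not part of this thread: an added Python triage script for HijackThis-format logs, run here over a constructed, abridged sample built from entries in the log above. The heuristics it applies (a core system binary running outside system32, anagram lookalikes such as scvhost.exe for svchost.exe, executables in temp folders, any O15 Trusted Zone addition, every O20 Winlogon Notify DLL flagged for review) are my own assumptions and not HijackThis's own logic.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 syntax, abridged from the log above:
# a mix of clean lines and the suspicious ones a helper would look at first.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\scvhost.exe
C:\WINDOWS\UpdReg.EXE
C:\WINDOWS\TEMP\IXP000.TMP\MMX888.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kyporc.exe reg_run
O15 - Trusted Zone: *.elitemediagroup.net
O20 - Winlogon Notify: jkklm - C:\WINDOWS\SYSTEM32\jkklm.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
"""

# Core Windows XP binaries that only belong in %SystemRoot%\system32 (assumption: this short list).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe"}
# Lower-cased substrings marking temp locations nothing persistent should run from.
TEMP_MARKERS = ("\\windows\\temp\\", "\\local settings\\temp\\", "\\temporary internet files\\")
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# Non-greedy so paths containing spaces (Program Files) are captured up to the extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|scr|cab)\b', re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high" or "review"
    code: str       # HJT section code, or "PROC" for a running process
    reason: str
    line: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def check_path(path, code, line):
    """Heuristics shared by running processes and O4/O23 image paths."""
    name, folder = basename(path), dirname(path)
    findings = []
    if name in SYSTEM_BINARIES:
        if not folder.endswith("\\system32"):
            findings.append(Finding("high", code, f"{name} outside system32", line))
    else:
        # Same letters, different order: scvhost.exe vs svchost.exe.
        for legit in SYSTEM_BINARIES:
            if len(name) == len(legit) and sorted(name) == sorted(legit):
                findings.append(Finding("high", code, f"{name} is a lookalike of {legit}", line))
    if any(m in path.lower() for m in TEMP_MARKERS):
        findings.append(Finding("high", code, "executable in a temp directory", line))
    return findings


def parse(text):
    """Split an HJT log into running-process paths and (code, body, raw line) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = False      # blank line ends the process list
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body"), line))
    return processes, entries


def triage(text):
    """Return the findings a first pass over the log would raise."""
    findings = []
    processes, entries = parse(text)
    for p in processes:
        findings += check_path(p, "PROC", p)
    for code, body, line in entries:
        if code == "O15":
            findings.append(Finding("high", code, "site added to IE Trusted Zone (relaxed security for that domain)", line))
        elif code == "O20":
            findings.append(Finding("review", code, "DLL loaded by winlogon at every logon; verify the file", line))
        elif code in ("O4", "O23"):
            for path in PATH_RE.findall(body):
                findings += check_path(path, code, line)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code:4} {f.reason}: {f.line}")
```

Clean entries such as ehtray.exe, UpdReg.EXE and the ATI service produce no finding, so the output is short enough to read over the phone.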

Comments

  • TroganTrogan London, UK
    edited January 2006
    Hi,

    There are several infections in your friend's log.

    First, I don't see an Anti-Virus in the HJT log. Please download this AV, if you haven't already got one:

    AVG Free Edition http://free.grisoft.com/doc/1


    Secondly, we'll need to run some scans.

    Please download the free Ad-Aware SE and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

    1) Run Ad-Aware, and click Check for updates now.

    2) Select Configurations (click the Gear wheel at the top) as follows:
    • General Button > Safety & Settings: Check (Green) all three.
    • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
    Click Proceed.
    3) To start the scan, Click > "Scan Now" at left
    • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
    • Select "Search for low-risk threats"
    • Select "Perform full system scan"
    • Click Next
    4) When the scan has completed, select Next.
    • In the Scanning Results window, select the "Critical Objects" tab.
    • Right-click on the screen and choose "Select all objects"
    • Click Next to remove the infections found, and click OK to the prompt.
    • Reboot the computer.

    After rebooting, do the following:


    Download Spybot S & D from here.
    1. Download and Install Spybot S&D (if you haven't already), accept the Default Settings
    2. In the Menu Bar at the top of the Spybot window you will see 'Mode'.
      Make certain that 'default mode' has a check mark beside it.
    3. Close ALL windows except Spybot S&D
    4. Click the button to ‘Search for Updates’ then download and install the updates.
    5. Next click the button ‘Check for Problems'
    6. When Spybot is complete, it will be showing ‘RED’ entries, bold 'BLACK' entries and ‘GREEN’ entries in the window
    7. Make certain there is a check mark beside all of the RED entries ONLY.
    8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
    9. REBOOT normally to complete the scan and clear memory.

    After rebooting, do the following:


    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.
    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.

    For additional help in booting into Safe Mode, see the following site:
    http://www.pchell.com/support/safemode.shtml

    Once in Safe Mode, please run Ewido (Do not use the computer while Ewido is scanning as it may interrupt the scan)
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    Close Ewido

    Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
  • edited January 2006
    Here are the two reports after she did everything.

    ewido anti-malware - Scan report

    + Created on: 11:18:11 AM, 1/17/2006
    + Report-Checksum: 85520AE5

    + Scan result:

    HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
    HKU\S-1-5-21-3836864014-242324989-393016108-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\1N7GANWX\876057[1].exe -> Adware.Mirar : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4M58E2WM\mm63[1].ocx -> Spyware.MediaMotor : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4M58E2WM\wowz[1].exe/DRSMAR~1.EXE.exe -> Downloader.Adload.j : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4M58E2WM\wowz[1].exe/drsmartload197a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4M58E2WM\wowz[1].exe/elt888.exe -> Logger.Agent.hi : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4M58E2WM\wowz[1].exe/mc-110-12-0000179.exe -> Spyware.Maxifiles : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4M58E2WM\wowz[1].exe/MC-110~1.EXE -> Spyware.Maxifiles : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4M58E2WM\wowz[1].exe/mmx888.exe -> Downloader.VB.sh : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4M58E2WM\wowz[1].exe/DRSMAR~1.EXE.exe -> Downloader.Adload.j : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4M58E2WM\wowz[1].exe/drsmartload197a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4M58E2WM\wowz[1].exe/elt888.exe -> Logger.Agent.hi : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4M58E2WM\wowz[1].exe/mc-110-12-0000179.exe -> Spyware.Maxifiles : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4M58E2WM\wowz[1].exe/MC-110~1.EXE -> Spyware.Maxifiles : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4M58E2WM\wowz[1].exe/mmx888.exe -> Downloader.VB.sh : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JAJ6JBSL\installer_251[1].exe -> Downloader.Qoologic.al : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JAJ6JBSL\justin[1].exe -> Adware.EZula : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JAJ6JBSL\MediaGateway[1].exe -> Adware.WinAD : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JAJ6JBSL\mrj[1].exe/mrjj.exe -> Trojan.LowZones.am : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JAJ6JBSL\whCC-GIANT[1].exe/WhAgent.exe -> Spyware.WebHancer : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S9EMWBXP\drsmartload_js[1].htm -> Downloader.IstBar.j : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S9EMWBXP\myc[1].exe/drsmartload197a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\mycc.exe/drsmartload197a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup
    C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned with backup
    C:\WINDOWS\is468.exe -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\justin.exe -> Adware.EZula : Cleaned with backup
    C:\WINDOWS\lar.exe/mrjj.exe -> Trojan.LowZones.am : Cleaned with backup
    C:\WINDOWS\system32\rwinssap.exe -> Adware.ZenoSearch : Cleaned with backup
    C:\WINDOWS\system32\WinNB57.dll -> Adware.Mirar : Cleaned with backup
    C:\WINDOWS\webhdll.dll_tobedeleted -> Spyware.WebHancer : Cleaned with backup
    C:\WINDOWS\whCC-GIANT.exe/WhAgent.exe -> Spyware.WebHancer : Cleaned with backup
    C:\wz.exe/DRSMAR~1.EXE.exe -> Downloader.Adload.j : Cleaned with backup
    C:\wz.exe/drsmartload197a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\wz.exe/elt888.exe -> Logger.Agent.hi : Cleaned with backup
    C:\wz.exe/mc-110-12-0000179.exe -> Spyware.Maxifiles : Cleaned with backup
    C:\wz.exe/MC-110~1.EXE -> Spyware.Maxifiles : Cleaned with backup
    C:\wz.exe/mmx888.exe -> Downloader.VB.sh : Cleaned with backup
    C:\wz.exe/DRSMAR~1.EXE.exe -> Downloader.Adload.j : Cleaned with backup
    C:\wz.exe/drsmartload197a.exe -> Downloader.Adload.j : Cleaned with backup
    C:\wz.exe/elt888.exe -> Logger.Agent.hi : Cleaned with backup
    C:\wz.exe/mc-110-12-0000179.exe -> Spyware.Maxifiles : Cleaned with backup
    C:\wz.exe/MC-110~1.EXE -> Spyware.Maxifiles : Cleaned with backup
    C:\wz.exe/mmx888.exe -> Downloader.VB.sh : Cleaned with backup


    ::Report End


    Logfile of HijackThis v1.99.1
    Scan saved at 11:37:49 AM, on 1/17/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Kelsey\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\system32\pmnnn.dll
    O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\awtqq.dll
    O3 - Toolbar: (no name) - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kyporc.exe reg_run
    O4 - HKLM\..\Run: [ral\] C:\WINDOWS\mrjj.exe
    O4 - HKLM\..\Run: [=NOI] C:\WINDOWS\mrjj.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\RunServices: [WOUF2] C:\WINDOWS\WOUF2.EXE
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinssap.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O15 - Trusted Zone: *.elitemediagroup.net
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O20 - Winlogon Notify: awtqq - C:\WINDOWS\SYSTEM32\awtqq.dll
    O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LEC TranslateDotNet Server - Unknown owner - C:\Program Files\LEC\LogoMedia TranslateDotNet Server.exe (file missing)
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
  • TroganTrogan London, UK
    edited January 2006
    Can you do the following:

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Reboot the computer!


    Please run this scan

    Panda ActiveScan
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    - Once you are on the Panda site, click the Scan your PC button
    - A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send
    - Select either Home User or Company
    - Click the big Scan Now button
    - If it wants to install an ActiveX component allow it
    - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    - When download is complete, click on Local Disks to start the scan
    - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

    Post the contents of the Panda scan report, along with a new HijackThis Log
  • edited January 2006
    here are the logs.

    talk about a pain in the ass to do this over the phone...

    Incident Status Location

    Adware:adware/savenow Not disinfected Windows Registry
    Potentially unwanted tool:application/zango Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}
    Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Kelsey\Cookies\kelsey@rn11[2].txt
    Spyware:Cookie/Media-motor Not disinfected C:\Documents and Settings\LocalService\Cookies\system@mmm.media-motor[1].txt
    Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4M58E2WM\6[1].htm
    Adware:Adware/IST.YourSiteBar Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S9EMWBXP\3[1].htm
    Possible Virus. Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S9EMWBXP\is742[1].exe


    Logfile of HijackThis v1.99.1
    Scan saved at 6:44:10 PM, on 1/19/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Documents and Settings\Kelsey\Desktop\HijackThis.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: (no name) - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kyporc.exe reg_run
    O4 - HKLM\..\Run: [ral\] C:\WINDOWS\mrjj.exe
    O4 - HKLM\..\Run: [=NOI] C:\WINDOWS\mrjj.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\RunServices: [WOUF2] C:\WINDOWS\WOUF2.EXE
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinssap.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O15 - Trusted Zone: *.elitemediagroup.net
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LEC TranslateDotNet Server - Unknown owner - C:\Program Files\LEC\LogoMedia TranslateDotNet Server.exe (file missing)
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe



    VundoFix V4.0

    Listing files found while scanning....

    C:\WINDOWS\system32\awtqq.dll
    C:\WINDOWS\system32\pmnnn.dll
    C:\WINDOWS\system32\nnnmp.ini
    C:\WINDOWS\system32\nnnmp.bak1
    C:\WINDOWS\system32\nnnmp.bak2

    C:\WINDOWS\system32\nnnmp.bak1
    C:\WINDOWS\system32\nnnmp.bak2
    C:\WINDOWS\system32\nnnmp.ini
    C:\WINDOWS\system32\pmnnn.dll
    Attempting to delete C:\WINDOWS\system32\awtqq.dll
    C:\WINDOWS\system32\awtqq.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\pmnnn.dll
    C:\WINDOWS\system32\pmnnn.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\nnnmp.ini
    C:\WINDOWS\system32\nnnmp.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\nnnmp.bak1
    C:\WINDOWS\system32\nnnmp.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\nnnmp.bak2
    C:\WINDOWS\system32\nnnmp.bak2 Has been deleted!

    Performing Repairs to the registry.
    Done!
  • Trogan, London, UK
    edited January 2006
    D_felth wrote:
    talk about a pain in the ass to do this over the phone...
    Hang in there :D
    --


    Can you do the following


    1)
    Update Ewido, Ad-Aware and Spybot. Do NOT run any scans yet.

    2)
    You may want to print these instructions or save them, as you'll have no internet connection once in Safe Mode.

    View hidden files and folders – explained here

    Go into Safe Mode - explained here
    ==

    ONCE IN SAFE MODE
    ==


    Run HiJackThis then:

    1. Click "Open the Misc Tools Section"
    2. Click "Open Process manager"

    -

    Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

    C:\WINDOWS\elitemediapop.exe
    C:\WINDOWS\mrjj.exe
    C:\WINDOWS\mrjj.exe
    C:\WINDOWS\WOUF2.EXE

    C:\WINDOWS\system32\rwinssap.exe
    C:\WINDOWS\system32\kyporc.exe


    Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now click "Refresh", check again, and repeat this step if any remain.
    ==

    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)
    - Close ALL open windows
    Click Fix Checked

    O3 - Toolbar: (no name) - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - (no file)

    O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kyporc.exe reg_run
    O4 - HKLM\..\Run: [ral\] C:\WINDOWS\system32\kyporc.exe
    O4 - HKLM\..\Run: [=NOI] C:\WINDOWS\mrjj.exe
    O4 - HKLM\..\RunServices: [WOUF2] C:\WINDOWS\WOUF2.EXE

    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinssap.exe

    O15 - Trusted Zone: *.elitemediagroup.net

    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab

    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)

    ==


    Find and Delete the following:

    C:\WINDOWS\elitemediapop.exe << this file
    C:\WINDOWS\scvhost.exe << this file
    C:\WINDOWS\mrjj.exe << this file
    C:\WINDOWS\mrjj.exe << this file
    C:\WINDOWS\WOUF2.EXE << this file

    C:\WINDOWS\system32\rwinssap.exe << this file
    C:\WINDOWS\system32\kyporc.exe << this file
    C:\WINDOWS\system32\kyporc.exe << this file

    (There may be only ONE kyporc.exe and mrjj.exe)
    ==


    Run Ad-Aware, SpyBot and then Ewido.

    Save a log for Ewido


    Reboot into Normal Mode and post a new HJT log and the Ewido log :)
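The helper's fix list above is built from a handful of recurring patterns in the HijackThis log: an O15 Trusted Zone that nobody added on purpose, O16 ActiveX downloads from ad networks, an O23 service whose binary is a one-letter lookalike of a Windows process (scvhost vs svchost) and is already missing, and O4 autoruns whose executable lives straight in C:\WINDOWS. The script below is an added example written for this thread, not HijackThis code and not the helper's own method; it encodes those patterns so a log can be pre-screened before a human reads it. The allowlist of ActiveX hosts, the list of "odd" autorun folders and the two benign sample lines (the AIM button is from the log above; the Windows Update control carries a made-up CLSID) are assumptions for the demo, and a miss by this script (it does not flag kyporc.exe in system32) is exactly why the human review still matters.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread (not HijackThis code, not the helper's method):
flags the entry types the helper picked out above so a log can be pre-screened.
"""
import re
from urllib.parse import urlparse

# Constructed sample: entries copied from the thread's log plus two benign lines
# (the AIM button, and a Windows Update control with a made-up CLSID) that the
# scanner should leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kyporc.exe reg_run
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O16 - DPF: {11111111-2222-3333-4444-555555555555} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.exe)", re.IGNORECASE)

# Core Windows process names that malware imitates with one-letter edits or swaps.
SYSTEM_PROCESS_NAMES = {"svchost", "lsass", "csrss", "winlogon", "smss", "services", "explorer"}
# Assumption for the demo: hosts from which an ActiveX (O16) download is expected.
TRUSTED_DPF_HOSTS = {"microsoft.com", "windowsupdate.com", "java.com"}
# Assumption: legitimate autoruns rarely live directly in these folders.
ODD_AUTORUN_DIRS = {"c:", "c:\\windows", "c:\\windows\\temp"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[-1][-1]


def is_lookalike(filename: str) -> bool:
    """True if filename is one edit or swap away from a real system process name."""
    name = filename.lower()
    if name.endswith(".exe"):
        name = name[:-4]
    if name in SYSTEM_PROCESS_NAMES:
        return False
    return any(osa_distance(name, real) == 1 for real in SYSTEM_PROCESS_NAMES)


def host_allowed(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def flag_entry(line: str) -> list[str]:
    """Return the reasons an HJT line deserves a closer look (empty if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, rest = m.groups()
    reasons: list[str] = []
    if section == "O15":  # any Trusted Zone entry is worth a question
        reasons.append("non-default Trusted Zone entry: " + rest.split(": ", 1)[-1])
    elif section == "O16":  # ActiveX .cab fetched from an unexpected host
        url = rest.rsplit(" - ", 1)[-1]
        if not host_allowed(url):
            reasons.append(f"ActiveX download from non-allowlisted host {urlparse(url).hostname}")
    elif section == "O23":  # service binary: lookalike name and/or already gone
        target = rest.rsplit(" - ", 1)[-1]
        missing = target.endswith("(file missing)")
        path = target.replace("(file missing)", "").strip()
        filename = path.rsplit("\\", 1)[-1]
        if is_lookalike(filename):
            reasons.append(f"service binary {filename} is a lookalike of a Windows system process")
        if missing:
            reasons.append("service entry points at a file that no longer exists")
    elif section == "O4":  # autorun whose executable sits in an odd folder
        pm = PATH_RE.search(rest)
        if pm:
            folder = pm.group(1).rsplit("\\", 1)[0].lower()
            if folder in ODD_AUTORUN_DIRS:
                reasons.append(f"autorun target {pm.group(1)} sits directly in {folder}")
    return reasons


def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Scan a whole HJT log; return (line, reasons) for every flagged entry."""
    return [(ln.strip(), flag_entry(ln)) for ln in text.splitlines() if flag_entry(ln)]


if __name__ == "__main__":
    for entry, why in scan_log(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("   ->", reason)
```

Run as a script it prints the four entries from the sample that match the helper's reasoning (the elitemedia autorun, the Trusted Zone, the Zango .cab and the scvhost "lsass" service), each with the reason it was picked. The transposition-aware distance is what catches scvhost: plain Levenshtein would score it 2 from svchost and a threshold of 1 would miss it.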