trojan help [active]
I went on a website and clicked open a link they had. I do it like every day, but today it downloaded adware and trojans onto my computer. I scanned with Lavasoft SE Personal and my ZoneAlarm and deleted everything in my Add/Remove Programs that didn't belong, but I'm still getting annoying pop-ups constantly, and now the same thing has happened to my mother's computer.
Logfile of HijackThis v1.99.1
Scan saved at 11:43:42 PM, on 9/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1133151974\ee\AOLSoftware.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe
O4 - HKLM\..\Run: [msc] C:\WINDOWS\system32\Microsoft.NET
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133151974\ee\AOLSoftware.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Oxc] C:\Documents and Settings\Administrator\Application Data\?icrosoft\i?xplore.exe
O4 - Global Startup: 802.11b+g USB Wireless LAN Utility.lnk = C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Comments
1. Your log is showing Purityscan/OIN.
Please go to your Add/Remove Programs and uninstall any apps by OIN.
If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.
http://www.outerinfo.com/OiUninstaller.exe.
2. Can you please rename your Hijackthis.exe to any.exe (or whatever .exe you want to rename it to)?
The culprit is monitoring the hijackthis.exe process and is able to hide from the scan.
After you have renamed hijackthis.exe, scan your system with the renamed HijackThis and post the log, please.
Scan saved at 1:51:56 PM, on 9/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1133151974\ee\AOLSoftware.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\Oregontrail.exe.exe
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [msc] C:\WINDOWS\system32\Microsoft.NET
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133151974\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: 802.11b+g USB Wireless LAN Utility.lnk = C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
Load SUPERAntiSpyware and click the Check for Updates button.
Once the update is finished, close SUPERAntiSpyware again; we'll perform the scan later in Safe Mode.
* Start Superantispyware.
Click the scan your computer button.
Check Perform Complete Scan and then next.
SUPERAntiSpyware will now scan your computer, and when it's finished it will list all the infections it has found.
Make sure that they all have a check next to them and press next.
Click finish and you will be taken back to the main interface.
Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
2. Also download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
Double-click combofix.exe and follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
3. Please download Silent Runners.
http://www.silentrunners.org/Silent%20Runners.vbs
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and post it.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msc" = "C:\WINDOWS\system32\Microsoft.NET" [file not found]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"HostManager" = "C:\Program Files\Common Files\AOL\1133151974\ee\AOLSoftware.exe" ["America Online, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare Objects"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare UNC Folder Menu"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare Hood Verbs"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{8BDFEB82-1021-4A59-AC81-7EB366509DDA}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\guard.tmp" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
-> {HKLM...CLSID} = "NetWare UNC Folder Menu"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
Active Desktop and Wallpaper:
Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Active Desktop web content:
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = ""
"Source" = "C:\Program Files\WindowsUpdate\kyhehex.html"
"SubscribedURL" = ""
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\1\
"FriendlyName" = ""
"Source" = "C:\Program Files\Windows Media Player\hofyfyves.html"
"SubscribedURL" = ""
Startup items in "Administrator" & "All Users" startup folders:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"802.11b+g USB Wireless LAN Utility" -> shortcut to: "C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.exe" [empty string]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]
Running Services (Display Name, Service Name, Path {Service DLL}):
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
(total run time: 114 seconds, including 18 seconds for message boxes)
COMBO FIX
Administrator - 06-09-28 22:23:10.36 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Administrator\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\PSLister
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\ASKS~1
C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\ICROSO~1
C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\ASKS~1\?asks
((((((((((((((((((((((((((((((( Files Created from 2006-08-28 to 2006-09-28 ))))))))))))))))))))))))))))))))))
2006-09-28 15:42 0 --a C:\WINDOWS\system32\cmmgr32.exe
2006-09-23 00:16 1,233 --a C:\WINDOWS\system32\pesca815.sys
2006-09-15 17:16 53,248 --a C:\WINDOWS\uni_e6h.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-09-28 20:44 d C:\Program Files\ewido anti-spyware 4.0
2006-09-28 20:40 d C:\Program Files\PSDream
2006-09-28 20:40 d C:\Program Files\Common Files
2006-09-28 15:43 d--h C:\Program Files\WindowsUpdate
2006-09-28 15:43 d C:\Program Files\Windows Media Player
2006-09-28 15:16 d C:\Program Files\SUPERAntiSpyware
2006-09-28 15:16 d C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2006-09-28 15:14 d C:\Program Files\Common Files\Wise Installation Wizard
2006-09-25 23:33 d C:\Program Files\MSN
2006-09-12 15:49 d C:\Program Files\RealVNC
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msc"="C:\\WINDOWS\\system32\\Microsoft.NET"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1133151974\\ee\\AOLSoftware.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\WindowsUpdate\\kyhehex.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Windows Media Player\\hofyfyves.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ms0566814-7927]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ms0566814-7927"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ms0566814-7927.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PSDream]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSDream"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\PSDream\\PSDream.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\septpop06apsept]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="septpop06apsept"
"hkey"="HKLM"
"command"="C:\\program files\\popupwithcast\\septpop06apsept.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Ucet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ping"
"hkey"="HKCU"
"command"="\"C:\\DOCUME~1\\ADMINI~1\\APPLIC~1\\ASKS~1\\ping.exe\" -vt yazb"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UserFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -u"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -u"
"inimapping"="0"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Completion time: Thu 09/28/2006 22:25:58.87
ComboFix.txt
SUPER ANTI SPYWARE!
SUPERAntiSpyware Scan Log
Generated 09/28/2006 at 05:03 PM
Core Rules Database Version : 3094
Trace Rules Database Version: 1122
Memory threats detected : 0
Registry threats detected : 12
File threats detected : 75
Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{746455FE-D059-47e7-AF0E-140E03F5A447}
HKCR\CLSID\{746455FE-D059-47e7-AF0E-140E03F5A447}
HKCR\CLSID\{746455FE-D059-47e7-AF0E-140E03F5A447}
HKCR\CLSID\{746455FE-D059-47e7-AF0E-140E03F5A447}\InprocServer32
HKCR\CLSID\{746455FE-D059-47e7-AF0E-140E03F5A447}\InprocServer32#ThreadingModel
HKCR\CLSID\{746455FE-D059-47e7-AF0E-140E03F5A447}\ProgID
HKCR\CLSID\{746455FE-D059-47e7-AF0E-140E03F5A447}\Programmable
HKCR\CLSID\{746455FE-D059-47e7-AF0E-140E03F5A447}\TypeLib
HKCR\CLSID\{746455FE-D059-47e7-AF0E-140E03F5A447}\VersionIndependentProgID
C:\WINDOWS\system32\nsn155.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122389.dll
Adware.MediaMotor
C:\WINDOWS\mm06y.ini
C:\Program Files\popupwithcast\CastGen\Administrator\f4514b38a4d06.dat
C:\Program Files\popupwithcast\CastGen\Administrator
C:\Program Files\popupwithcast\CastGen\h4514b36729.dat
C:\Program Files\popupwithcast\CastGen\u4514b3694ae1.dat
C:\Program Files\popupwithcast\CastGen
C:\Program Files\popupwithcast\CastSys\log.txt
C:\Program Files\popupwithcast\CastSys
C:\Program Files\popupwithcast
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122410.exe
C:\WINDOWS\popupwithcast.exe
Trojan.WinBo32/Enhance
HKLM\Software\System\sysold
HKLM\Software\System\sysold#ms0566814-7927
HKLM\Software\System\sysold#ms0566814-7927.exe
Adware.FullContext
C:\Documents and Settings\Administrator\Local Settings\Temp\batty2.exe
C:\Program Files\PSDream\PSDream.exe
Adware.CASClient
C:\Documents and Settings\Administrator\Local Settings\Temp\cmfibula.exe
Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@count4.exitexchange[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@exitexchange[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@keywordmax[1].txt
Adware.DeluxeCommunications
C:\Documents and Settings\Administrator\Local Settings\Temp\u17A.tmp
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122299.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122300.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122301.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122304.exe
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122305.exe
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP445\A0123509.exe
Adware.ClickSpring/Yazzle
C:\Documents and Settings\Administrator\Local Settings\Temp\YazzleBundle-1281.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
Unclassified.Unknown Origin/System
C:\Program Files\PSLister\upd.exe
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122295.exe
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122297.exe
C:\WINDOWS\srvhmgxjkw.exe
Trojan.Drop/Gen Variant
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0121351.exe
Adware.WebNexus
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122296.exe
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122313.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122317.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122320.exe
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP445\A0123508.exe
Trojan.YourEnhancement
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122298.exe
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP445\A0123505.exe
C:\WINDOWS\uninst108.exe
Adware.Qoologic/QoolAid
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122314.exe
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122316.exe
Adware.webHancer
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122327.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122376.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122377.exe
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122381.exe
Adware.NicTech Networks
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122330.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122391.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122405.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122411.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP443\A0122424.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP443\A0122429.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP443\A0122430.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP445\A0123511.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP445\A0123512.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP445\A0123513.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP445\A0123514.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP445\A0123515.dll
Adware.SysMon
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122334.exe
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP445\A0123497.exe
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP445\A0123498.exe
Trojan.Downloader-SysMon
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122335.exe
Adware.Avenue Media
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP442\A0122363.exe
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP445\A0123507.exe
Adware.ClickSpring
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP444\A0122461.dll
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP444\A0122462.exe
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP445\A0123500.exe
Trojan.Unknown Origin
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP444\A0122463.exe
C:\WINDOWS\srvtdmldvq.exe
C:\WINDOWS\Unist1.htm
Trojan.AC3
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP445\A0123499.exe
Trojan.Downloader-Loader
C:\System Volume Information\_restore{D5CA5B52-F81E-43A6-AC75-A90435C0474D}\RP445\A0123504.exe
Worm.Rbot Variant
C:\WINDOWS\Eim03.exe
Uncheck and delete everything you find in there (except for "My Current Home Page").
2. You MUST delete these .html files below (do not delete the legitimate folders they are in):
C:\Program Files\WindowsUpdate\kyhehex.html
C:\Program Files\Windows Media Player\hofyfyves.html
3. Submit these 2 files at --> http://virusscan.jotti.org/
and delete them if infected:
C:\WINDOWS\system32\pesca815.sys
C:\WINDOWS\uni_e6h.exe
4. Enable everything in your startup, then run a scan with HijackThis and post the log.
Also let me know if the pop-ups and voice ads, if any, are gone.
Scan saved at 12:27:34 AM, on 9/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AOL\1133151974\ee\AOLSoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\Oregontrail.exe.exe
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [msc] C:\WINDOWS\system32\Microsoft.NET
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133151974\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [ms0566814-7927] C:\WINDOWS\ms0566814-7927.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Ucet] "C:\DOCUME~1\ADMINI~1\APPLIC~1\ASKS~1\ping.exe" -vt yazb
O4 - Global Startup: 802.11b+g USB Wireless LAN Utility.lnk = C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Pop-ups and ads stopped, but the way I log into the computer is different, and when I went to change it, it says I can't because of NetWare.
Purityscan is again showing in your log??? Or is that just a leftover entry? I thought it wasn't there in your second log.
1. Please download their stand-alone uninstaller.
http://www.outerinfo.com/OiUninstaller.exe.
Reconfigure Windows to show hidden files:
Doubleclick My Computer | Tools | Folder Options | View tab
Select “Show Hidden Files and Folders”
Uncheck “Hide extensions for known file types”
Uncheck “Hide protected operating system files” (Recommended)
Select Apply to All Folders | Yes | Apply | OK
Delete these files/folders if still present:
C:\WINDOWS\ms0566814-7927.exe
C:\program files\popupwithcast
Run HijackThis, put a check next to these entries, and with all browsers and other windows closed click "Fix Checked":
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [msc] C:\WINDOWS\system32\Microsoft.NET
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [ms0566814-7927] C:\WINDOWS\ms0566814-7927.exe
O4 - HKCU\..\Run: [Ucet] "C:\DOCUME~1\ADMINI~1\APPLIC~1\ASKS~1\ping.exe " -vt yazb
1. Please download Ewido Anti-Malware.
* Install ewido anti-malware.
* Launch ewido; there should be an icon on your desktop, double-click it.
* The program will now open to the main screen.
* When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
- The update will start and a progress bar will show the updates being installed.
- Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido (the status bar at the bottom will display "Update successful").
ewido manual updates
Do not do anything with these yet!
Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit Enter.
4. Once in Safe Mode, Open Ewido:
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- You will be prompted to clean the first infection.
- Select "Perform action on all infections", then proceed.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report.
- Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.
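The O4 entries the helper singles out for "Fix Checked" share a few tell-tale signs that can be checked mechanically: a Run value whose target is not an executable (Microsoft.NET), a path with a character the forum could not render (the "?" in ?icrosoft\i?xplore.exe, a substituted lookalike character), an executable launched from the user profile, a random-looking numeric name (ms0566814-7927.exe), and a system-tool name such as ping.exe living outside System32. The script below is an added triage example, not code from the thread or from HijackThis; the sample lines are copied from the logs posted above, and the reason codes and heuristics are my own.

```python
"""Triage of HijackThis O4 autostart entries.

Applies, mechanically, the checks a forum helper makes by eye.  Heuristics
only: a hit is a candidate for the jotti / Add-Remove checks the thread
describes, not a verdict.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: O4 lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [msc] C:\WINDOWS\system32\Microsoft.NET
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Oxc] C:\Documents and Settings\Administrator\Application Data\?icrosoft\i?xplore.exe
O4 - HKLM\..\Run: [ms0566814-7927] C:\WINDOWS\ms0566814-7927.exe
O4 - HKCU\..\Run: [Ucet] "C:\DOCUME~1\ADMINI~1\APPLIC~1\ASKS~1\ping.exe" -vt yazb
O4 - Global Startup: 802.11b+g USB Wireless LAN Utility.lnk = C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.exe
"""

O4_REG = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?)\.lnk = (?P<cmd>.+)$")

EXE_EXT = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs")
# Directories a logged-in user can write to (long and 8.3 forms seen in these logs).
USER_DIRS = ("\\documents and settings\\", "\\docume~1\\", "\\application data\\",
             "\\applic~1\\", "\\local settings\\temp\\")
# Names that belong in System32; the same name elsewhere is a masquerade candidate.
SYSTEM_TOOLS = {"ping.exe", "svchost.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "csrss.exe", "smss.exe", "spoolsv.exe"}


@dataclass
class Entry:
    name: str          # the [bracketed] value name, or the .lnk name
    location: str      # e.g. HKLM\Run, or "Startup folder"
    path: str          # the file the entry launches
    reasons: List[str] = field(default_factory=list)


def extract_path(cmd: str) -> str:
    """Pull the launched file out of a Run value: a quoted path, else the text
    up to the first executable extension, else the first token."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.(?:exe|dll|scr|com|pif|bat|cmd|vbs))(?:\s|$)", cmd, re.I)
    if m:
        return m.group(1)
    return cmd.split()[0]


def parse_o4(line: str) -> Optional[Entry]:
    """Parse one HijackThis O4 line; returns None for any other line."""
    m = O4_REG.match(line)
    if m:
        return Entry(m.group("name"), m.group("hive") + "\\" + m.group("key"),
                     extract_path(m.group("cmd")))
    m = O4_STARTUP.match(line)
    if m:
        return Entry(m.group("name"), "Startup folder", extract_path(m.group("cmd")))
    return None


def flag(entry: Entry) -> Entry:
    """Attach a reason code for each heuristic the entry trips."""
    path, low = entry.path, entry.path.lower()
    base = path.rsplit("\\", 1)[-1]
    parent = low.rsplit("\\", 1)[0] if "\\" in low else ""
    stem = base.rsplit(".", 1)[0]
    if "?" in path or any(ord(c) > 127 for c in path):
        entry.reasons.append("lookalike-char")       # e.g. ?icrosoft\i?xplore.exe
    if not low.endswith(EXE_EXT):
        entry.reasons.append("no-exe-ext")           # e.g. system32\Microsoft.NET
    if any(d in low for d in USER_DIRS):
        entry.reasons.append("user-profile-dir")     # e.g. APPLIC~1\ASKS~1\ping.exe
    if re.search(r"\d{4,}", stem):
        entry.reasons.append("random-name")          # e.g. ms0566814-7927.exe
    if base.lower() in SYSTEM_TOOLS and not parent.endswith("\\system32"):
        entry.reasons.append("system-tool-name-outside-system32")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return only the O4 entries that raised at least one flag."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line.strip())
        if entry is not None and flag(entry).reasons:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.name}] {e.path}\n    {e.location}: {', '.join(e.reasons)}")
```

On the sample above it reports exactly the four entries the helper asked to fix or delete (msc, Oxc, ms0566814-7927, Ucet) and stays silent on QuickTime, ZoneAlarm and the WLAN utility.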