Help Please - HJT Log here

DOug
11. April 2006 @ 05:10
Got the windowsantiviruspro 2006 problem - Sigh.
Logfile of HijackThis v1.99.1
Scan saved at 13:58:13, on 11/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
D:\WINDOWS\RG91ZyBIYXl3YXJk\command.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
D:\Program Files\Network Monitor\netmon.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\mousepad10.exe
D:\Program Files\webHancer\Programs\whagent.exe
C:\Program Files\paytime.exe
D:\WINDOWS\system32\syshost.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\PROGRA~1\COMMON~1\ozzr\ozzrm.exe
D:\DOCUME~1\Doug\MYDOCU~1\APPATC~1\mshta.exe
D:\WINDOWS\system32\??mantec\r?ndll.exe
C:\winstall.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\WINDOWS\TEMP\NI.UWFX6_0001_N69M1503\setup.exe
D:\WINDOWS\TEMP\NI.UWA6P_0001_N73M0604\setup.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\TEMP\ytb2.exe
D:\Documents and Settings\Doug\Desktop\ccsetup128.exe
D:\WINDOWS\TEMP\ytb2.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - D:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=explorer.exe "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard10.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad10.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname10.exe
O4 - HKLM\..\Run: [SurfSideKick 3] D:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [webHancer Agent] D:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] D:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\Run: [WinAntiVirusPro2006] "D:\Program Files\WinAntiVirus Pro 2006\WinAV.exe" /min
O4 - HKLM\..\RunServices: [Microsoft Windows System] syshost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ozzr] D:\PROGRA~1\COMMON~1\ozzr\ozzrm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] D:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Ctcr] "D:\DOCUME~1\Doug\MYDOCU~1\APPATC~1\mshta.exe" -vt yazr
O4 - HKCU\..\Run: [Lvscc] D:\WINDOWS\system32\??mantec\r?ndll.exe
O4 - HKCU\..\Run: [Shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [order_Shell] D:\Documents and Settings\Doug\order_ivaw.exe
O4 - HKCU\..\Run: [Key] D:\DOCUME~1\Doug\LOCALS~1\Temp\1C7.tmp
O4 - HKCU\..\Run: [Win_Fixer_Free] D:\Program Files\WinFixerFree\uwinfx6.exe /scan
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: directpt - D:\WINDOWS\SYSTEM32\directpt.dll
O20 - Winlogon Notify: SensSrv - D:\WINDOWS\SYSTEM32\senssrv.dll
O20 - Winlogon Notify: Syncmgr - D:\WINDOWS\system32\j46m0ej1eho.dll
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\RG91ZyBIYXl3YXJk\command.exe
O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe
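The helper's replies below work through a log like this by hand: start/search pages pointing at a local file or an unfamiliar host, autostart entries launching from odd places, unfamiliar Winlogon Notify DLLs, services with no publisher, and LSP hijacks. As an added example (not part of the thread and not HijackThis code), the Python script below encodes those checks so they can be run over HJT log text. The sample lines are taken from the log above with a few benign lines mixed in; the expected-host allowlist and the list of Windows XP Winlogon Notify DLLs are assumptions to tune for your own environment.

```python
"""Heuristic triage of HijackThis v1.99 log lines (added example, not HJT code)."""
import re
from urllib.parse import urlparse

# Assumed allowlist of hosts you expect as start/search pages; tune per machine.
EXPECTED_HOSTS = {"www.google.com", "www.msn.com", "www.yahoo.com"}
# Assumed starter list of Winlogon Notify DLLs that ship with Windows XP.
KNOWN_WINLOGON_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                       "scecli.dll", "sclgntfy.dll", "wlnotify.dll"}

# Executable directly in a drive root, the Windows root, a Program Files root
# or any Temp folder: legitimate software almost never autostarts from there.
_ODD_LOCATION = re.compile(
    r"^(?:[a-z]:\\(?:windows\\|program files\\)?|.*\\temp\\)[^\\]+$", re.IGNORECASE)
# The launched file in an O4 line: either a quoted path or an unquoted path
# ending in a program-like extension (arguments such as /min may follow).
_O4_PATH = re.compile(
    r'"([^"]+)"|(\S.*?\.(?:exe|com|bat|cmd|scr|pif|hta|dll|tmp))(?=\s|$)', re.IGNORECASE)

# Constructed sample: lines from the log in the thread plus a few clean ones.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard10.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Key] D:\DOCUME~1\Doug\LOCALS~1\Temp\1C7.tmp
O10 - Hijacked Internet access by WebHancer
O20 - Winlogon Notify: Syncmgr - D:\WINDOWS\system32\j46m0ej1eho.dll
O20 - Winlogon Notify: directpt - D:\WINDOWS\SYSTEM32\directpt.dll
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\RG91ZyBIYXl3YXJk\command.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
"""


def _o4_target(rest: str) -> str:
    """Pull the launched file out of the text that follows [name] in an O4 line."""
    m = _O4_PATH.search(rest)
    return (m.group(1) or m.group(2)) if m else rest.strip()


def check_line(line: str):
    """Return a reason string if the HJT line deserves attention, else None."""
    section, _, body = line.partition(" - ")
    if section in ("R0", "R1"):
        value = body.rpartition(" = ")[2].strip()
        if re.match(r"^[a-z]:\\", value, re.IGNORECASE) or value.lower().startswith("file:"):
            return "browser page redirected to a local file"
        host = urlparse(value).hostname
        if host and host.lower() not in EXPECTED_HOSTS:
            return f"browser page set to unexpected host {host}"
    elif section == "O4":
        target = _o4_target(body.partition("] ")[2])
        if "\\" not in target:
            return "autostart by bare file name (resolved through PATH search)"
        if target.lower().endswith(".tmp"):
            return "autostart of a .tmp file"
        if _ODD_LOCATION.match(target):
            return "autostart from an unusual location"
    elif section == "O10":
        return "Winsock LSP hijack"
    elif section == "O20":
        path = body.split(" (file missing)")[0]
        dll = path.rpartition("\\")[2].rpartition(" ")[2].lower()
        if dll not in KNOWN_WINLOGON_DLLS:
            return f"non-standard Winlogon Notify DLL {dll}"
    elif section == "O23":
        if "Unknown owner" in body:
            return "service without a publisher, review manually"
    return None


def triage(log_text: str):
    """Run check_line over every line; return (section, reason, line) triples."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reason = check_line(line)
        if reason:
            findings.append((line.split(" ", 1)[0], reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The heuristics are deliberately one-sided: they raise items for a human to look at and never decide that something is clean, which is also how the helper treats the "Unknown owner" Belkin service in the thread (left alone after review).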

Senior Member
11. April 2006 @ 05:34
Ok, you got a massive collection of infections!
But don't worry, we'll get you cleaned =)
Cleaning Instructions
Go to Control Panel -> Add or remove programs -> Remove webHancer, WinAntiVirus if found
Download Look2Me-Destroyer -> http://www.atribune.org/ccount/click.php?id=7 and save it on the desktop
IMPORTANT: Before continuing, you MUST do the following:
->Print this or save it as a text file
->Click Start -> Run -> services.msc -> OK
->Check that this service is running or its startup type is Automatic:
Secondary logon
->Disconnect from the internet (unplug your network cable)
->Close ALL antivirus programs (this is essential!)
->Close all windows before continuing.
->Double-click Look2Me-Destroyer.exe to run it.
->Put a check next to Run this program as a task.
->You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
->When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, this is normal.
->Once it's done scanning, click the Remove L2M button.
->You will receive a Done Scanning message, click OK.
->When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
->Your computer will then shut down.
->Turn your computer back on.
If you receive a message from your firewall about this program accessing the internet, please allow it.
If you receive a runtime error '339', please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
THEN:
Download BFU.zip -> http://www.merijn.org/files/bfu.zip Unzip it to the folder C:\BFU
Run bfu.exe and click the web button (blue-green button in the upper-right corner)
Copy the following line to the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu
Press the Execute button.
THEN:
Download SideKickFix.bat -> http://downloads.subratam.org/Lon/sidekickFix.bat and save it to the folder C:\BFU.
Close all other windows.
Double-click the file sidekickFix.bat
Click YES and follow the instructions; when it asks about restarting the PC, restart it.
Post a new HijackThis log here and the contents of C:\Look2Me-Destroyer.txt too.
YOU ARE NOT CLEAN YET!
We'll continue the cleaning process when you post the logs =)
I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.

DOug
11. April 2006 @ 06:14
Ok, worked through all that, thanks by the way :)
Any suggestions of what else to do ?
Logfile of HijackThis v1.99.1
Scan saved at 15:09:49, on 11/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ozzr] D:\PROGRA~1\COMMON~1\ozzr\ozzrm.exe
O4 - HKCU\..\Run: [order_Shell] D:\Documents and Settings\Doug\order_ivaw.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: DH - D:\WINDOWS\system32\lv4609hse.dll (file missing)
O20 - Winlogon Notify: directpt - D:\WINDOWS\SYSTEM32\directpt.dll
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe

Senior Member
11. April 2006 @ 09:00
Ok, let's clean the rest of the infections.
You don't have a firewall or an antivirus on your computer. Download and install one firewall and one antivirus.
These are good (free) firewalls:
ZoneAlarm --> http://www.zonelabs.com
Kerio --> http://www.sunbelt-software.com/Kerio.cfm
Outpost --> http://www.agnitum.com
These are good (free) antiviruses:
AVG Antivirus --> http://www.grisoft.com
Avast --> http://www.avast.com
UPDATE Ewido, but do NOT run a scan yet.
Cleaning instructions:
Download smitrem to your desktop -> http://noahdfear.geekstogo.com/click%20counter/click.php?id=1 Double-click it and press Start; a smitrem folder appears on the desktop.
Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1 Do NOT run yet.
Restart your computer to the safe mode (Press F8 button when computer is starting and choose safe mode)
Run HijackThis and fix these entries (if found): (Do a system scan only, check entries, close all other windows, press Fix checked)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKCU\..\Run: [ozzr] D:\PROGRA~1\COMMON~1\ozzr\ozzrm.exe
O4 - HKCU\..\Run: [order_Shell] D:\Documents and Settings\Doug\order_ivaw.exe
O20 - Winlogon Notify: DH - D:\WINDOWS\system32\lv4609hse.dll (file missing)
O20 - Winlogon Notify: directpt - D:\WINDOWS\SYSTEM32\directpt.dll
Make your hidden files visible:
->On the Tools menu in Windows Explorer, click Folder Options.
->Click the View tab.
->Under Hidden files and folders, click Show hidden files and folders.
Delete these folders: (if found)
D:\PROGRA~1\COMMON~1\-->ozzr
D:\WINDOWS\-->RG91ZyBIYXl3YXJk
D:\Program Files\-->Network Monitor
D:\Program Files\-->webHancer
D:\DOCUME~1\Doug\MYDOCU~1\-->APPATC~1
D:\WINDOWS\system32\-->??mantec
D:\Program Files\-->SurfSideKick
D:\Program Files\-->WinAntiVirus Pro 2006
D:\Program Files\-->WinFixerFree
Delete these files: (if found)
C:\Program Files\-->paytime.exe
D:\Documents and Settings\Doug\-->order_ivaw.exe
D:\WINDOWS\system32\-->lv4609hse.dll
D:\WINDOWS\SYSTEM32\-->directpt.dll
D:\WINDOWS\SYSTEM32\-->senssrv.dll
D:\WINDOWS\system32\-->syshost.exe
Then go to the smitrem folder on your desktop, run the RunThis.bat file and follow the instructions.
Run ATF Cleaner -> Check select all -> Press Empty selected
Empty the Recycle Bin
Make your hidden files invisible again:
->On the Tools menu in Windows Explorer, click Folder Options.
->Click the View tab.
->Under Hidden files and folders, click Do not show hidden files and folders.
Scan and clean your computer with Ewido and save the log file.
Restart your computer normally.
Post the following logs to here:
-> fresh HijackThis log
-> Ewido's log
-> contents of C:\smitfiles.txt
-> contents of C:\Look2Me-Destroyer.txt

DOug
12. April 2006 @ 04:07
Smit Log
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: 12/04/2006
The current time is: 3:19:31.74
Running from
D:\Documents and Settings\Doug\Desktop\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Remove Spyware.url
Install.dat
~~~ Favorites ~~~
~~~ system32 folder ~~~
atmtd.dll
atmtd.dll._
svcp.csv
winsub.xml
zlbw.dll
zlbw.dll
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 792 'explorer.exe'
Killing PID 792 'explorer.exe'
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN! :)
HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 12:59:41, on 12/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ozzr] D:\PROGRA~1\COMMON~1\ozzr\ozzrm.exe
O4 - HKCU\..\Run: [order_Shell] D:\Documents and Settings\Doug\order_ivaw.exe
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: DH - D:\WINDOWS\system32\lv4609hse.dll (file missing)
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
Look 2 Me
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 11/04/2006 14:51:01
Infected! D:\WINDOWS\system32\czsetACL.dll
Infected! D:\WINDOWS\system32\f80olid3180.dll
Infected! D:\WINDOWS\system32\fplq0335e.dll
Infected! D:\WINDOWS\system32\lv4609hse.dll
Infected! D:\WINDOWS\system32\mgjter40.dll
Infected! D:\WINDOWS\system32\rWsman.dll
Attempting to delete infected files...
Attempting to delete: D:\WINDOWS\system32\czsetACL.dll
D:\WINDOWS\system32\czsetACL.dll Deleted successfully!
Attempting to delete: D:\WINDOWS\system32\f80olid3180.dll
D:\WINDOWS\system32\f80olid3180.dll Deleted successfully!
Attempting to delete: D:\WINDOWS\system32\fplq0335e.dll
D:\WINDOWS\system32\fplq0335e.dll Deleted successfully!
Attempting to delete: D:\WINDOWS\system32\lv4609hse.dll
D:\WINDOWS\system32\lv4609hse.dll Deleted successfully!
Attempting to delete: D:\WINDOWS\system32\mgjter40.dll
D:\WINDOWS\system32\mgjter40.dll Deleted successfully!
Attempting to delete: D:\WINDOWS\system32\rWsman.dll
D:\WINDOWS\system32\rWsman.dll Deleted successfully!
Making registry repairs.
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C300C5FA-7357-427D-84EE-7A9DEBB0182C}"
HKCR\Clsid\{C300C5FA-7357-427D-84EE-7A9DEBB0182C}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{63719493-78D9-4E04-AFC2-E1393091686B}"
HKCR\Clsid\{63719493-78D9-4E04-AFC2-E1393091686B}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0B475869-0700-4B6D-9269-3FC0F630449C}"
HKCR\Clsid\{0B475869-0700-4B6D-9269-3FC0F630449C}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{07F1AFAB-584A-4F66-B4A0-4137F94BDC59}"
HKCR\Clsid\{07F1AFAB-584A-4F66-B4A0-4137F94BDC59}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
ewido log
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 12:57:20, 12/04/2006
+ Report-Checksum: AB44ABF7
+ Scan result:
HKU\S-1-5-21-789336058-1580436667-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : Cleaned with backup
HKU\S-1-5-21-789336058-1580436667-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
[728] D:\WINDOWS\system32\directpt.dll -> Logger.Goldun.iy : Error during cleaning
[1800] D:\WINDOWS\system32\directpt.dll -> Logger.Goldun.iy : Error during cleaning
[1996] D:\WINDOWS\system32\directpt.dll -> Logger.Goldun.iy : Error during cleaning
[108] D:\WINDOWS\system32\directpt.dll -> Logger.Goldun.iy : Error during cleaning
C:\tool3.exe -> Downloader.Tiny.al : Cleaned with backup
C:\tool4.exe -> Logger.Haxspy.w : Cleaned with backup
D:\Documents and Settings\Cameron\Cookies\cameron@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
D:\Documents and Settings\Cameron\Cookies\cameron@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
D:\Documents and Settings\Cameron\Cookies\cameron@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
D:\Documents and Settings\Cameron\Cookies\cameron@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
D:\Documents and Settings\Cameron\Cookies\cameron@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
D:\Documents and Settings\Cameron\Cookies\cameron@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
D:\Documents and Settings\Cameron\Cookies\cameron@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.19:D:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.20:D:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.21:D:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.26:D:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.28:D:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.29:D:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.30:D:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.31:D:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.32:D:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
D:\Documents and Settings\Doug\Cookies\doug@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
D:\Documents and Settings\Doug\Cookies\doug@sel.as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
D:\WINDOWS\system32\__delete_on_reboot__directpt.dll -> Logger.Goldun.iy : Cleaned with backup
::Report End
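The ewido report above shows the pattern the helper then has to deal with: the same DLL (directpt.dll) is reported four times with "Error during cleaning", once per process ID that had it loaded, and only the renamed `__delete_on_reboot__` copy could be cleaned, which is why the next reply falls back to a delete-on-reboot tool. As an added example (not part of the thread and not ewido's code), the Python script below parses the "object -> detection : status" lines of such a report, groups the objects that could not be cleaned by the PIDs holding them, and flags whether any Logger.* (keylogger) detection was seen, which is what drives the "change all your passwords" advice later in the thread. The sample report is a constructed cut-down of the one posted above.

```python
"""Summarise an ewido anti-malware scan report (added example, not ewido code)."""
import re
from collections import defaultdict

# One result line: optional "[pid] " prefix, the object, "->", the detection
# name, ":", and the outcome. Firefox cookie entries carry a ":mozilla.N:"
# prefix, which simply becomes part of the object string.
_ENTRY = re.compile(
    r"^(?:\[(?P<pid>\d+)\]\s+)?(?P<obj>.+?)\s+->\s+(?P<det>\S+)\s+:\s+(?P<status>.+)$")

# Constructed sample, cut down from the report posted in the thread.
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Scan result:
HKU\S-1-5-21-789336058-1580436667-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : Cleaned with backup
[728] D:\WINDOWS\system32\directpt.dll -> Logger.Goldun.iy : Error during cleaning
[1800] D:\WINDOWS\system32\directpt.dll -> Logger.Goldun.iy : Error during cleaning
C:\tool3.exe -> Downloader.Tiny.al : Cleaned with backup
C:\tool4.exe -> Logger.Haxspy.w : Cleaned with backup
D:\Documents and Settings\Doug\Cookies\doug@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
D:\WINDOWS\system32\__delete_on_reboot__directpt.dll -> Logger.Goldun.iy : Cleaned with backup
::Report End
"""


def parse_report(text: str):
    """Return one dict per result line; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries.append({"pid": int(m["pid"]) if m["pid"] else None,
                            "object": m["obj"],
                            "detection": m["det"],
                            "status": m["status"]})
    return entries


def summarize(entries):
    """Group outcomes so the follow-up actions are obvious at a glance."""
    locked = defaultdict(list)          # path -> PIDs that had it loaded
    for e in entries:
        if e["status"].startswith("Error"):
            locked[e["object"]].append(e["pid"])
    return {
        "cleaned": sum(1 for e in entries if e["status"].startswith("Cleaned")),
        "locked": dict(locked),
        "rebooted_deletions": [e["object"] for e in entries
                               if "__delete_on_reboot__" in e["object"]],
        # Any Logger.* family means credentials typed on the box are suspect.
        "keylogger_seen": any(e["detection"].startswith("Logger.") for e in entries),
        "non_cookie_detections": sorted({e["detection"] for e in entries
                                         if not e["detection"].startswith("TrackingCookie")}),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

A file listed under "locked" could not be removed while the listed processes were running, so it needs either a safe-mode deletion or a delete-on-reboot entry, exactly the two routes the helper's next replies take.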

Senior Member
12. April 2006 @ 06:17
Ok, still something that needs cleaning.
You haven't installed a firewall or antivirus, install those now.
Cleaning instructions
Fix the following entries with HijackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKCU\..\Run: [ozzr] D:\PROGRA~1\COMMON~1\ozzr\ozzrm.exe
O4 - HKCU\..\Run: [order_Shell] D:\Documents and Settings\Doug\order_ivaw.exe
O20 - Winlogon Notify: DH - D:\WINDOWS\system32\lv4609hse.dll (file missing)
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
Download Killbox to your desktop -> http://www.downloads.subratam.org/KillBox.zip Unzip it to your desktop.
Run Killbox.exe
-> Choose Delete on Reboot
-> Click All Files option.
Copy the following lines to your clipboard (choose text with your mouse, press CTRL+C or copy)
c:\secure32.html
C:\Program Files\paytime.exe
D:\PROGRA~1\COMMON~1\ozzr\ozzrm.exe
D:\Documents and Settings\Doug\order_ivaw.exe
Then go back to Killbox
-> go to File
-> choose Paste from Clipboard
-> Click the red-white Delete File option.
-> Click Yes to Delete on Reboot question
-> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
-> Restart your computer if Killbox won't do it.
(If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe from here to your desktop and run the file, then try running Killbox -> http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe)
Post a new HijackThis log to here.

DOug
12. April 2006 @ 06:37
Logfile of HijackThis v1.99.1
Scan saved at 15:35:58, on 12/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe

Senior Member
12. April 2006 @ 06:45
Ok, still something.
Cleaning instructions:
Restart your computer to the safe mode (Press F8 button when computer is starting and choose safe mode)
Run HijackThis and fix this entry:
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
Make your hidden files visible:
->On the Tools menu in Windows Explorer, click Folder Options.
->Click the View tab.
->Under Hidden files and folders, click Show hidden files and folders.
Delete this folder:
D:\PROGRA~1\COMMON~1\ozzr
Delete this file:
D:\WINDOWS\system32\directpt.dll
Empty the Recycle Bin
Restart your computer normally.
Download F-Secure Blacklight to your desktop -> http://www.europe.f-secure.com/exclude/blacklight/blbeta.exe
Run a scan with Blacklight; a log named fsbl**********.log will appear on your desktop.
Do not rename/remove anything with Blacklight yet.
Post the following logs to here:
1. New HijackThis log
2. contents of fsbl**********.log (from your desktop)
You also had a keylogger on your computer, so you should change all your passwords (banking, shopping etc.).
And you don't have an antivirus or firewall on your pc. Install those now.