Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help
w32/stration virus w32/stration virus
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

Reply
Page 1 of 2 1 2 >
 
Thread Tools
Old 11-03-2006, 06:43 AM   #1 (permalink)
Registered User
 
Join Date: Mar 2005
Location: Halifax, NS Canada
Posts: 108
OS: Win XP


w32/stration virus
Hi all,

I have a computer that I'm working on with the stration virus, which McAfee keeps says it has cleaned. E1.dll is the most frequent file that it comes up with as being infected.

Windows updates won't work either. I saw some other people say run hijackthis sooooo....
Logfile of HijackThis v1.99.1
Scan saved at 10:41:09 AM, on 11/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\bdetienne\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Find a Notebook, Desktop, Server, Printer, Software, Service, Monitor or TV at Dell.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Internet Explorer Search Assistant
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = accoona | SuperTarget Your Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.med.dal.ca/medix
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Find a Notebook, Desktop, Server, Printer, Software, Service, Monitor or TV at Dell.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Find a Notebook, Desktop, Server, Printer, Software, Service, Monitor or TV at Dell.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = Internet Explorer Search Assistant
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = accoona | SuperTarget Your Search
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPWG myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133183348937
O20 - AppInit_DLLs: e1.dll libdcabi.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: vsutmsgi - C:\WINDOWS\system32\vsutmsgi.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
smorley is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 11-04-2006, 04:28 AM   #2 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Posts: 890
OS: Windows XP Home


Hello and welcome to TSF

You may wish to Subscribe to this thread (Thread Tools) so that you are alerted when you receive a reply.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.



------------------



UPLOAD SUSPICIOUS FILE

Please visit this site and upload the following file:


C:\WINDOWS\system32\ vsutmsgi.dll


Copy and paste the results from the scanners into your reply



-------------------


DOWNLOADS

Download and install CleanUp! but do not run it yet.

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.



-----------------



Download AVG Anti-Spyware
  • Install AVG Anti-Spyware
  • Double-click the icon on Desktop to launch AVG Anti-Spyware
You will need to update AVG Anti-Spyware to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.



---------------------




  1. Download and run - bfu.zip
  2. Checkmark the following boxes:
    • Use settings specified in script for the above option
    • Show log after script ends
  3. Click the Web button located on the top right corner
  4. Copy/Paste this url into the address bar of the Download script window:

    http://metallica.geekstogo.com/alcanshorty.bfu

  5. Execute the script by clicking the Execute button.
  6. When it finishes running, click the Save button for a copy of the log
  7. Post the log created by the script when you have completed the fix


--------------------



SAFE MODE

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.


----------------------


ADD/REMOVE PROGRAMS

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):


Accoona


-----------------------


FIXES WITH HIJACK THIS

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (make sure you do not miss any)


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Internet Explorer Search Assistant
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = accoona | SuperTarget Your Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = Internet Explorer Search Assistant
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = accoona | SuperTarget Your Search
R3 - Default URLSearchHook is missing
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O20 - AppInit_DLLs: e1.dll libdcabi.dll


Please remember to close all other windows, including browsers then click Fix checked.


------------------------


FILE DELETIONS

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

Locate any files which do not have the full path listed with them via Start > Search > All Files and Folders.


C:\Program Files\ Accoona
e1.dll
libdcabi.dll


------------------------


CLEANUP!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the “Temporary Files” and uncheck the box for “Scan drives for file matching” if it’s checked.
Click OK
Press the CleanUp! button to start the program. DO NOT reboot/logoff when prompted.


-------------------------


AVG ANTI-SPYWARE

Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
Restart in normal mode.



--------------------------



ONLINE SCAN

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------


UPDATE JAVA

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.


------------------


Paste the Panda Scan report here together with a new HiJackThis log, the log from AVG Anti-Spyware and the log from the BFU tool. Also post the report from scanning the suspicious file.
__________________
Last edited by Hustler24 : 11-04-2006 at 04:30 AM.
Hustler24 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 11-06-2006, 06:35 AM   #3 (permalink)
Registered User
 
Join Date: Mar 2005
Location: Halifax, NS Canada
Posts: 108
OS: Win XP


[quote=Hustler24;686688]Please visit this site and upload the following file:


C:\WINDOWS\system32\ vsutmsgi.dll


Copy and paste the results from the scanners into your reply

Hello and welcome to TSF

You may wish to Subscribe to this thread (Thread Tools) so that you are alerted when you receive a reply.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.



------------------



UPLOAD SUSPICIOUS FILE

My Results:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
smorley is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 11-06-2006, 06:48 AM   #4 (permalink)
Registered User
 
Join Date: Mar 2005
Location: Halifax, NS Canada
Posts: 108
OS: Win XP


Brute Force Log:

BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 10:45:02 AM, on 11/6/2006

Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: DllUnregister C:\Program Files\Deskbar\deskbar.dll|1 (file not found)
Failed: DllUnregister \asappsrv.dll|1 (file not found)
Failed: DllUnregister \MyToolBar.dll (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (service not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable cmdService (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)
Failed: RegDelValue HKCU\software\microsoft\windows\currentversion\policies\explorer\run|{84c4d3ae-0bb0-1033-0729-050001} (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetwork (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|ms-update (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetworking (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2p networking (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|virtual-ie (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|MS DATABASE (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|xp (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|winlog (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|wmplayer (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|tetriz3 (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CQ4d6 (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|SystemTools (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|eventwvr (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|truetype (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|0mcamcap (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|mysvcig38 (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\update.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\services.dll (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\activate.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\MyToolBar.dll (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\update.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\services.dll (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\activate.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\MyToolBar.dll (operation failed)
Failed: FolderDelete C:\Program Files\toolbar888 (folder not found)
Failed: FolderDelete C:\Program Files\e-mailpaysu toolbar (folder not found)
Failed: FolderDelete C:\Program Files\EMUSIC TOOLBAR (folder not found)
Failed: FolderDelete C:\Program Files\find dvd toolbar (folder not found)
Failed: FolderDelete C:\Program Files\GULESIDER VERKTøYLINJE (folder not found)
Failed: FolderDelete C:\Program Files\sesam-p4 toolbar (folder not found)
Failed: FolderDelete C:\Program Files\slownik ling (folder not found)
Failed: FolderDelete C:\Program Files\p2pnetworks (folder not found)
Failed: FileDelete C:\DOCUME~1\BDETIE~1\LOCALS~1\Temp\AcrAA.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\BDETIE~1\LOCALS~1\Temp\AcrAC.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\BDETIE~1\LOCALS~1\Temp\AcrBC.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\BDETIE~1\LOCALS~1\Temp\AcrC6.tmp (operation failed)
Failed: FolderDelete C:\DOCUME~1\BDETIE~1\LOCALS~1\Temp\NAILogs (operation failed)
Failed: FolderDelete C:\DOCUME~1\BDETIE~1\LOCALS~1\Temp\Temporary Directory 1 for bfu.zip (operation failed)
Failed: FileDelete C:\DOCUME~1\BDETIE~1\LOCALS~1\Temp\~DFA413.tmp (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
Failed: FolderDelete C:\Program Files\PSCastor (folder not found)
Failed: FolderDelete C:\Program Files\CMIntex (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\simtest (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\misc001 (folder not found)
Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FolderDelete C:\Program Files\Update03 (folder not found)
Failed: FolderDelete C:\Program Files\Update04 (folder not found)
Failed: FolderDelete C:\Program Files\Update08 (folder not found)
Failed: FolderDelete C:\Program Files\W-Update (folder not found)
Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)
Failed: FolderDelete C:\Program Files\Cas (folder not found)
Failed: FolderDelete C:\Program Files\CasStub (folder not found)
Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)
Failed: FolderDelete C:\Program Files\ipwins (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\Snowball Wars (folder not found)
Failed: FolderDelete C:\WINDOWS\mdrive (folder not found)
Failed: FolderDelete C:\WINDOWS\system32\crunner (folder not found)
Failed: FolderDelete C:\Program Files\PECarlin (folder not found)
Failed: FolderDelete C:\Program Files\AXVenore (folder not found)
Failed: FolderDelete C:\Program Files\SDVita (folder not found)
Failed: FolderDelete C:\Program Files\EQBranch (folder not found)
Failed: FolderDelete C:\Program Files\EQArticle (folder not found)
Failed: FolderDelete C:\Program Files\PSHope (folder not found)
Failed: FolderDelete C:\Program Files\Batty (folder not found)
Failed: FolderDelete C:\Program Files\Batty2 (folder not found)
Failed: FolderDelete C:\Program Files\AXFibula (folder not found)
Failed: FolderDelete C:\Program Files\CMFibula (folder not found)
Failed: FolderDelete C:\Program Files\PSLister (folder not found)
Failed: FolderDelete C:\Program Files\PSCloner (folder not found)
Failed: FolderDelete C:\Program Files\PSDream (folder not found)
Failed: FolderDelete C:\Program Files\cmapp (folder not found)
Failed: FolderDelete C:\Program Files\cmman (folder not found)
Failed: FolderDelete C:\Program Files\cmsystem (folder not found)
Failed: FolderDelete C:\Program Files\fcengine (folder not found)
Failed: FolderDelete C:\Program Files\wincmapp (folder not found)
Failed: FolderDelete C:\Program Files\Deskbar\Cache (folder not found)
Failed: FolderDelete C:\Program Files\popupwithcast (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\cloader (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\misc001 (folder not found)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.
smorley is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 11-06-2006, 08:21 AM   #5 (permalink)
Registered User
 
Join Date: Mar 2005
Location: Halifax, NS Canada
Posts: 108
OS: Win XP


FILE DELETIONS

C:\Program Files\Accoona - didn't exist
e1.dll - wouldn't let me delete, said right protected or in use
libdcabi.dll - ditto
smorley is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 11-06-2006, 10:07 AM   #6 (permalink)
Registered User
 
Join Date: Mar 2005
Location: Halifax, NS Canada
Posts: 108
OS: Win XP


Panda Software was clean
smorley is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 11-06-2006, 10:09 AM   #7 (permalink)
Registered User
 
Join Date: Mar 2005
Location: Halifax, NS Canada
Posts: 108
OS: Win XP


Hijack this log after all that reads like this:

Logfile of HijackThis v1.99.1
Scan saved at 2:09:14 PM, on 11/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\bdetienne\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Find a Notebook, Desktop, Server, Printer, Software, Service, Monitor or TV at Dell.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.med.dal.ca/medix
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Find a Notebook, Desktop, Server, Printer, Software, Service, Monitor or TV at Dell.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Find a Notebook, Desktop, Server, Printer, Software, Service, Monitor or TV at Dell.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPWG myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [brwdiag] C:\WINDOWS\system32\brwconf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133183348937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: e1.dll libdcabi.dll confaud.dll audstat.dll confbrw.dll brwstat.dll
O20 - Winlogon Notify: audmgr - audmgr32.dll (file missing)
O20 - Winlogon Notify: brwmgr - C:\WINDOWS\SYSTEM32\brwmgr32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: vsutmsgi - C:\WINDOWS\system32\vsutmsgi.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
smorley is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 11-06-2006, 03:05 PM   #8 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Posts: 890
OS: Windows XP Home


Please post your AVG antispyware log.
__________________
Hustler24 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 11-07-2006, 04:53 AM   #9 (permalink)
Registered User
 
Join Date: Mar 2005
Location: Halifax, NS Canada
Posts: 108
OS: Win XP


Sorry about that:
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:12:27 PM 11/6/2006

+ Scan result:



HKU\S-1-5-21-753900948-4145300520-3361387928-1006\Software\Microsoft\Internet Explorer\URLSearchHooks\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned with backup (quarantined).
HKU\S-1-5-21-753900948-4145300520-3361387928-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{364B6276-C6C1-40B6-A6D7-6C48871FD707} -> Adware.Accoona : Cleaned with backup (quarantined).
HKU\S-1-5-21-753900948-4145300520-3361387928-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353\A0026529.exe -> Worm.Warezov : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353\A0026530.dll -> Worm.Warezov : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ipxwkbdp.exe -> Worm.Warezov : Cleaned with backup (quarantined).
C:\WINDOWS\system32\libdcabi.dll -> Worm.Warezov : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP352\A0026497.dll -> Worm.Warezov.dd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\danisxs.dll -> Worm.Warezov.dd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP348\A0026240.exe -> Worm.Warezov.df : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP349\A0026290.exe -> Worm.Warezov.df : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP349\A0026312.exe -> Worm.Warezov.df : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0026358.exe -> Worm.Warezov.df : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0026382.exe -> Worm.Warezov.df : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0026387.exe -> Worm.Warezov.df : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353\A0026547.exe -> Worm.Warezov.df : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vsutmsgi.exe -> Worm.Warezov.df : Cleaned with backup (quarantined).
[1496] C:\WINDOWS\System32\vsutmsgi.exe -> Worm.Warezov.df : Cleaned with backup (quarantined).
C:\WINDOWS\system32\audconf.exe -> Worm.Warezov.dq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\audmgr32.dll -> Worm.Warezov.dq : Cleaned with backup (quarantined).
C:\WINDOWS\msserv.exe -> Worm.Warezov.eq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP348\A0026237.exe -> Worm.Warezov.et : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353\A0026541.exe -> Worm.Warezov.et : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353\A0026542.exe -> Worm.Warezov.et : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vsutmsgi.dll -> Worm.Warezov.et : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP348\A0026236.exe -> Worm.Warezov.ev : Cleaned with backup (quarantined).
C:\WINDOWS\system32\audstat.dll -> Worm.Warezov.ex : Cleaned with backup (quarantined).
C:\WINDOWS\system32\confaud.dll -> Worm.Warezov.ex : Cleaned with backup (quarantined).
[204] C:\WINDOWS\system32\confaud.dll -> Worm.Warezov.ex : Cleaned with backup (quarantined).
[248] C:\WINDOWS\system32\confaud.dll -> Worm.Warezov.ex : Cleaned with backup (quarantined).
[260] C:\WINDOWS\system32\confaud.dll -> Worm.Warezov.ex : Cleaned with backup (quarantined).
[416] C:\WINDOWS\system32\confaud.dll -> Worm.Warezov.ex : Cleaned with backup (quarantined).
[476] C:\WINDOWS\system32\confaud.dll -> Worm.Warezov.ex : Cleaned with backup (quarantined).
[524] C:\WINDOWS\system32\confaud.dll -> Worm.Warezov.ex : Cleaned with backup (quarantined).
[832] C:\WINDOWS\system32\confaud.dll -> Worm.Warezov.ex : Cleaned with backup (quarantined).
[988] C:\WINDOWS\system32\confaud.dll -> Worm.Warezov.ex : Cleaned with backup (quarantined).


::Report end
smorley is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 11-07-2006, 10:46 AM   #10 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Posts: 890
OS: Windows XP Home


SAFE MODE

Please reboot into Safe Mode as directed earlier and stay in Safe Mode until directed later in the fix.


------------------



HIJACK THIS FIXES


Fix the following lines in Hijack This, as you did earlier:


O4 - HKLM\..\Run: [brwdiag] C:\WINDOWS\system32\brwconf.exe
O20 - AppInit_DLLs: e1.dll libdcabi.dll confaud.dll audstat.dll confbrw.dll brwstat.dll
O20 - Winlogon Notify: audmgr - audmgr32.dll (file missing)
O20 - Winlogon Notify: brwmgr - C:\WINDOWS\SYSTEM32\brwmgr32.dll
O20 - Winlogon Notify: vsutmsgi - C:\WINDOWS\system32\vsutmsgi.dll (file missing)


--------------------


FILE DELETIONS


Locate the following files via Start > Search > All Files and Folders , or manually, and delete them:


C:\WINDOWS\system32\ brwconf.exe
e1.dll
libdcabi.dll
confaud.dll
audstat.dll
confbrw.dll
brwstat.dll
C:\WINDOWS\SYSTEM32\ brwmgr32.dll


--------------------


NORMAL MODE

Reboot into Normal mode.


--------------------


ONLINE SCAN

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


-----------------------------


Post the Kaspersky log and a new HJT log.
__________________
Last edited by Hustler24 : 11-07-2006 at 10:47 AM.
Hustler24 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 11-08-2006, 11:25 AM   #11 (permalink)
Registered User
 
Join Date: Mar 2005
Location: Halifax, NS Canada
Posts: 108
OS: Win XP


w32/stration virus
[quote=Hustler24;690107] SAFE MODE

When I perform the the removals in Hijackthis, I get the following error:

An unexpected error has occured at procedure: modBackup_MakeBackup(sitem=o20 - appInit_dllS:e1.dll,libdcabi.dll, confaud.dll audstat.dll confbrw.dll brwstat.dll) Error #5 - Invalid procedure call or arguement

They still removed after I clicked on the error.
--------------------


FILE DELETIONS

I got all the files deleted, brwconf.exe and e1.dll deleted simply.
These 3 :libdcabi.dll ,confaud.dll ,audstat.dll were not found.

These 3: confbrw.dll ,brwstat.dll,C:\WINDOWS\SYSTEM32\brwmgr32.dll I couldn't delete, I had to rename, then reboot, and then they would delete.


Kasperski is still running as I type this.
smorley is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 11-08-2006, 12:17 PM   #12 (permalink)
Registered User
 
Join Date: Mar 2005
Location: Halifax, NS Canada
Posts: 108
OS: Win XP


Kasperski log:

KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 08, 2006 4:15:59 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/11/2006
Kaspersky Anti-Virus database records: 239499


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases false

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 51542
Number of viruses found 4
Number of infected objects 13 / 0
Number of suspicious objects 0
Duration of the scan process 00:54:26

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20061108_Time-145710437_EnterceptExceptions.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20061108_Time-145710437_EnterceptRules.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_BRENDADETIENNE.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_BRENDADETIENNE.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped

C:\Documents and Settings\bdetienne\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\bdetienne\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped

C:\Documents and Settings\bdetienne\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\bdetienne\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\bdetienne\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\bdetienne\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\bdetienne\ntuser.dat Object is locked skipped

C:\Documents and Settings\bdetienne\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\Us