Infected computer. Please help!

DaTwinkie · 03-01-2006, 10:41 PM

Hello,

I can't even use my computer unless I run it in safe mode. I used Ad-Aware and Spybot Search & Destroy and the problem still won't go away. Here's a copy of my HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 10:40:29 PM, on 3/1/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlfaCleaner\AlfaCleaner.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Andrew J Yu\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\System32\msnscps.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TIAP] c:\windows\eee2.exe
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [sysvx] C:\WINDOWS\sysvx_.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20004\winlogon.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [rscn] C:\WINDOWS\System32\bum587.exe ymmud
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\System32\intell321.exe
O4 - HKLM\..\Run: [AlfaCleaner] C:\Program Files\AlfaCleaner\AlfaCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O21 - SSODL: AOL Instant Messenger - {86DB7CB7-F300-C3DF-3D1F-5E4F42586770} - c:\program files\aim\winnfvn32.dll
O23 - Service: AlfaCleanerService - AlfaCleaner.com - C:\Program Files\AlfaCleaner\ACServer.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Please help me if you can... Thanks!

tetonbob · 03-02-2006, 08:35 AM

This system is seriously infected, and there's several reasons why.

You have no Anti Virus protection program.

Your Windows XP is unpatched,

leaving all the security flaws available for malware to exploit. Windows XP is at Service Pack 2,and has been for a couple of years now, meaning there are many patches even beyond SP2 that are open to exploit on this system.

Can you use Safe Mode with Networking on this machine? Are you posting from the infected machine, or another? This will determine the approach taken.

DaTwinkie · 03-02-2006, 07:01 PM

Currently, I am on the infected computer using Safe Mode with Networking.

tetonbob · 03-02-2006, 09:10 PM

This is going to take you some time. Be sure to complete each and every step.

Please download & install the trial version of Kaspersky Personal Pro
Have it update it's virus definitions & then exit the program.

Please download these additional files/programs. Do not run them unless instructed to do so.

smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

*Note* Alternate download sites for smitrem... http://www.downloads.subratam.org/smitRem.exe
http://www.bleepingcomputer.com/file...ar/smitRem.exe

DelDomains.inf
Right-click and select Save Target As - save it to your desktop.

To use: Right-click and select....... Install (no need to restart)
**Note** This will remove all entries in the "Trusted Zone"

Download Ewido Security Suite

Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Download and install CleanUp!
NOTE: Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins
Delete Cookies
Delete Prefetch files (if present)
Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to log-off/reboot at the end, if it does please do so.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.

Do a full system scan with Kaspersky & have it disinfect all that it finds.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\System32\msnscps.dll
O4 - HKLM\..\Run: [TIAP] c:\windows\eee2.exe
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [sysvx] C:\WINDOWS\sysvx_.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20004\winlogon.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [rscn] C:\WINDOWS\System32\bum587.exe ymmud
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\System32\intell321.exe
O4 - HKLM\..\Run: [AlfaCleaner] C:\Program Files\AlfaCleaner\AlfaCleaner.exe
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: AlfaCleanerService - AlfaCleaner.com - C:\Program Files\AlfaCleaner\ACServer.exe

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Delete the following Files/Folders if they exist:

C:\WINDOWS\System32\msnscps.dll
c:\windows\eee2.exe
C:\WINDOWS\sysldr32.exe
C:\WINDOWS\sysvx_.exe
C:\WINDOWS\inet20004
C:\WINDOWS\System\svwhost.exe
C:\WINDOWS\System32\bum587.exe
C:\WINDOWS\sachostx.exe
C:\WINDOWS\System32\intell321.exe
C:\Program Files\AlfaCleaner
C:\WINDOWS\SYSTEM32\msupdate32.dll

Next go to Control Panel click Display>Desktop>Customize Desktop>Website>Uncheck and delete if present:

"Security Info"
"Warning Message"
"Security Desktop"
"Warning Homepage"
"Desktop Uninstall"

Restart in normal mode if possible.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

IMPORTANT!:

You will need to use the direct link to SP1 below.

Before we can proceed any further, please visit the Microsoft's Windows Update Page and install ALL Critical Updates for your system (except service pack 2) (SP2). SP2 should only be installed on a fully disinfected system. At the minimum install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid ....then you may not have a legitimate copy of Windows XP. Unfortunately it’s also this forums policy that we only address users with a legal copy of Windows XP.... therefore if you can not update Windows XP to SP1 we must stop the cleansing process here.

**Note** If you're having trouble locating the service pack SP1a here is a direct link to download it from..

http://download.microsoft.com/downlo...p1a_en_x86.exe

Run a new scan with HJT, in normal mode if possible now, save the log and post it.

Thank you for your cooperation.

Return with logs from:

Ewido
smitfiles.txt
Kaspersky online scan
HJT

DaTwinkie · 03-03-2006, 08:11 PM

Hi,

Here's the ewido report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:54:19 AM, 3/3/2006
+ Report-Checksum: E99156EE

+ Scan result:

HKLM\SOFTWARE\Classes\AppID\{78364D99-A640-4ddf-B91A-67EFF8373045} -> Trojan.Brospy.c : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{78364D99-A640-4ddf-B91A-67EFF8373045} -> Trojan.Brospy.c : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78364D99-A640-4ddf-B91A-67EFF8373045} -> Trojan.Brospy.c : Cleaned with backup
[632] C:\WINDOWS\system32\msupdate32.dll -> Downloader.Delf.aic : Cleaned with backup
C:\Program Files\AIM\winnfvn32.dll -> Trojan.Small : Cleaned with backup
C:\WINDOWS\eee2.exe -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\LastGood\webhdll.dll -> Adware.WebHancer : Cleaned with backup
C:\WINDOWS\PMET.exe/eee2.exe -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\sachostx.exe -> Logger.Small.fe : Cleaned with backup
C:\WINDOWS\surv3.exe -> Downloader.VB.vv : Cleaned with backup
C:\WINDOWS\system\svchost.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system\svwhost.exe -> Backdoor.Agent.qr : Cleaned with backup
C:\WINDOWS\system32\bum587.exe -> Downloader.Small.cjd : Cleaned with backup
C:\WINDOWS\system32\mspostsp.exe -> Trojan.Inject.i : Cleaned with backup
C:\WINDOWS\system32\msupdate32.dll -> Downloader.Delf.aic : Cleaned with backup
C:\WINDOWS\system32\msvcrl.dll -> Logger.Small.fe : Cleaned with backup
C:\WINDOWS\system32\oleext.dll -> Trojan.Small.ev : Cleaned with backup
C:\WINDOWS\system32\sysvx.exe -> Worm.Locksky.m : Cleaned with backup
C:\WINDOWS\system32\tio252.dll -> Downloader.Small.cjc : Cleaned with backup
C:\WINDOWS\system32\tio253.dll -> Downloader.Small.cjc : Cleaned with backup
C:\WINDOWS\system32\tio314.dll -> Downloader.Small.cjc : Cleaned with backup
C:\WINDOWS\system32\tio40.dll -> Downloader.Small.cjc : Cleaned with backup
C:\WINDOWS\system32\tio601.dll -> Downloader.Small.cjc : Cleaned with backup
C:\WINDOWS\system32\tio724.dll -> Downloader.Small.cjc : Cleaned with backup
C:\WINDOWS\system32\tio744.dll -> Downloader.Small.cjc : Cleaned with backup
C:\WINDOWS\system32\tio996.dll -> Downloader.Small.cjc : Cleaned with backup
C:\WINDOWS\sysvx_.exe -> Worm.Locksky.aj : Cleaned with backup
C:\WINDOWS\whCC-GIANT.exe/WhAgent.exe -> Adware.WebHancer : Cleaned with backup
D:\Program Files\GlobalSCAPE\CuteFTP\CTInstall.exe -> Adware.TimeSink : Cleaned with backup

::Report End

Here's the smitfiles.txt:

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 03/03/2006
The current time is: 0:15:38.81

Running from
C:\Documents and Settings\Andrew J Yu\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

oleext.dll

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 312 'explorer.exe'
Killing PID 312 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

oleext.dll

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

Here's the HiJack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:10:44 PM, on 3/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andrew J Yu\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141402189765
O21 - SSODL: AOL Instant Messenger - {86DB7CB7-F300-C3DF-3D1F-5E4F42586770} - c:\program files\aim\winnfvn32.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

tetonbob · 03-04-2006, 06:57 AM

Good job!

It appears from your log you now have normal mode access, correct?

I see from your log you were able to download the Kaspersky online scanner ActiveX controls...were you able to run the scan, and were there any results?

Please post them here if so. If you have not run the scan, please do so now and post the results.

Also run this online scan, please. This system was very compromised, and each scanner may find what the other may not see.....

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

*Turn off the real time scanner of any existing antivirus program while performing the online scan

Post those results here as well.

How is your system behaving now?

DaTwinkie · 03-06-2006, 09:09 PM

Hi,

I am back on Windows XP using normal startup now, but my computer is still running slowly and it takes a lot longer now using Internet Explorer.

Nonetheless, here are the reports:

Kaspersky -

Statistics:
Start time: 3/6/2006 5:56:59 PM
Completion time: 3/6/2006 7:47:09 PM
Objects scanned: 281884
Dangerous objects detected: 5
Viruses disinfected: 0
Objects deleted: 0
Objects quarantined: 0

Settings:
Objects to be scanned:
My Computer
Actions to be performed with dangerous objects:
Prompt user for action once the scan is completed
Actions to be performed with suspicious objects:
Prompt user for action once the scan is completed
Scan level:
Recommended:
objects to be scanned - all files
archives - scanned
packed files - scanned
self-extracting archives - scanned
OLE-objects - scanned
alternate NTFS streams - scanned
mail format files - not scanned
mail databases - not scanned
size limit - no limit
time limit - off
password - not prompted
scan acceleration - iChecker/iStreams
Exclusions from the scan scope:
Option not used

Report:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ABetterInternetAurora.zip\mm63.ocx password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ABetterInternetAurora.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\related.htm password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer.zip\optimize.exe password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer1.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer1.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaMotor.zip\affbun.txt password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaMotor.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaMotor1.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaMotor1.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:44 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaMotor2.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaMotor2.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaMotor3.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaMotor3.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SearchCentrix.zip\spoolsvv.exe password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SearchCentrix.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SearchCentrix1.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SearchCentrix1.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip\qvxt4.game password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip\qvxt3.game password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC12.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC12.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip\qvxt2.game password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip\maxdd.game password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip\vxgame4.exe password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip\vxgame1.exe password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip\svchost.exe password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:45 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip\vxgamet3.exe password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC8.zip\vxgamet2.exe password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC8.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC9.zip\vxgamet1.exe password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC9.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff.zip\SpySheriff.lnk password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff1.zip\SpySheriff.lnk password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff1.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff10.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff10.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff11.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff11.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff2.zip\vxt4.game password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff2.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff3.zip\vxt2.game password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff3.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff4.zip\vx6.game password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff4.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff5.zip\vx4.game password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff5.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff6.zip\vx2.game password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff6.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff7.zip\vx1.game password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff7.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff8.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff8.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff9.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusDisableNotify.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusDisableNotify.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusDisableNotify1.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusDisableNotify1.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride1.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride1.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterFirewallDisableNotify.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterFirewallDisableNotify.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterFirewallDisableNotify1.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterFirewallDisableNotify1.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterFirewallOverride.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterFirewallOverride.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:46 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterFirewallOverride1.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:47 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterFirewallOverride1.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:47 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterSPUpdate.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:47 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterSPUpdate.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:47 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterSPUpdate1.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:47 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterSPUpdate1.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:47 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterUpdateDisableNotify.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:47 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterUpdateDisableNotify.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:47 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterUpdateDisableNotify1.zip\sbRecovery.reg password protected, has not been processed 3/6/2006 5:57:47 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterUpdateDisableNotify1.zip\sbRecovery.ini password protected, has not been processed 3/6/2006 5:57:47 PM
C:\Documents and Settings\Andrew J Yu\Desktop\aimfix_quarantine\29548_scvhost.exe.bak is a Trojan Backdoor.Win32.Aimbot.ch 3/6/2006 6:01:45 PM
C:\Documents and Settings\Andrew J Yu\Desktop\aimfix_quarantine\29548_scvhost.exe.bak object could not be disinfected, disinfection postponed 3/6/2006 6:01:45 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\Ad-Aware SE Default.skn password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\arrow1.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\arrow2.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bck1.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt11.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt12.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt13.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt21.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt22.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt23.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt31.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt32.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt33.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt41.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt42.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt43.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt51.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt52.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt53.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt61.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt62.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox1.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox2.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox3.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox4.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn1.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn2.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn3.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph1.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph2.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph3.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph4.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph5.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph6.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph7.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\main.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\preview.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\sprite1.bmp password protected, has not been processed 3/6/2006 6:23:31 PM
C:\WINDOWS\system32\kernels8.exe is a Trojan Trojan-Downloader.Win32.Tibs.cv 3/6/2006 6:51:39 PM
C:\WINDOWS\system32\kernels8.exe object could not be disinfected, disinfection postponed 3/6/2006 6:51:39 PM
C:\WINDOWS\system32\sachostp.exe is infected with a virus Packed.Win32.Tibs 3/6/2006 6:53:16 PM
C:\WINDOWS\system32\sachostp.exe object could not be disinfected, disinfection postponed 3/6/2006 6:53:16 PM
C:\WINDOWS\system32\vxgamet4.exe7680.exe is a Trojan Trojan-Proxy.Win32.Agent.eu 3/6/2006 6:53:46 PM
C:\WINDOWS\system32\vxgamet4.exe7680.exe object could not be disinfected, disinfection postponed 3/6/2006 6:53:46 PM
C:\WINDOWS\system32\wininet.old is infected with a virus Virus.Win32.Nsag.b 3/6/2006 6:53:53 PM
C:\WINDOWS\system32\wininet.old object could not be disinfected, disinfection postponed 3/6/2006 6:53:53 PM

Panda -

Incident Status Location

Potentially unwanted tool:application/alfacleaner Not disinfected C:\Documents and Settings\Andrew J Yu\Application Data\AlfaCleaner
Adware:adware/alfacleaner Not disinfected Windows Registry
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@microsofteup.112.2o7[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@overture[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@questionmarket[1].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@microsofteup.112.2o7[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@overture[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@questionmarket[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Andrew J Yu\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Andrew J Yu\Desktop\smitRem.exe[Process.exe]

tetonbob · 03-06-2006, 09:53 PM

I'm not surprised this system is slow....you've been seriously infected, and it may just be too messed up to get back to what you may have been used to. We'll do our best.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

When files found by other scanners are in the Recovery directory inside the Spybot-S&D directory, it is only a backup. It is no longer of any harm there, as the file won't be loaded from there. But once you are sure you don't need the backup, go to the Recovery section inside Spybot-S&D and purge the files.

------------------------------------------------------------------

Clear your IE cookies. Start>Settings>Control Panel>Internet Options>General tab>under Temporary files, click on Delete Cookies

------------------------------------------------------------------

I know you have Ewido already. Please update it's definitions, and run a scan where I have placed it in this fix.

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

---------------------------------------------------------------

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache

Delete Newsgroup Subscriptions

Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

---------------------------------------------------------------

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.

---------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

---------------------------------------------------------------

Delete the following Files/Folders if they exist:

C:\Documents and Settings\Andrew J Yu\Application Data\AlfaCleaner
C:\WINDOWS\system32\kernels8.exe
C:\WINDOWS\system32\sachostp.exe
C:\WINDOWS\system32\vxgamet4.exe7680.exe
C:\WINDOWS\system32\wininet.old
C:\Windows\System32\mswinb32.exe
C:\Windows\System32\mswinb32.dll
C:\Windows\System32\mswinf32.exe
C:\Windows\System32\mswinf32.dll
C:\Windows\System32\page.htm
C:\Windows\System32\oleext.dll

------------------------------------------------------------------

Run CleanUp once again, using the same settings as before.

------------------------------------------------------------------

Boot to normal mode now.

---------------------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------

Right click on this link http://www.greyknight17.com/spy/RegSrch.vbs and choose 'Save As'. Save it somewhere. Now run that program and do a search for these files (if more than one, make sure to search and save them separately):

alphacleaner
AlphaCleaner

Save the file/files and post the results in the forum.

------------------------------------------------------------------

That Kaspersky log looks like it's from the onboard AV program, not the online scanner.....is that the case?

------------------------------------------------------------------

Please return with logs from:

Ewido
HJT

DaTwinkie · 03-07-2006, 08:37 PM

Hi,

It seems I didn't post the right Kaspersky log. I hope that this is the right one now...

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, March 07, 2006 20:32:05
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 8/03/2006
Kaspersky Anti-Virus database records: 180755
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 85348
Number of viruses found: 7
Number of infected objects: 22
Number of suspicious objects: 0
Duration of the scan process: 3970 sec

Infected Object Name - Virus Name
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\System Volume Information\_restore{E29FDA2F-0850-4250-AF58-199D44408501}\RP175\A0043868.exe Infected: Trojan-Downloader.Win32.Tibs.cv
C:\System Volume Information\_restore{E29FDA2F-0850-4250-AF58-199D44408501}\RP175\A0043922.old Infected: Virus.Win32.Nsag.b
C:\System Volume Information\_restore{E29FDA2F-0850-4250-AF58-199D44408501}\RP175\A0049988.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\System Volume Information\_restore{E29FDA2F-0850-4250-AF58-199D44408501}\RP175\A0056160.exe Infected: Packed.Win32.Tibs
C:\System Volume Information\_restore{E29FDA2F-0850-4250-AF58-199D44408501}\RP175\A0056534.exe Infected: Trojan-Proxy.Win32.Agent.eu
D:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603
D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute4032.exe/WISE0011.BIN/CTInstall.exe Infected: not-a-virus:AdWare.Win32.TimeSink
D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute4032.exe/WISE0011.BIN/SimpleRegistration.dll Infected: not-a-virus:AdWare.Win32.TimeSink
D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute4032.exe/WISE0011.BIN/tsad.dll Infected: not-a-virus:AdWare.Win32.TimeSink
D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute4032.exe/WISE0011.BIN/TSUninstaller.exe Infected: not-a-virus:AdWare.Win32.TimeSink
D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute4032.exe/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.TimeSink
D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute4032.exe Infected: not-a-virus:AdWare.Win32.TimeSink
D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute_ftp_4_and_crack.zip/cute4032.exe/WISE0011.BIN/CTInstall.exe Infected: not-a-virus:AdWare.Win32.TimeSink
D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute_ftp_4_and_crack.zip/cute4032.exe/WISE0011.BIN/SimpleRegistration.dll Infected: not-a-virus:AdWare.Win32.TimeSink
D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute_ftp_4_and_crack.zip/cute4032.exe/WISE0011.BIN/tsad.dll Infected: not-a-virus:AdWare.Win32.TimeSink
D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute_ftp_4_and_crack.zip/cute4032.exe/WISE0011.BIN/TSUninstaller.exe Infected: not-a-virus:AdWare.Win32.TimeSink
D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute_ftp_4_and_crack.zip/cute4032.exe/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.TimeSink
D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute_ftp_4_and_crack.zip/cute4032.exe Infected: not-a-virus:AdWare.Win32.TimeSink
D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute_ftp_4_and_crack.zip Infected: not-a-virus:AdWare.Win32.TimeSink
D:\Program Files\mIRC\backup\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603
D:\Program Files\GlobalSCAPE\CuteFTP\TSUninstaller.exe Infected: not-a-virus:AdWare.Win32.TimeSink

Scan process completed.

Here is the ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:55:48 PM, 3/7/2006
+ Report-Checksum: 44C2F1F5

+ Scan result:

No infected objects found.

::Report End

Here's the HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 7:09:35 PM, on 3/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Andrew J Yu\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141402189765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O21 - SSODL: AOL Instant Messenger - {86DB7CB7-F300-C3DF-3D1F-5E4F42586770} - c:\program files\aim\winnfvn32.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

tetonbob · 03-07-2006, 08:55 PM

Hi DaTwinkie -

Before I offer the next step, please perform the requested regsearch from my previous post.

DaTwinkie · 03-09-2006, 07:43 PM

Hi Tetonbob,

I ran the regsearch and it said it could not find any files called AlphaCleaner.

Is that what you wanted to know?

-DaTwinkie

tetonbob · 03-09-2006, 07:56 PM

And you ran it with both spellings?

Panda seems to think it's in your registry....if no finds, I'll have a fix for you soon.

DaTwinkie · 03-09-2006, 10:18 PM

Yeah, I tried multiple spellings of the word and the program didn't find anything regarding AlphaCleaner.

tetonbob · 03-09-2006, 10:27 PM

Make sure you have the latest version of Spybot (1.4), update it's definitions, and run a scan in safe mode. Have it fix whatever it may find.

While in safe mode......

Make sure hidden files are still visible.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Delete the following Files/Folders if they exist:

D:\Program Files\mIRC\download\cute_ftp_4_and_crack
D:\Program Files\GlobalSCAPE\CuteFTP\TSUninstaller.exe

Reboot into normal mode.

Run Panda Online scan once again....

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

*Turn off the real time scanner of any existing antivirus program while performing the online scan

Post a new HJT log, along with the Panda scan.

DaTwinkie · 03-10-2006, 11:58 PM

Hi tetonbob,

Here's a copy of the Panda activescan:

Incident Status Location

Potentially unwanted tool:application/alfacleaner Not disinfected C:\Documents and Settings\Andrew J Yu\Application Data\AlfaCleaner
Adware:adware/alfacleaner Not disinfected Windows Registry
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@microsofteup.112.2o7[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@overture[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@questionmarket[1].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@microsofteup.112.2o7[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@overture[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@questionmarket[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Andrew J Yu\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Andrew J Yu\Desktop\smitRem.exe[Process.exe]

Here's a copy of the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:53:44 PM, on 3/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Andrew J Yu\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search &

Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe"

/minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program

Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsof...?1141402189765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoftware.com/actives...ree/asinst.cab
O21 - SSODL: AOL Instant Messenger - {86DB7CB7-F300-C3DF-3D1F-5E4F42586770} - c:\program files\aim\winnfvn32.dll

(file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Finally, I ran another search on the regsrch.vbs program and tried the word "Alfa" and this is what it came up with...

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "alfa" 3/10/2006 11:47:59 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfa-search.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\digitalfan.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\digitalfan.com\www]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfa-search.com]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\digitalfan.com]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\digitalfan.com\www]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfa-search.com]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\digitalfan.com]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\digitalfan.com\www]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfa-search.com]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\digitalfan.com]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\digitalfan.com\www]

I hope this helps...

tetonbob · 03-11-2006, 08:00 AM

Create a uninstall list:

Open HiJackThis
Click on the configure button on the bottom right
Click on the tab "Misc Tools"
Click on the Box that says "Open Uninstall Manager"
Click on the button "Save list"
Copy and past the List from the notepad file into your post

DaTwinkie · 03-11-2006, 12:01 PM

Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.5
AOL Instant Messenger
Borland C++Builder 4
Borland C++Builder 6
BroadJump Client Foundation
CleanUp!
Dell ResourceCD
Easy CD Creator 5 Basic
ewido anti-malware
HijackThis 1.99.1
hp deskjet 5100
HP Memories Disc
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
Intel(R) PRO Network Adapters and Drivers
iRiver Manager
iRiver Updater
J2SE Runtime Environment 5.0 Update 4
Kaspersky Anti-Virus Personal Pro
Kaspersky On-line Scanner
LimeWire 4.9.33
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Shockwave Player
Microsoft Office Professional Edition 2003
Microsoft XML Parser and SDK
mIRC
MPEG Joiner version 2.0
Nero 6 Ultra Edition
NVIDIA Drivers
Panda ActiveScan
PowerDVD
QuickTime
RealPlayer
Sound Blaster Live!
Spybot - Search & Destroy 1.4
Windows Installer 3.0 (KB884016)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q817606
Windows XP Service Pack 1a
Yahoo! Install Manager

tetonbob · 03-11-2006, 03:16 PM

OK, we're digging around for AlfaCleaner because it's so pernicious....it's not installed, but parts are being reported onboard still. Please do this:

Clear your IE cookies. Start>Settings>Control Panel>Internet Options>General tab>under Temporary files, click on Delete Cookies.

Search for this file:

C:\Windows\uninstDsk.exe

If it's present, go to safe mode, and double click on it.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Navigate to this folder, and delete it:

C:\Documents and Settings\Andrew J Yu\Application Data\ AlfaCleaner

Please tell me if you cannot find it, or if it resists deletion. Panda says it's present still, I've listed it once before for deletion.

Run regsearch for the string:

Desktop Uninstall

Post the results of the regsearch, along with a new HJT log

DaTwinkie · 03-12-2006, 01:06 PM

I can't seem to find the uninstDsk.exe file.

Also, I cannot find the AlfaCleaner under

C:\Documents and Settings\Andrew J Yu\Application Data\AlfaCleaner

I tried running the regsearch with Desktop Uninstall and it said it couldn't find it.

Here's the hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 1

05 PM, on 3/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Andrew J Yu\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141402189765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O21 - SSODL: AOL Instant Messenger - {86DB7CB7-F300-C3DF-3D1F-5E4F42586770} - c:\program files\aim\winnfvn32.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

tetonbob · 03-12-2006, 02:11 PM

Ok, humor me...this little tool will be faster to tell if the folder is still there than another Panda scan is.

It may be super hidden, which we can take care of with a batch file.

Download fl.zip
Extract the contents to a new folder on your Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply

Your logs are essentially clean, this is just tidying up.

03-01-2006, 10:41 PM	#1 (permalink)
DaTwinkie Registered User Join Date: Mar 2006 Posts: 15 OS: Win XP	Infected computer. Please help! Hello, I can't even use my computer unless I run it in safe mode. I used Ad-Aware and Spybot Search & Destroy and the problem still won't go away. Here's a copy of my HiJack This log: Logfile of HijackThis v1.99.1 Scan saved at 10:40:29 PM, on 3/1/2006 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AlfaCleaner\AlfaCleaner.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe C:\Documents and Settings\Andrew J Yu\Desktop\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\System32\msnscps.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [TIAP] c:\windows\eee2.exe O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe O4 - HKLM\..\Run: [sysvx] C:\WINDOWS\sysvx_.exe O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20004\winlogon.exe O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s O4 - HKLM\..\Run: [rscn] C:\WINDOWS\System32\bum587.exe ymmud O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\System32\intell321.exe O4 - HKLM\..\Run: [AlfaCleaner] C:\Program Files\AlfaCleaner\AlfaCleaner.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Yahoo! Pager] 1 O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe" O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll O21 - SSODL: AOL Instant Messenger - {86DB7CB7-F300-C3DF-3D1F-5E4F42586770} - c:\program files\aim\winnfvn32.dll O23 - Service: AlfaCleanerService - AlfaCleaner.com - C:\Program Files\AlfaCleaner\ACServer.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe Please help me if you can... Thanks!

03-02-2006, 08:35 AM	#2 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,569 OS: 2000 Pro; XP Pro; XP Home	This system is seriously infected, and there's several reasons why. You have no Anti Virus protection program. Your Windows XP is unpatched, leaving all the security flaws available for malware to exploit. Windows XP is at Service Pack 2,and has been for a couple of years now, meaning there are many patches even beyond SP2 that are open to exploit on this system. Can you use Safe Mode with Networking on this machine? Are you posting from the infected machine, or another? This will determine the approach taken. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

03-02-2006, 09:10 PM	#4 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,569 OS: 2000 Pro; XP Pro; XP Home	This is going to take you some time. Be sure to complete each and every step. Please download & install the trial version of Kaspersky Personal Pro Have it update it's virus definitions & then exit the program. Please download these additional files/programs. Do not run them unless instructed to do so. smitRem.exe and save the file to your desktop. Double click on the file to extract it to it's own folder on the desktop. Note Alternate download sites for smitrem... http://www.downloads.subratam.org/smitRem.exe http://www.bleepingcomputer.com/file...ar/smitRem.exe DelDomains.inf Right-click and select Save Target As - save it to your desktop. To use: Right-click and select....... Install (no need to restart) Note This will remove all entries in the "Trusted Zone" Download Ewido Security Suite Install Ewido Security Suite When installing, under "Additional Options" uncheck.. Install background guard Install scan via context menu Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. Download and install CleanUp! NOTE: Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following (Make sure nothing else is checked!): Empty Recycle Bins Delete Cookies Delete Prefetch files (if present) Cleanup! All Users Click OK Press the CleanUp! button to start the program. It may ask you to log-off/reboot at the end, if it does please do so. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply. Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop ** Ewido scan would require at least an hour. Do a full system scan with Kaspersky & have it disinfect all that it finds. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\System32\msnscps.dll O4 - HKLM\..\Run: [TIAP] c:\windows\eee2.exe O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe O4 - HKLM\..\Run: [sysvx] C:\WINDOWS\sysvx_.exe O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20004\winlogon.exe O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s O4 - HKLM\..\Run: [rscn] C:\WINDOWS\System32\bum587.exe ymmud O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\System32\intell321.exe O4 - HKLM\..\Run: [AlfaCleaner] C:\Program Files\AlfaCleaner\AlfaCleaner.exe O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll O23 - Service: AlfaCleanerService - AlfaCleaner.com - C:\Program Files\AlfaCleaner\ACServer.exe Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Also make sure there is no checkmark beside Hide file extensions for known file types * Click Yes to confirm and then click OK. Delete the following Files/Folders if they exist: C:\WINDOWS\System32\msnscps.dll c:\windows\eee2.exe C:\WINDOWS\sysldr32.exe C:\WINDOWS\sysvx_.exe C:\WINDOWS\inet20004 C:\WINDOWS\System\svwhost.exe C:\WINDOWS\System32\bum587.exe C:\WINDOWS\sachostx.exe C:\WINDOWS\System32\intell321.exe C:\Program Files\AlfaCleaner C:\WINDOWS\SYSTEM32\msupdate32.dll Next go to Control Panel click Display>Desktop>Customize Desktop>Website>Uncheck and delete if present: "Security Info" "Warning Message" "Security Desktop" "Warning Homepage" "Desktop Uninstall" Restart in normal mode if possible. Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan IMPORTANT!: You will need to use the direct link to SP1 below. Before we can proceed any further, please visit the Microsoft's Windows Update Page and install ALL Critical Updates for your system (except service pack 2) (SP2). SP2 should only be installed on a fully disinfected system. At the minimum install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online. Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid ....then you may not have a legitimate copy of Windows XP. Unfortunately it’s also this forums policy that we only address users with a legal copy of Windows XP.... therefore if you can not update Windows XP to SP1 we must stop the cleansing process here. Note If you're having trouble locating the service pack SP1a here is a direct link to download it from.. http://download.microsoft.com/downlo...p1a_en_x86.exe Run a new scan with HJT, in normal mode if possible now, save the log and post it. Thank you for your cooperation. Return with logs from: Ewido smitfiles.txt Kaspersky online scan HJT __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

03-04-2006, 06:57 AM	#6 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,569 OS: 2000 Pro; XP Pro; XP Home	Good job! It appears from your log you now have normal mode access, correct? I see from your log you were able to download the Kaspersky online scanner ActiveX controls...were you able to run the scan, and were there any results? Please post them here if so. If you have not run the scan, please do so now and post the results. Also run this online scan, please. This system was very compromised, and each scanner may find what the other may not see..... Perform an online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report Turn off the real time scanner of any existing antivirus program while performing the online scan Post those results here as well. How is your system behaving now? __________________ Practice Safe Surfing* PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

03-06-2006, 09:53 PM	#8 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,569 OS: 2000 Pro; XP Pro; XP Home	I'm not surprised this system is slow....you've been seriously infected, and it may just be too messed up to get back to what you may have been used to. We'll do our best. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. When files found by other scanners are in the Recovery directory inside the Spybot-S&D directory, it is only a backup. It is no longer of any harm there, as the file won't be loaded from there. But once you are sure you don't need the backup, go to the Recovery section inside Spybot-S&D and purge the files. ------------------------------------------------------------------ Clear your IE cookies. Start>Settings>Control Panel>Internet Options>General tab>under Temporary files, click on Delete Cookies ------------------------------------------------------------------ I know you have Ewido already. Please update it's definitions, and run a scan where I have placed it in this fix. You will need to update Ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. --------------------------------------------------------------- Run Cleanup! using the following configuration: 1. Click Options... 2. Set the slider to Standard CleanUp! 3. Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Scan local drives for temporary files 4. Click OK 5. Press the CleanUp! button to start the program. Reboot/logoff when prompted. * CleanUp! will not create any backups!! --------------------------------------------------------------- Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. --------------------------------------------------------------- Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop ** Ewido scan would require at least an hour. --------------------------------------------------------------- Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Also make sure there is no checkmark beside Hide file extensions for known file types * Click Yes to confirm and then click OK. --------------------------------------------------------------- Delete the following Files/Folders if they exist: C:\Documents and Settings\Andrew J Yu\Application Data\AlfaCleaner C:\WINDOWS\system32\kernels8.exe C:\WINDOWS\system32\sachostp.exe C:\WINDOWS\system32\vxgamet4.exe7680.exe C:\WINDOWS\system32\wininet.old C:\Windows\System32\mswinb32.exe C:\Windows\System32\mswinb32.dll C:\Windows\System32\mswinf32.exe C:\Windows\System32\mswinf32.dll C:\Windows\System32\page.htm C:\Windows\System32\oleext.dll ------------------------------------------------------------------ Run CleanUp once again, using the same settings as before. ------------------------------------------------------------------ Boot to normal mode now. --------------------------------------------------------------- Run a new HijackThis scan. Save the log file and post it here. --------------------------------------------------------------- Right click on this link http://www.greyknight17.com/spy/RegSrch.vbs and choose 'Save As'. Save it somewhere. Now run that program and do a search for these files (if more than one, make sure to search and save them separately): alphacleaner AlphaCleaner Save the file/files and post the results in the forum. ------------------------------------------------------------------ That Kaspersky log looks like it's from the onboard AV program, not the online scanner.....is that the case? ------------------------------------------------------------------ Please return with logs from: Ewido HJT __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

03-02-2006, 07:01 PM	#3 (permalink)
DaTwinkie Registered User Join Date: Mar 2006 Posts: 15 OS: Win XP	Currently, I am on the infected computer using Safe Mode with Networking.

03-03-2006, 08:11 PM	#5 (permalink)
DaTwinkie Registered User Join Date: Mar 2006 Posts: 15 OS: Win XP	Hi, Here's the ewido report: --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 12:54:19 AM, 3/3/2006 + Report-Checksum: E99156EE + Scan result: HKLM\SOFTWARE\Classes\AppID\{78364D99-A640-4ddf-B91A-67EFF8373045} -> Trojan.Brospy.c : Cleaned with backup HKLM\SOFTWARE\Classes\CLSID\{78364D99-A640-4ddf-B91A-67EFF8373045} -> Trojan.Brospy.c : Cleaned with backup HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78364D99-A640-4ddf-B91A-67EFF8373045} -> Trojan.Brospy.c : Cleaned with backup [632] C:\WINDOWS\system32\msupdate32.dll -> Downloader.Delf.aic : Cleaned with backup C:\Program Files\AIM\winnfvn32.dll -> Trojan.Small : Cleaned with backup C:\WINDOWS\eee2.exe -> Adware.MediaMotor : Cleaned with backup C:\WINDOWS\LastGood\webhdll.dll -> Adware.WebHancer : Cleaned with backup C:\WINDOWS\PMET.exe/eee2.exe -> Adware.MediaMotor : Cleaned with backup C:\WINDOWS\sachostx.exe -> Logger.Small.fe : Cleaned with backup C:\WINDOWS\surv3.exe -> Downloader.VB.vv : Cleaned with backup C:\WINDOWS\system\svchost.dll -> Backdoor.Agent.iw : Cleaned with backup C:\WINDOWS\system\svwhost.exe -> Backdoor.Agent.qr : Cleaned with backup C:\WINDOWS\system32\bum587.exe -> Downloader.Small.cjd : Cleaned with backup C:\WINDOWS\system32\mspostsp.exe -> Trojan.Inject.i : Cleaned with backup C:\WINDOWS\system32\msupdate32.dll -> Downloader.Delf.aic : Cleaned with backup C:\WINDOWS\system32\msvcrl.dll -> Logger.Small.fe : Cleaned with backup C:\WINDOWS\system32\oleext.dll -> Trojan.Small.ev : Cleaned with backup C:\WINDOWS\system32\sysvx.exe -> Worm.Locksky.m : Cleaned with backup C:\WINDOWS\system32\tio252.dll -> Downloader.Small.cjc : Cleaned with backup C:\WINDOWS\system32\tio253.dll -> Downloader.Small.cjc : Cleaned with backup C:\WINDOWS\system32\tio314.dll -> Downloader.Small.cjc : Cleaned with backup C:\WINDOWS\system32\tio40.dll -> Downloader.Small.cjc : Cleaned with backup C:\WINDOWS\system32\tio601.dll -> Downloader.Small.cjc : Cleaned with backup C:\WINDOWS\system32\tio724.dll -> Downloader.Small.cjc : Cleaned with backup C:\WINDOWS\system32\tio744.dll -> Downloader.Small.cjc : Cleaned with backup C:\WINDOWS\system32\tio996.dll -> Downloader.Small.cjc : Cleaned with backup C:\WINDOWS\sysvx_.exe -> Worm.Locksky.aj : Cleaned with backup C:\WINDOWS\whCC-GIANT.exe/WhAgent.exe -> Adware.WebHancer : Cleaned with backup D:\Program Files\GlobalSCAPE\CuteFTP\CTInstall.exe -> Adware.TimeSink : Cleaned with backup ::Report End Here's the smitfiles.txt: smitRem © log file version 2.8 by noahdfear Microsoft Windows XP [Version 5.1.2600] The current date is: Fri 03/03/2006 The current time is: 0:15:38.81 Running from C:\Documents and Settings\Andrew J Yu\Desktop\smitRem ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Pre-run SharedTask Export (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler) Copyright(C) 2006 BleepingComputer.com Registry Pseudo-Format Mode (Not a valid reg file): [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ checking for ShudderLTD key ShudderLTD key not present! checking for PSGuard.com key PSGuard.com key not present! checking for WinHound.com key WinHound.com key not present! spyaxe uninstaller NOT present Winhound uninstaller NOT present SpywareStrike uninstaller NOT present ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Existing Pre-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ oleext.dll ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 312 'explorer.exe' Killing PID 312 'explorer.exe' Starting registry repairs Registry repairs complete ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SharedTask Export after registry fix (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler) Copyright(C) 2006 BleepingComputer.com Registry Pseudo-Format Mode (Not a valid reg file): [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Deleting files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remaining Post-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ oleext.dll ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~ Wininet.dll ~~~ CLEAN! :) Here's the HiJack This Log: Logfile of HijackThis v1.99.1 Scan saved at 8:10:44 PM, on 3/3/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\WINDOWS\System32\ctfmon.exe C:\Program Files\AIM\aim.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Andrew J Yu\Desktop\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Yahoo! Pager] 1 O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe" O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141402189765 O21 - SSODL: AOL Instant Messenger - {86DB7CB7-F300-C3DF-3D1F-5E4F42586770} - c:\program files\aim\winnfvn32.dll (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

03-07-2006, 08:37 PM	#9 (permalink)
DaTwinkie Registered User Join Date: Mar 2006 Posts: 15 OS: Win XP	Hi, It seems I didn't post the right Kaspersky log. I hope that this is the right one now... ------------------------------------------------------------------------------- KASPERSKY ON-LINE SCANNER REPORT Tuesday, March 07, 2006 20:32:05 Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600) Kaspersky On-line Scanner version: 5.0.67.0 Kaspersky Anti-Virus database last update: 8/03/2006 Kaspersky Anti-Virus database records: 180755 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ Scan Statistics: Total number of scanned objects: 85348 Number of viruses found: 7 Number of infected objects: 22 Number of suspicious objects: 0 Duration of the scan process: 3970 sec Infected Object Name - Virus Name C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 C:\System Volume Information\_restore{E29FDA2F-0850-4250-AF58-199D44408501}\RP175\A0043868.exe Infected: Trojan-Downloader.Win32.Tibs.cv C:\System Volume Information\_restore{E29FDA2F-0850-4250-AF58-199D44408501}\RP175\A0043922.old Infected: Virus.Win32.Nsag.b C:\System Volume Information\_restore{E29FDA2F-0850-4250-AF58-199D44408501}\RP175\A0049988.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 C:\System Volume Information\_restore{E29FDA2F-0850-4250-AF58-199D44408501}\RP175\A0056160.exe Infected: Packed.Win32.Tibs C:\System Volume Information\_restore{E29FDA2F-0850-4250-AF58-199D44408501}\RP175\A0056534.exe Infected: Trojan-Proxy.Win32.Agent.eu D:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute4032.exe/WISE0011.BIN/CTInstall.exe Infected: not-a-virus:AdWare.Win32.TimeSink D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute4032.exe/WISE0011.BIN/SimpleRegistration.dll Infected: not-a-virus:AdWare.Win32.TimeSink D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute4032.exe/WISE0011.BIN/tsad.dll Infected: not-a-virus:AdWare.Win32.TimeSink D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute4032.exe/WISE0011.BIN/TSUninstaller.exe Infected: not-a-virus:AdWare.Win32.TimeSink D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute4032.exe/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.TimeSink D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute4032.exe Infected: not-a-virus:AdWare.Win32.TimeSink D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute_ftp_4_and_crack.zip/cute4032.exe/WISE0011.BIN/CTInstall.exe Infected: not-a-virus:AdWare.Win32.TimeSink D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute_ftp_4_and_crack.zip/cute4032.exe/WISE0011.BIN/SimpleRegistration.dll Infected: not-a-virus:AdWare.Win32.TimeSink D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute_ftp_4_and_crack.zip/cute4032.exe/WISE0011.BIN/tsad.dll Infected: not-a-virus:AdWare.Win32.TimeSink D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute_ftp_4_and_crack.zip/cute4032.exe/WISE0011.BIN/TSUninstaller.exe Infected: not-a-virus:AdWare.Win32.TimeSink D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute_ftp_4_and_crack.zip/cute4032.exe/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.TimeSink D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute_ftp_4_and_crack.zip/cute4032.exe Infected: not-a-virus:AdWare.Win32.TimeSink D:\Program Files\mIRC\download\cute_ftp_4_and_crack\cute_ftp_4_and_crack.zip Infected: not-a-virus:AdWare.Win32.TimeSink D:\Program Files\mIRC\backup\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 D:\Program Files\GlobalSCAPE\CuteFTP\TSUninstaller.exe Infected: not-a-virus:AdWare.Win32.TimeSink Scan process completed. Here is the ewido log: --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 6:55:48 PM, 3/7/2006 + Report-Checksum: 44C2F1F5 + Scan result: No infected objects found. ::Report End Here's the HiJack This log: Logfile of HijackThis v1.99.1 Scan saved at 7:09:35 PM, on 3/7/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\tcpsvcs.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\AIM\aim.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Documents and Settings\Andrew J Yu\Desktop\hijackthis\HijackThis.exe C:\WINDOWS\System32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Yahoo! Pager] 1 O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe" O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141402189765 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O21 - SSODL: AOL Instant Messenger - {86DB7CB7-F300-C3DF-3D1F-5E4F42586770} - c:\program files\aim\winnfvn32.dll (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

03-07-2006, 08:55 PM	#10 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,569 OS: 2000 Pro; XP Pro; XP Home	Hi DaTwinkie - Before I offer the next step, please perform the requested regsearch from my previous post. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

03-09-2006, 07:43 PM	#11 (permalink)
DaTwinkie Registered User Join Date: Mar 2006 Posts: 15 OS: Win XP	Hi Tetonbob, I ran the regsearch and it said it could not find any files called AlphaCleaner. Is that what you wanted to know? -DaTwinkie

03-09-2006, 07:56 PM	#12 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,569 OS: 2000 Pro; XP Pro; XP Home	And you ran it with both spellings? Panda seems to think it's in your registry....if no finds, I'll have a fix for you soon. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

03-09-2006, 10:18 PM	#13 (permalink)
DaTwinkie Registered User Join Date: Mar 2006 Posts: 15 OS: Win XP	Yeah, I tried multiple spellings of the word and the program didn't find anything regarding AlphaCleaner.

03-09-2006, 10:27 PM	#14 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,569 OS: 2000 Pro; XP Pro; XP Home	Make sure you have the latest version of Spybot (1.4), update it's definitions, and run a scan in safe mode. Have it fix whatever it may find. While in safe mode...... Make sure hidden files are still visible. Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Also make sure there is no checkmark beside Hide file extensions for known file types * Click Yes to confirm and then click OK. Delete the following Files/Folders if they exist: D:\Program Files\mIRC\download\cute_ftp_4_and_crack D:\Program Files\GlobalSCAPE\CuteFTP\TSUninstaller.exe Reboot into normal mode. Run Panda Online scan once again.... Perform an online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report Turn off the real time scanner of any existing antivirus program while performing the online scan Post a new HJT log, along with the Panda scan. __________________ Practice Safe Surfing* PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message. Last edited by tetonbob; 03-09-2006 at 10:28 PM.

03-10-2006, 11:58 PM	#15 (permalink)
DaTwinkie Registered User Join Date: Mar 2006 Posts: 15 OS: Win XP	Hi tetonbob, Here's a copy of the Panda activescan: Incident Status Location Potentially unwanted tool:application/alfacleaner Not disinfected C:\Documents and Settings\Andrew J Yu\Application Data\AlfaCleaner Adware:adware/alfacleaner Not disinfected Windows Registry Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@microsofteup.112.2o7[1].txt Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@overture[2].txt Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@questionmarket[1].txt Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@microsofteup.112.2o7[1].txt Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@overture[2].txt Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Andrew J Yu\Cookies\andrew j yu@questionmarket[1].txt Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Andrew J Yu\Desktop\smitRem\Process.exe Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Andrew J Yu\Desktop\smitRem.exe[Process.exe] Here's a copy of the hijackthis log: Logfile of HijackThis v1.99.1 Scan saved at 11:53:44 PM, on 3/10/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\WINDOWS\System32\ctfmon.exe C:\Program Files\AIM\aim.exe C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Documents and Settings\Andrew J Yu\Desktop\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Yahoo! Pager] 1 O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe" O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141402189765 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O21 - SSODL: AOL Instant Messenger - {86DB7CB7-F300-C3DF-3D1F-5E4F42586770} - c:\program files\aim\winnfvn32.dll (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe Finally, I ran another search on the regsrch.vbs program and tried the word "Alfa" and this is what it came up with... REGEDIT4 ; RegSrch.vbs © Bill James ; Registry search results for string "alfa" 3/10/2006 11:47:59 PM ; NOTE: This file will be deleted when you close WordPad. ; You must manually save this file to a new location if you want to refer to it again later. ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.) [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfa-search.com] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\digitalfan.com] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\digitalfan.com\www] [HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfa-search.com] [HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\digitalfan.com] [HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\digitalfan.com\www] [HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfa-search.com] [HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\digitalfan.com] [HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\digitalfan.com\www] [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfa-search.com] [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\digitalfan.com] [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\digitalfan.com\www] I hope this helps...

03-11-2006, 08:00 AM	#16 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,569 OS: 2000 Pro; XP Pro; XP Home	Create a uninstall list: Open HiJackThis Click on the configure button on the bottom right Click on the tab "Misc Tools" Click on the Box that says "Open Uninstall Manager" Click on the button "Save list" Copy and past the List from the notepad file into your post __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

03-11-2006, 12:01 PM	#17 (permalink)
DaTwinkie Registered User Join Date: Mar 2006 Posts: 15 OS: Win XP	Ad-Aware SE Personal Adobe Download Manager 2.0 (Remove Only) Adobe Reader 7.0.5 AOL Instant Messenger Borland C++Builder 4 Borland C++Builder 6 BroadJump Client Foundation CleanUp! Dell ResourceCD Easy CD Creator 5 Basic ewido anti-malware HijackThis 1.99.1 hp deskjet 5100 HP Memories Disc HP Photo and Imaging 2.0 - Deskjet Series hp print screen utility Intel(R) PRO Network Adapters and Drivers iRiver Manager iRiver Updater J2SE Runtime Environment 5.0 Update 4 Kaspersky Anti-Virus Personal Pro Kaspersky On-line Scanner LimeWire 4.9.33 Macromedia Dreamweaver 8 Macromedia Extension Manager Macromedia Shockwave Player Microsoft Office Professional Edition 2003 Microsoft XML Parser and SDK mIRC MPEG Joiner version 2.0 Nero 6 Ultra Edition NVIDIA Drivers Panda ActiveScan PowerDVD QuickTime RealPlayer Sound Blaster Live! Spybot - Search & Destroy 1.4 Windows Installer 3.0 (KB884016) Windows Media Format Runtime Windows Media Player 10 Windows XP Hotfix - KB823559 Windows XP Hotfix - KB828741 Windows XP Hotfix - KB833407 Windows XP Hotfix - KB835732 Windows XP Hotfix - KB842773 Windows XP Hotfix (SP2) [See Q329048 for more information] Windows XP Hotfix (SP2) [See Q329115 for more information] Windows XP Hotfix (SP2) [See Q329390 for more information] Windows XP Hotfix (SP2) [See Q329834 for more information] Windows XP Hotfix (SP2) Q329170 Windows XP Hotfix (SP2) Q329441 Windows XP Hotfix (SP2) Q810577 Windows XP Hotfix (SP2) Q810833 Windows XP Hotfix (SP2) Q817606 Windows XP Service Pack 1a Yahoo! Install Manager

03-11-2006, 03:16 PM	#18 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,569 OS: 2000 Pro; XP Pro; XP Home	OK, we're digging around for AlfaCleaner because it's so pernicious....it's not installed, but parts are being reported onboard still. Please do this: Clear your IE cookies. Start>Settings>Control Panel>Internet Options>General tab>under Temporary files, click on Delete Cookies. Search for this file: C:\Windows\uninstDsk.exe If it's present, go to safe mode, and double click on it. Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Also make sure there is no checkmark beside Hide file extensions for known file types * Click Yes to confirm and then click OK. Navigate to this folder, and delete it: C:\Documents and Settings\Andrew J Yu\Application Data\ AlfaCleaner Please tell me if you cannot find it, or if it resists deletion. Panda says it's present still, I've listed it once before for deletion. Run regsearch for the string: Desktop Uninstall Post the results of the regsearch, along with a new HJT log __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

03-12-2006, 01:06 PM	#19 (permalink)
DaTwinkie Registered User Join Date: Mar 2006 Posts: 15 OS: Win XP	I can't seem to find the uninstDsk.exe file. Also, I cannot find the AlfaCleaner under C:\Documents and Settings\Andrew J Yu\Application Data\AlfaCleaner I tried running the regsearch with Desktop Uninstall and it said it couldn't find it. Here's the hijack this log: Logfile of HijackThis v1.99.1 Scan saved at 105 PM, on 3/12/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Documents and Settings\Andrew J Yu\Desktop\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Yahoo! Pager] 1 O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe" O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141402189765 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O21 - SSODL: AOL Instant Messenger - {86DB7CB7-F300-C3DF-3D1F-5E4F42586770} - c:\program files\aim\winnfvn32.dll (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

03-12-2006, 02:11 PM	#20 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,569 OS: 2000 Pro; XP Pro; XP Home	Ok, humor me...this little tool will be faster to tell if the folder is still there than another Panda scan is. It may be super hidden, which we can take care of with a batch file. Download fl.zip Extract the contents to a new folder on your Desktop. Within the folder, locate & double-click fl.bat. It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply Your logs are essentially clean, this is just tidying up. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.