

Trojan and Nail Viruses (I think)


Post by Prebble » June 15th, 2005, 12:15 pm

Logfile of HijackThis v1.99.1
Scan saved at 12:00:54 PM, on 6/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\PROGRA~1\VCOM\Fix-It\mxtask.exe
G:\WINDOWS\Explorer.exe
g:\windows\system32\rrxemc.exe
G:\WINDOWS\system32\wscntfy.exe
G:\WINDOWS\system32\wintask.exe
G:\WINDOWS\system\oxdoedxi.exe
G:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\dkkr.exe
G:\Program Files\VCOM\PowerDesk\PDExplo.exe
G:\DOCUME~1\PREBBL~1.PRE\LOCALS~1\Temp\~~PDTEMP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnbc.msn.com/
F2 - REG:system.ini: Shell=Explorer.exe G:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RCScheduleCheck] G:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] G:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [WinTask driver] G:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [zrhhqc] g:\windows\system32\rrxemc.exe r
O4 - HKLM\..\Run: [KavSvc] G:\WINDOWS\system32\rkkunz.exe reg_run
O4 - HKLM\..\Run: [G:\WINDOWS\VCMnet11.exe] G:\WINDOWS\VCMnet11.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .MOV: G:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: Fix-It Task Manager - V Communications, Inc. - G:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - g:\windows\SvcProc.exe
Prebble
Active Member
Posts: 4
Joined: June 15th, 2005, 12:07 pm

Post by askey127 » June 15th, 2005, 12:51 pm

Hi Prebble,

I'm checking your log. Be back shortly.

askey127
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Post by askey127 » June 15th, 2005, 2:16 pm

Hi Prebble,

You have a couple of infections. Let's get the Nail infection first.

First, some housekeeping:
-----------------------------------------------------------
Move HijackThis into its own folder. It is now in a temporary folder whose contents may get deleted. This would destroy the backups made by HijackThis.
To make a new permanent folder: Go to My Computer, double-click G:
- Click File, New, Folder
- type in HJT
You now have a new folder at G:\HJT\. Copy all the HijackThis files from your present location into the new folder.
-----------------------------------------------------------
General Startup Info
Please print out this page or copy it to a Notepad file. You may not be able to see it in Safe Mode. Make sure to work through the fixes in the order shown below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should NOT have any open browsers, except during downloads, when following the procedures below.
-----------------------------------------------------------
Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

-----------------------------------------------------------
Please download Nailfix from here: http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.
-----------------------------------------------------------
Download and install CCleaner from here.
Run CCleaner. Choose the Windows tab. Check everything EXCEPT be sure the Advanced part of the menu is all Unchecked. Choose Analyze. Let the Analyze portion finish. In heavily junk-laden older machines it could take up to 15 minutes. Then choose Run Cleaner. When cleaning is finished, click Exit.
-----------------------------------------------------------
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml
You MUST manage to get into Safe Mode for the fix to work.
-----------------------------------------------------------
Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
-----------------------------------------------------------
Then please run Ewido Security Suite, and run a full scan. Save the logfile from the scan.
-----------------------------------------------------------
Next please run HijackThis, click Scan, and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.
-----------------------------------------------------------
Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
We will have a bit more work to do, but we need to see these results first.

askey
askey127
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

log from first part of cleaning

Post by Prebble » June 19th, 2005, 2:53 pm

First part of ewido log
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:36:44 AM, 6/19/2005
+ Report-Checksum: 65B76CFE

+ Date of database: 6/18/2005
+ Version of scan engine: v3.0

+ Duration: 1002 min
+ Scanned Files: 164893
+ Speed: 2.74 Files/Second
+ Infected files: 63
+ Removed files: 62
+ Files put in quarantine: 62
+ Files that could not be opened: 0
+ Files that could not be cleaned: 1

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
G:\

+ Scan result:
C:\Program Files\Zyxg\Wxkfmpi.exe -> Trojan.Small.cy -> Cleaned with backup
C:\Program Files\AutoUpdate\AutoUpdate.exe -> TrojanDownloader.Apropo.g -> Cleaned with backup
C:\Windows\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
G:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\dkkr.exe -> TrojanDownloader.Qoologic.n -> Error during cleaning
G:\Documents and Settings\Owner\Cookies\owner@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
G:\Documents and Settings\Prebble J\Cookies\prebble j@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
G:\Documents and Settings\Prebble J\Cookies\prebble j@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
G:\Documents and Settings\Prebble J\Cookies\prebble j@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
G:\Documents and Settings\Prebble J\Cookies\prebble j@servedby.advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
G:\Program Files\ddd.exe -> TrojanDropper.Agent.hh -> Cleaned with backup
G:\Program Files\FwBarTemp\searchbar.exe -> TrojanDownloader.VB.eu -> Cleaned with backup
G:\Program Files\Internet Explorer\svchost.exe -> TrojanSpy.Agent.dq -> Cleaned with backup
G:\Program Files\Internet Optimizer\actalert.exe -> TrojanDownloader.Dyfuca.dp -> Cleaned with backup
G:\Program Files\Internet Optimizer\update\actalert.exe -> TrojanDownloader.Dyfuca.dp -> Cleaned with backup
G:\Program Files\Internet Optimizer\update\optimize313.exe -> TrojanDownloader.Dyfuca.dx -> Cleaned with backup
G:\Program Files\Internet Optimizer\update\rogue.exe -> Trojan.Small.cy -> Cleaned with backup
G:\Program Files\Media Access\MediaAccC.dll -> Spyware.WinAD.ag -> Cleaned with backup
G:\Program Files\Media Access\MediaAccess.exe -> Spyware.WinAD.am -> Cleaned with backup
G:\Program Files\Media Access\MediaAccK.exe -> Spyware.WinAD -> Cleaned with backup
G:\Program Files\sdf.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
G:\svcproc[1].exe -> Trojan.Stervis.c -> Cleaned with backup
G:\WINDOWS\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
G:\WINDOWS\Downloaded Program Files\installer_MARKETING32.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
G:\WINDOWS\installer_SIAC.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
G:\WINDOWS\jstall.exe -> Trojan.Revop.b -> Cleaned with backup
G:\WINDOWS\nem220.dll -> TrojanDownloader.Dyfuca -> Cleaned with backup
G:\WINDOWS\optimize.exe -> TrojanDownloader.Dyfuca.dk -> Cleaned with backup
G:\WINDOWS\systb.dll -> Spyware.ImiBar.d -> Cleaned with backup
G:\WINDOWS\system\oxdoedxi.exe -> TrojanDownloader.Small.aly -> Cleaned with backup
G:\WINDOWS\system32\auto_update_uninstall.exe -> Spyware.Apropos -> Cleaned with backup
G:\WINDOWS\system32\ckkod.dll -> TrojanDownloader.Qoologic.q -> Cleaned with backup
G:\WINDOWS\system32\cnndoam.exe -> TrojanDownloader.Qoologic.q -> Cleaned with backup
G:\WINDOWS\system32\COMMCOS2.DLL -> Spyware.SafeSurfing -> Cleaned with backup
G:\WINDOWS\system32\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
G:\WINDOWS\system32\dsldpa.exe -> Trojan.Revop.b -> Cleaned with backup
G:\WINDOWS\system32\exp.exe -> TrojanDownloader.Small.abd -> Cleaned with backup
G:\WINDOWS\system32\fyzjxa.exe -> Spyware.BetterInternet -> Cleaned with backup
G:\WINDOWS\system32\ide21201.vxd -> Spyware.MediaPass -> Cleaned with backup
G:\WINDOWS\system32\installer_MARKETING30.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
G:\WINDOWS\system32\nsc3F.dll -> Spyware.HotBar -> Cleaned with backup
G:\WINDOWS\system32\piiogxr.dll -> TrojanDownloader.Qoologic.q -> Cleaned with backup
G:\WINDOWS\system32\poker.exe -> TrojanDownloader.Agent.nj -> Cleaned with backup
G:\WINDOWS\system32\PopOops.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
G:\WINDOWS\system32\PopOops2.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
G:\WINDOWS\system32\ps1.exe -> Spyware.Pacer.a -> Cleaned with backup
G:\WINDOWS\system32\qaawv.dat -> TrojanDownloader.Qoologic.n -> Cleaned with backup
G:\WINDOWS\system32\Qool.exe -> TrojanDropper.Win32.Small.wc -> Cleaned with backup
G:\WINDOWS\system32\redit.cpl -> TrojanDownloader.Qoologic.p -> Cleaned with backup
G:\WINDOWS\system32\regsync.exe -> Spyware.SafeSurfing -> Cleaned with backup
G:\WINDOWS\system32\rkkunz.exe -> TrojanDownloader.Qoologic.n -> Cleaned with backup
G:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p -> Cleaned with backup
G:\WINDOWS\system32\SWLAD1.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
G:\WINDOWS\system32\SWLAD2.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
G:\WINDOWS\system32\thin-138-1-x-x.exe -> Spyware.BetterInternet -> Cleaned with backup
G:\WINDOWS\system32\uci.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
G:\WINDOWS\system32\umdtcplc.exe -> TrojanDownloader.Agent.ed -> Cleaned with backup
G:\WINDOWS\system32\vgaeman.exe -> TrojanDownloader.Apropo.ac -> Cleaned with backup
G:\WINDOWS\system32\wintask.exe -> TrojanDownloader.Small.abd -> Cleaned with backup
G:\WINDOWS\system32\wrapperouter.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
G:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
G:\WINDOWS\wsem303.dll -> TrojanDownloader.Dyfuca.dt -> Cleaned with backup
G:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup


::Report End

Second step of ewido log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:30:41 PM, 6/19/2005
+ Report-Checksum: BF6D5A83

+ Date of database: 6/18/2005
+ Version of scan engine: v3.0

+ Duration: 139 min
+ Scanned Files: 164899
+ Speed: 19.74 Files/Second
+ Infected files: 1
+ Removed files: 1
+ Files put in quarantine: 1
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
G:\

+ Scan result:
G:\WINDOWS\system32\zcatbwn.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End

hijack log
Logfile of HijackThis v1.99.1
Scan saved at 2:40:38 PM, on 6/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\Explorer.exe
G:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe G:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - G:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [RCScheduleCheck] G:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] G:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [G:\WINDOWS\VCMnet11.exe] G:\WINDOWS\VCMnet11.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .MOV: G:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: ewido security suite control - ewido networks - G:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - G:\PROGRA~1\VCOM\Fix-It\mxtask.exe

Thanks
Prebble
Active Member
Posts: 4
Joined: June 15th, 2005, 12:07 pm

Finished suggested steps. Here are the requested logs

Post by Prebble » June 20th, 2005, 4:35 pm

Prebble
Active Member
Posts: 4
Joined: June 15th, 2005, 12:07 pm

Post by askey127 » June 20th, 2005, 6:51 pm

Prebble,

NAIL didn't go, but the service supporting it did.
Let's remove some more, and see what we have.

-----------------------------------------------------------
Download the Pocket Killbox from http://forum.malwareremoval.com/viewtopic.php?t=1448
Unzip it; save it to your Desktop.
-----------------------------------------------------------
Download and install CCleaner from here.
Don't Run it Yet.
-----------------------------------------------------------
Remove log items with HijackThis. Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
Click Scan. When the Scan is complete, Check the following entries:
(Some of these lines/programs may have already been removed when you did the Add/Remove - do not be surprised if they are missing)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe G:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - G:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [G:\WINDOWS\VCMnet11.exe] G:\WINDOWS\VCMnet11.exe

Make sure all other windows except HJT are closed, and Click Fix Checked.
-----------------------------------------------------------
Unregister dll for removal.
Go to Start, Run OR Start, Programs, Accessories, Command Prompt. Enter each of the following, followed by <Enter>.

regsvr32 /u systb.dll

-----------------------------------------------------------
Stop Processes Prior to Deletion
Close ALL open windows. Use Ctrl-Alt-Delete together to bring up the task manager.
Under the processes tab, if it is visible, check the box 'Show processes from all users'.
One at a time, highlight each of these that are listed and "End Process":
nail.exe
VCMnet11.exe
dkkr.exe

-----------------------------------------------------------
File and Folder Deletion.
In Windows Explorer, navigate to these files, or use find (F3) if the folder is not shown; then delete the files if present:
G:\WINDOWS\Nail.exe
G:\WINDOWS\systb.dll
G:\WINDOWS\VCMnet11.exe
G:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\dkkr.exe

If you have any problem deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
Note the name and location of any file you cannot delete.

If there were any files you could not delete then please follow these additional instructions:
Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste the full path of each file to delete, one at a time, into the box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say "No" each time until the last one has been pasted in, whereupon you should answer "Yes".
Let the system reboot.
-----------------------------------------------------------
Run CCleaner. Choose the Windows tab. Check everything EXCEPT be sure the Advanced part of the menu is all Unchecked. Choose Analyze. Let the Analyze portion finish. In heavily junk-laden older machines it could take up to 15 minutes. Then choose Run Cleaner. When cleaning is finished, click Exit.
-----------------------------------------------------------
Download FindQoologic-Narrator. Extract (unzip) the files into their own folder. Browse to where you saved them. Double-click the Find-Qoologic2.bat file to run it. A text file will open. Copy and paste the contents of the file into your reply along with a new HijackThis log please.

Thanks
askey
askey127
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
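As an added example (not from this thread, and not code from HijackThis or ewido), here is a small Python triage script that reads HijackThis v1.99.1 log lines like the ones posted above and flags the kinds of entries askey127 singles out for removal: an F2 Shell= line that loads an extra program alongside Explorer.exe, Run entries with random-looking names, O2/O3 registrations whose file is missing, browser settings pointing at an unfamiliar host, and O23 services with an unknown owner. The sample log, the KNOWN_HOSTS allowlist and the random-name heuristic are constructed assumptions for illustration.

```python
import re

# Constructed sample in HijackThis v1.99.1 log format, modelled on the kinds of
# entries in this thread (not the poster's complete log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe G:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - G:\WINDOWS\systb.dll (file missing)
O4 - HKLM\..\Run: [zrhhqc] g:\windows\system32\rrxemc.exe r
O4 - HKLM\..\Run: [Fix-It AV] G:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - g:\windows\SvcProc.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - G:\PROGRA~1\VCOM\Fix-It\mxtask.exe
"""

# Assumption: hosts treated as ordinary browser defaults for the R0/R1 check.
KNOWN_HOSTS = {"msn.com", "microsoft.com", "google.com"}

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
URL_RE = re.compile(r"=\s*(?:https?://)?(?P<host>[A-Za-z0-9.-]+)")


def parse_entries(log_text):
    """Return (section, body) pairs for every 'Xn - ...' line in an HJT log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def looks_random(name):
    """Heuristic (assumption): short, all-lowercase, nearly vowel-free names
    such as rrxemc or rkkunz are typical of generated file/key names."""
    if not (5 <= len(name) <= 8 and name.isalpha() and name.islower()):
        return False
    return sum(c in "aeiou" for c in name) <= 1


def host_of(value):
    """Registrable-domain approximation (last two labels) of the URL in an R0/R1 value."""
    m = URL_RE.search(value)
    if not m:
        return None
    parts = m.group("host").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def triage(log_text):
    """Return a list of (section, reason, body) for entries worth a closer look."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "F2" and "Shell=" in body:
            # system.ini Shell= should be exactly Explorer.exe; anything after it
            # is loaded as a second shell (the Nail.exe pattern in this thread).
            shell = body.split("Shell=", 1)[1].strip()
            extra = shell.split(None, 1)[1] if " " in shell else ""
            if extra or shell.lower() != "explorer.exe":
                findings.append((section, "shell hijack: system.ini loads " + (extra or shell), body))
        elif section in ("R0", "R1"):
            host = host_of(body)
            if host and host not in KNOWN_HOSTS:
                findings.append((section, "browser setting points at " + host, body))
        elif section == "O4":
            m = RUN_RE.search(body)
            if m:
                exe = m.group("cmd").split()[0].rsplit("\\", 1)[-1]
                stem = exe.rsplit(".", 1)[0]
                if looks_random(m.group("name")) or looks_random(stem):
                    findings.append((section, "Run entry with random-looking name: " + exe, body))
        elif section in ("O2", "O3") and ("(file missing)" in body or "(no file)" in body):
            findings.append((section, "orphaned registration (file missing)", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "service with unknown owner", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```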

Results of Round 2

Post by Prebble » June 21st, 2005, 1:00 pm

Hijack Log

Logfile of HijackThis v1.99.1
Scan saved at 12:50:10 PM, on 6/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\ewido\security suite\ewidoctrl.exe
G:\PROGRA~1\VCOM\Fix-It\mxtask.exe
G:\PROGRA~1\VCOM\Fix-It\mxtask.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\wscntfy.exe
G:\Documents and Settings\Prebble.PREBBLE-COMPAQ\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RCScheduleCheck] G:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] G:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .MOV: G:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: ewido security suite control - ewido networks - G:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - G:\PROGRA~1\VCOM\Fix-It\mxtask.exe

Other Log

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
G:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
.
..
Adobe Reader Speed Launch.lnk
desktop.ini

User Startup:
G:\Documents and Settings\Prebble.PREBBLE-COMPAQ\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Fix-It Menu
<NO NAME> REG_SZ {A50302A0-8E15-11d2-887B-006008C1C087}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gnnmqyxg
<NO NAME> REG_SZ {97f519be-49c6-4337-ad63-884e92ec8613}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PowerDesk Menu
<NO NAME> REG_SZ {26E7F081-EB97-11d3-9239-006008D2D00F}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

Thanks
Prebble
Active Member
Posts: 4
Joined: June 15th, 2005, 12:07 pm

Unread postby askey127 » June 21st, 2005, 8:28 pm

Prebble,
How is it running? Overall it looks pretty good. There is one context menu item in the registry I would like to research, but NAIL is gone, and the combination of Ewido and our work with HJT appear to have removed the Qoologic downloader.

I will be out of communication until Friday PM, but I'm not ignoring you.
If you don't have it already, you might want to take a look at IE-Spyad:

Install IE-SPYAD. Find it here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm
IE-SPYAD adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. Once you merge this list of sites and domains into the Registry, the web sites for these companies will not be able to use cookies, ActiveX controls, Java applets, or scripting to compromise your privacy or your PC while you surf the Net. Nor will they be able to use your browser to push unwanted pop-ups, cookies, or auto-installing programs on your PC.

Let me know how it goes.
askey
askey127
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
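A reviewer reading the ContextMenuHandlers listing in the log above wants a quick way to pick out entries, such as the gnnmqyxg key, that no installed product obviously accounts for. As an added example that is not part of this thread or of any tool it mentions, the following Python script parses that REG.EXE output format and flags handler keys that are either absent from a reviewer-maintained allowlist or have auto-generated-looking names; the sample input and the allowlist are constructed from the entries posted above.

```python
import re

# Constructed sample: part of the ContextMenuHandlers listing as REG.EXE 3.0
# prints it, copied from the log posted in this thread.
SAMPLE = r"""! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Fix-It Menu
<NO NAME> REG_SZ {A50302A0-8E15-11d2-887B-006008C1C087}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gnnmqyxg
<NO NAME> REG_SZ {97f519be-49c6-4337-ad63-884e92ec8613}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}
"""

# Assumed reviewer-maintained allowlist of handlers that installed software accounts for.
KNOWN = {"ewido", "Fix-It Menu", "Offline Files", "Open With",
         "Open With EncryptionMenu", "PowerDesk Menu",
         "{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"}

KEY_RE = re.compile(r"^HKEY_\w+\\.*\\ContextMenuHandlers\\([^\\]+)$")
VAL_RE = re.compile(r"^<NO NAME>\s+REG_SZ\s+(.+)$")

def parse_handlers(text):
    """Pair each ContextMenuHandlers subkey with its default (CLSID) value."""
    pairs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
        elif (m := VAL_RE.match(line)) and current is not None:
            pairs.append((current, m.group(1)))
            current = None
    return pairs

def looks_random(name):
    """Heuristic for auto-generated names: one lowercase token of six or
    more letters with few vowels (e.g. gnnmqyxg)."""
    if not re.fullmatch(r"[a-z]{6,}", name):
        return False
    return sum(name.count(v) for v in "aeiou") / len(name) < 0.25

def triage(text, known=KNOWN):
    """Return (name, clsid) pairs a reviewer should research first."""
    return [(n, c) for n, c in parse_handlers(text)
            if n not in known or looks_random(n)]
```

Run `triage(SAMPLE)` to get the entries worth researching; a flagged CLSID is then looked up under HKEY_CLASSES_ROOT\CLSID to find the DLL it loads.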

Unread postby Nellie2 » July 14th, 2005, 6:06 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

The help you receive here is free but you can help support this site from this link if you wish:
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
Nellie2
Administrator Emeritus
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK