Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Worm?


Re: Worm?

Post by random/random » November 25th, 2007, 1:35 pm

  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    Code:
    File::
    C:\WINDOWS\SYSTEM32\anteckkh.ini
    C:\WINDOWS\SYSTEM32\nettblch.exe
    C:\WINDOWS\SYSTEM32\odkqdlub.dll
    C:\WINDOWS\SYSTEM32\gjpuybvm.exe
    C:\WINDOWS\SYSTEM32\micdxmfg.dll
    C:\WINDOWS\SYSTEM32\ddcawtr.dll
    C:\WINDOWS\SYSTEM32\fccywtq.dll
    Folder::
    C:\VundoFix Backups
    C:\Program Files\Cool
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winkcj32]
    
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    Image
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall
random/random
Developer
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Worm?

Post by lysander » November 25th, 2007, 8:38 pm

ComboFix 07-11-19.3 - Massiel Gutierrez 2007-11-25 7:23:24.2 - NTFSx86
Running from: C:\Documents and Settings\Massiel Gutierrez\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Massiel Gutierrez\Desktop\CFscript.txt
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\anteckkh.ini
C:\WINDOWS\SYSTEM32\ddcawtr.dll
C:\WINDOWS\SYSTEM32\fccywtq.dll
C:\WINDOWS\SYSTEM32\gjpuybvm.exe
C:\WINDOWS\SYSTEM32\micdxmfg.dll
C:\WINDOWS\SYSTEM32\nettblch.exe
C:\WINDOWS\SYSTEM32\odkqdlub.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Cool
C:\Program Files\Cool\Cool.dll.intermediate.manifest
C:\Program Files\Cool\cool.exe
C:\Program Files\Cool\cool.info
C:\Program Files\Cool\cool.original
C:\Program Files\Cool\info.dll
C:\Program Files\Cool\un_CoolSetup_15849.exe
C:\Program Files\Cool\un_CoolSetup_15849.txt
C:\Program Files\Cool\X_Cool.dll
C:\Program Files\Cool\X_cool.exe
C:\Program Files\Cool\X_cool.log
C:\Program Files\folder.js\
C:\Program Files\ini.ini\
C:\VundoFix Backups
C:\VundoFix Backups\drvnevr.dll.bad
C:\VundoFix Backups\fccywtq.dll.bad
C:\VundoFix Backups\kjkmp.ini.bad
C:\VundoFix Backups\kjkmp.ini2.bad
C:\VundoFix Backups\neasqdej.dll.bad
C:\VundoFix Backups\pmkjk.dll.bad
C:\VundoFix Backups\tnvvolkn.dll.bad
C:\VundoFix Backups\tnvvolkn.dllbox.bad
C:\VundoFix Backups\vundofix.vtf.bad
C:\WINDOWS\SYSTEM32\anteckkh.ini
C:\WINDOWS\SYSTEM32\ddcawtr.dll
C:\WINDOWS\SYSTEM32\fccywtq.dll
C:\WINDOWS\SYSTEM32\gjpuybvm.exe
C:\WINDOWS\SYSTEM32\micdxmfg.dll
C:\WINDOWS\SYSTEM32\nettblch.exe
C:\WINDOWS\SYSTEM32\odkqdlub.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.

2007-11-20 17:11 <DIR> d-------- C:\Documents and Settings\Massiel Gutierrez\SmitfraudFix
2007-11-20 16:32 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-19 21:09 <DIR> d-------- C:\Deckard
2007-11-19 21:04 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-11-19 21:02 <DIR> d-------- C:\Documents and Settings\Massiel Gutierrez\.housecall6.6
2007-11-18 20:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-18 20:31 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-11-18 20:21 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2007-11-18 03:03 197 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2007-11-17 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-17 20:29 <DIR> d-------- C:\Program Files\SpyGuardPro
2007-11-17 20:29 <DIR> d-------- C:\Program Files\Common Files\SpyGuardPro
2007-11-17 20:29 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-11-17 20:26 <DIR> d-------- C:\Program Files\MalwareAlarm
2007-11-17 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-11-17 17:00 <DIR> d-------- C:\Program Files\AIM6
2007-11-14 23:36 <DIR> d-------- C:\Program Files\QuickTime
2007-11-13 19:20 <DIR> d-------- C:\New Folder
2007-11-12 12:20 <DIR> d-------- C:\Program Files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-18 19:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-18 01:34 72 ----a-w C:\Program Files\ini.ini
2007-11-17 22:09 --------- d-----w C:\Documents and Settings\Massiel Gutierrez\Application Data\Aim
2007-11-17 22:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-17 22:01 --------- d-----w C:\Program Files\Viewpoint
2007-11-17 22:00 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-15 04:41 --------- d-----w C:\Program Files\iTunes
2007-11-15 04:41 --------- d-----w C:\Program Files\iPod
2007-11-15 04:34 --------- d-----w C:\Program Files\Apple Software Update
2007-08-16 04:23 81,920 ----a-w C:\Documents and Settings\Massiel Gutierrez\Application Data\ezpinst.exe
2007-08-16 04:23 47,360 ----a-w C:\Documents and Settings\Massiel Gutierrez\Application Data\pcouffin.sys
2007-08-02 13:43 282,624 ----a-w C:\Program Files\TTC.dll
2007-06-14 09:22 2,231 ----a-w C:\Program Files\folder.js
2005-07-24 01:51 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2005-03-10 04:17 912,912 ----a-w C:\Documents and Settings\Massiel Gutierrez\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2007-11-25_10.03.23.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2007-11-25\ERDNT.EXE
+ 2007-11-25 15:03:18 7,847,936 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2007-11-25\Users\00000001\NTUSER.DAT
+ 2007-11-25 15:03:19 36,864 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2007-11-25\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2007-04-12 15:49]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 09:37]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 C:\WINDOWS\BCMSMMSG.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-01-23 12:58]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 20:05]
"imjpmig"="C:\IME\IMJP\imjpmig.exe" [2001-02-20 11:54]
"Dell AIO Printer A960"="C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe" [2003-09-21 16:21]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01]
"tgcmd"="C:\Program Files\support.com\bin\tgcmd.exe" [2002-04-24 20:37]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2007-04-12 15:49]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

C:\Documents and Settings\Massiel Gutierrez\Start Menu\Programs\Startup\
Cool - Auto Update.lnk - C:\qoobox\Quarantine\C\Program Files\Cool\cool.exe.vir [2007-11-17 20:25:10]
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

R0 Achernar;Achernar - SCSI Command Filters;C:\WINDOWS\system32\Drivers\Achernar.sys
R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys
R3 Aldebaran;Aldebaran - SCSI Command Filters;C:\WINDOWS\system32\Drivers\Aldebaran.sys
S2 Ca536av;FashionCam Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys
S3 ADPK;TRUST SPYC@M 300S;C:\WINDOWS\system32\Drivers\SQcaptur.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
S3 SilverLink;Texas Instruments SilverLink (USB GraphLink) Cable;C:\WINDOWS\system32\Drivers\SilvrLnk.sys
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
S3 USBCamera;FashionCam Digital Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-15 17:09:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-17 01:00:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D8VF7641-Massiel Gutierrez).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-11-25 21:10:13 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 19:32:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-25 19:36:35 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-25 10:05
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:20 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Cool - Auto Update.lnk = C:\qoobox\Quarantine\C\Program Files\Cool\cool.exe.vir
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Massiel Gutierrez\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/bingame/pacz/defaul ... online.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/defaul ... uncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugi ... .5.1.8.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} (TerminalSvcsTCSX Control) - https://mydesk-pi02.morganstanley.com/p ... vcsTCS.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/p ... der_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10351 bytes
lysander
Active Member
Posts: 10
Joined: November 18th, 2007, 5:45 pm
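The check a helper makes when the ComboFix log comes back is whether it actually removed everything the CFScript asked for. The Python below is an added example written for this page, not code from the thread or from ComboFix: it parses the File::/Folder::/Registry:: sections of a CFScript, pulls the FILE and "Other Deletions" paths out of a ComboFix log, and reports which requested entries are confirmed gone. The sample inputs are constructed from the posted script and log, abridged, with one file deliberately left out of the log so the missing case is exercised; Registry:: entries are reported separately because the posted log does not echo them in those two sections.

```python
import re
from typing import Dict, List

# Constructed sample input: the CFScript from the post above, abridged to a few entries
CFSCRIPT = r"""File::
C:\WINDOWS\SYSTEM32\anteckkh.ini
C:\WINDOWS\SYSTEM32\nettblch.exe
C:\WINDOWS\SYSTEM32\odkqdlub.dll
Folder::
C:\VundoFix Backups
C:\Program Files\Cool
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winkcj32]
"""

# Constructed sample input in the shape of the ComboFix log in the reply, abridged.
# odkqdlub.dll is deliberately left out of it so the reconciliation has something to flag.
COMBOFIX_LOG = r"""ComboFix 07-11-19.3 - 2007-11-25 7:23:24.2 - NTFSx86
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\anteckkh.ini
C:\WINDOWS\SYSTEM32\nettblch.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Cool
C:\Program Files\Cool\cool.exe
C:\VundoFix Backups
C:\VundoFix Backups\fccywtq.dll.bad
C:\WINDOWS\SYSTEM32\anteckkh.ini
C:\WINDOWS\SYSTEM32\nettblch.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.
"""

# ComboFix section banners look like "(((( Title ))))"
BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Name::' sections, each mapped to its list of entries."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_deletions(text: str) -> List[str]:
    """Collect the paths ComboFix reports as removed: the FILE block (ends at '.')
    and the 'Other Deletions' block (ends at the next section banner)."""
    deleted: List[str] = []
    state = None
    for raw in text.splitlines():
        line = raw.strip()
        banner = BANNER.match(line)
        if banner:
            state = "other" if banner.group(1) == "Other Deletions" else None
            continue
        if line == "FILE":
            state = "file"
            continue
        if line in ("", "."):
            if state == "file":
                state = None
            continue
        if state in ("file", "other"):
            deleted.append(line)
    return deleted


def reconcile(script: Dict[str, List[str]], deleted: List[str]) -> Dict[str, List[str]]:
    """Check each File:: and Folder:: entry against the deletion list (paths compared
    case-insensitively). Registry:: entries are not echoed in those log sections,
    so they are reported separately rather than counted as missing."""
    seen = {p.casefold() for p in deleted}
    confirmed: List[str] = []
    missing: List[str] = []
    for section in ("File", "Folder"):
        for entry in script.get(section, []):
            (confirmed if entry.casefold() in seen else missing).append(entry)
    return {"confirmed": confirmed, "missing": missing,
            "registry_unverified": script.get("Registry", [])}


if __name__ == "__main__":
    result = reconcile(parse_cfscript(CFSCRIPT), parse_combofix_deletions(COMBOFIX_LOG))
    for key, entries in result.items():
        print(f"{key}: {len(entries)}")
        for entry in entries:
            print("   ", entry)
```

Anything that lands in "missing" is what the helper would chase in the next reply; on the real log posted above every File:: and Folder:: entry appears in both blocks, so the only open item would be the Registry:: key, which has to be confirmed from a fresh HijackThis log instead.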

Re: Worm?

Post by random/random » November 26th, 2007, 3:25 pm

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems
random/random
Developer
Posts: 7731
Joined: December 18th, 2005, 3:30 pm
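The log this procedure writes (lysander posts the full one in the next reply) is long because the scanner also walks quarantine folders, removal-tool backups and System Restore points, where it finds copies of files that were already removed. The Python below is an added example written for this page, not ESET's or the forum's tooling: it parses the "# key=value" header and the detection lines, checks that the header reflects the settings asked for above (remove_checked=false, unwanted_checked=true), and groups the findings by where they sit so that the ones in a live location stand out. The sample is constructed from a handful of the posted lines; the location categories and the family() reduction are this example's own assumptions about the log format.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: header keys and a handful of detection lines in the shape of the
# ESET log posted in the reply that follows (paths and hashes copied from the thread, abridged)
ESET_LOG = r"""# version=4
# end=finished
# remove_checked=false
# unwanted_checked=true
# scanned=255780
# found=86
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\dlwixoql.exe Win32/Adware.AVSystemCare application 380EA292077F5B3C0430CC92F6EB259D
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\k11u78.exe a variant of Win32/TrojanDownloader.VB.AW trojan 9F35E128801C5D091BF87DC941B68890
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\k11u78.exe »NSIS »rMa02yy1099.exe a variant of Win32/TrojanDownloader.VB.AW trojan 00000000000000000000000000000000
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\mst429.tmp probably a variant of Win32/Agent.QT trojan AD9352D4FB9E047A8B4B1CF3A9CC13D5
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\stany.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071121-183747-242.dll Win32/BHO.G trojan 856587EB0B4B0E4BA1976ADE75DD0E83
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\odkqdlub.dll.vir Win32/BHO.G trojan 088BDF02A14F409324090A40DD3FAF43
C:\SDFix\backups\backups.zip multiple infiltrations 3B975FAF9CDF54D84F9A0390AB910578
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1272\A0148668.exe Win32/Adware.SpySheriff application 1A8CA3774D402006F58BB5B768925748
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1275\A0148885.dll Win32/Adware.SecToolbar application B7D2917E6DDC75B90BF2C23183741EEA
"""

# One detection line: <path, may contain spaces and »archive members> <verdict> <md5>
DETECTION = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<verdict>(?:probably a variant of |a variant of |probably unknown )?\S+ (?:application|trojan|virus)"
    r"|multiple infiltrations) "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Return the '# key=value' header as a dict and each detection line as a dict."""
    header: Dict[str, str] = {}
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION.match(line)
        if m:
            findings.append(m.groupdict())
    return header, findings


def scan_settings_ok(header: Dict[str, str]) -> bool:
    """The instructions asked for 'Remove found threats' unticked and 'Scan unwanted applications' ticked."""
    return header.get("remove_checked") == "false" and header.get("unwanted_checked") == "true"


def classify_location(path: str) -> str:
    """Where a detection sits decides what it means: quarantines, tool backups and
    System Restore points hold copies of already-removed files, not running malware."""
    p = path.casefold()
    if p.startswith("c:\\system volume information\\_restore"):
        return "system restore point"
    if "\\qoobox\\quarantine\\" in p:
        return "combofix quarantine"
    if "\\backup\\" in p or "\\backups\\" in p:
        return "removal-tool backup"
    return "live location"


def family(verdict: str) -> str:
    """Reduce ESET's verdict text to its detection name, e.g. 'Adware.AVSystemCare'."""
    m = re.search(r"Win32/(\S+)", verdict)
    return m.group(1) if m else verdict


def summarize(findings: List[Dict[str, str]]) -> Tuple[Counter, Counter]:
    by_location = Counter(classify_location(f["path"]) for f in findings)
    by_family = Counter(family(f["verdict"]) for f in findings)
    return by_location, by_family


def live_findings(findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The detections that still matter: anything outside quarantine, backup and restore-point folders."""
    return [f for f in findings if classify_location(f["path"]) == "live location"]


if __name__ == "__main__":
    header, findings = parse_eset_log(ESET_LOG)
    print("scan settings as requested:", scan_settings_ok(header))
    print("scanned", header.get("scanned"), "found", header.get("found"), "parsed", len(findings))
    by_location, by_family = summarize(findings)
    for loc, n in by_location.most_common():
        print(f"{n:3d}  {loc}")
    for name, n in by_family.most_common():
        print(f"{n:3d}  {name}")
    print("live findings:", live_findings(findings))
```

An empty live_findings list is the outcome a helper is looking for at this stage: the remaining hits are leftovers that go away when the removal tools are uninstalled and the old restore points are flushed, whereas anything in a live location would need its own cleanup step.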

Re: Worm?

Post by lysander » November 26th, 2007, 6:37 pm

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2686 (20071126)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=f3dd067c4eae1849a5d1de8bbc3c0df4
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-11-26 10:14:01
# local_time=2007-11-26 05:14:01 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=255780
# found=86
# scan_time=4428
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\dlwixoql.exe Win32/Adware.AVSystemCare application 380EA292077F5B3C0430CC92F6EB259D
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\dswtmhmj.exe Win32/Adware.AVSystemCare application 380EA292077F5B3C0430CC92F6EB259D
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\efcgxlvu.exe Win32/Adware.AVSystemCare application 380EA292077F5B3C0430CC92F6EB259D
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\exjegpqb.exe Win32/Adware.AVSystemCare application 380EA292077F5B3C0430CC92F6EB259D
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\gitobxmn.exe Win32/Adware.AVSystemCare application 380EA292077F5B3C0430CC92F6EB259D
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\k11u78.exe a variant of Win32/TrojanDownloader.VB.AW trojan 9F35E128801C5D091BF87DC941B68890
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\k11u78.exe »NSIS »rMa02yy1099.exe a variant of Win32/TrojanDownloader.VB.AW trojan 00000000000000000000000000000000
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\lpllfrfy.exe Win32/Adware.AVSystemCare application 380EA292077F5B3C0430CC92F6EB259D
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\mofugclq.exe Win32/Adware.AVSystemCare application 380EA292077F5B3C0430CC92F6EB259D
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\mst429.tmp probably a variant of Win32/Agent.QT trojan AD9352D4FB9E047A8B4B1CF3A9CC13D5
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\ngproxvf.exe Win32/Adware.AVSystemCare application 380EA292077F5B3C0430CC92F6EB259D
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\peuagbsx.exe Win32/Adware.AVSystemCare application 380EA292077F5B3C0430CC92F6EB259D
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\qrjatydi.exe Win32/Adware.AVSystemCare application 380EA292077F5B3C0430CC92F6EB259D
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\removalfile.bat Win32/Adware.Virtumonde application 9A7EF09167A6F4433681B94351509043
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\rhvqsuwb.exe Win32/Adware.AVSystemCare application 380EA292077F5B3C0430CC92F6EB259D
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\sheqipoi.exe Win32/Adware.AVSystemCare application 380EA292077F5B3C0430CC92F6EB259D
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\stany.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\urclqecd.exe Win32/Adware.AVSystemCare application 380EA292077F5B3C0430CC92F6EB259D
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\vntmrykt.exe Win32/Adware.AVSystemCare application 380EA292077F5B3C0430CC92F6EB259D
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\win437.tmp.exe Win32/Hoax.Renos.HX application 3831083C0905D13A61BAEC3955F36539
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\win43B.tmp.exe Win32/TrojanDownloader.PurityScan.EG trojan 76B2C3434DAFFACCBA94A41F250775C9
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\win43B.tmp.exe »NSIS »Yazzle1162OinAdmin.exe Win32/TrojanDownloader.PurityScan.EG trojan 00000000000000000000000000000000
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\xqedqkpr.exe Win32/Adware.AVSystemCare application 380EA292077F5B3C0430CC92F6EB259D
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\YazzleBundle-1549.exe a variant of Win32/TrojanDownloader.PurityScan trojan DBFA9DA703D43DA9A6388D8E25A2F2E5
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\YazzleBundle-1549.exe »NSIS »Yazzle1549OinAdmin.exe a variant of Win32/TrojanDownloader.PurityScan trojan 00000000000000000000000000000000
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\ywuecxwm.exe Win32/Adware.AVSystemCare application 380EA292077F5B3C0430CC92F6EB259D
C:\Deckard\System Scanner\20071120225105\backup\DOCUME~1\MASSIE~1\LOCALS~1\Temp\NI.UGA6P_0001_N122M2210\setup.exe Win32/Adware.AVSystemCare application 97D2D7C47F5F4C495B850AF38CC55911
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071121-183747-242.dll Win32/BHO.G trojan 856587EB0B4B0E4BA1976ADE75DD0E83
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071121-183747-997.dll Win32/Adware.UltimateDefender application F45372D3B83CD7E9F8C153B335406724
C:\qoobox\Quarantine\C\VundoFix Backups\neasqdej.dll.bad.vir Win32/Adware.SecToolbar application B7D2917E6DDC75B90BF2C23183741EEA
C:\qoobox\Quarantine\C\VundoFix Backups\tnvvolkn.dll.bad.vir Win32/Adware.SecToolbar application 21216C541F906CCE7513901C30F95A5E
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\gjpuybvm.exe.vir Win32/Adware.Ezula application 729E98319CEF03443F7349AB3D49813C
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\nettblch.exe.vir Win32/Adware.Ezula application 729E98319CEF03443F7349AB3D49813C
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\odkqdlub.dll.vir Win32/BHO.G trojan 088BDF02A14F409324090A40DD3FAF43
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\fibagbia\fibagbia1.exe.vir Win32/Adware.UltimateFixer application E199BBF2C868BE7BC4246980BF49F345
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\fibagbia\fibagbia2.exe.vir Win32/Adware.UltimateDefender application 71ABE6DA1A0B05B62DCAFF8B7C23E003
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\fibagbia\fibagbia3.exe.vir Win32/Adware.UltimateCleaner application 4214F251993ABF583AB333FEAAA9379A
C:\SDFix\backups\backups.zip multiple infiltrations 3B975FAF9CDF54D84F9A0390AB910578
C:\SDFix\backups\backups.zip »ZIP »backups/avp.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/mgrs.exe probably a variant of Win32/TrojanClicker.Agent.NBS trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/mrofinu1000106.exe Win32/TrojanDownloader.Agent.BLS trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/Yazzle1162OinAdmin.exe Win32/TrojanDownloader.PurityScan.EG trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/Yazzle1549OinAdmin.exe a variant of Win32/TrojanDownloader.PurityScan trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1271\A0148606.EXE Win32/Adware.WBug.A application E0D92AC5FDD264E4ED40D45C75934F1B
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1271\A0148606.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1272\A0148668.exe Win32/Adware.SpySheriff application 1A8CA3774D402006F58BB5B768925748
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1272\A0148669.dll Win32/Adware.BraveSentry application AC153A4F1FF0C34D58A23555DBC66763
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1272\A0148670.dll Win32/Adware.BraveSentry application DAB8F8DDA92F5A59AAE3346EE28B5BA0
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1272\A0148671.dll Win32/Adware.BraveSentry application 6D09C05A4451FA73196E0999FC3117FE
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1273\A0148684.exe Win32/Hoax.Renos.HX application 3831083C0905D13A61BAEC3955F36539
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1273\A0148691.exe a variant of Win32/TrojanDownloader.VB.AW trojan 0C664AF7889413DEB843A8873C956C67
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1273\A0148693.exe probably a variant of Win32/TrojanDownloader.Agent trojan 1403B70E5AC4E797046A8CF04E2F8927
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1273\A0148695.exe Win32/Adware.ZQuest application 233D7CF279872D8BBAEB1D31C3D365B4
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1273\A0148696.exe Win32/TrojanClicker.Small.JF trojan E8AAA5989609201412A4D0DD77AEE932
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1273\A0148696.exe »NSIS »func.exe Win32/TrojanClicker.Small.JF trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1273\A0148697.exe Win32/Adware.UltimateDefender application 71ABE6DA1A0B05B62DCAFF8B7C23E003
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1274\A0148736.exe Win32/TrojanDownloader.Agent.BLS trojan 9C8F6C0A58E5E9647000F6CF3D14B1BE
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1274\A0148737.exe Win32/Adware.UltimateDefender application 71ABE6DA1A0B05B62DCAFF8B7C23E003
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1274\A0148738.dll Win32/Adware.Virtumonde application 0D37D9FC87FE62C6B671FAB66B16FAAD
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1275\A0148801.exe Win32/TrojanDownloader.PurityScan.EG trojan DC8BE09866844D690996F3A0BD7D89C4
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1275\A0148803.exe a variant of Win32/TrojanDownloader.PurityScan trojan 23477706E5941EDB998C3036F6A7EB51
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1275\A0148806.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1275\A0148807.exe probably a variant of Win32/TrojanClicker.Agent.NBS trojan 50C56154A18F5B742EB51745677812ED
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1275\A0148808.exe Win32/TrojanDownloader.Agent.BLS trojan 9C8F6C0A58E5E9647000F6CF3D14B1BE
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1275\A0148819.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1275\A0148824.exe probably a variant of Win32/TrojanClicker.Agent.NBS trojan 50C56154A18F5B742EB51745677812ED
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1275\A0148825.exe Win32/TrojanDownloader.Agent.BLS trojan 9C8F6C0A58E5E9647000F6CF3D14B1BE
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1275\A0148830.exe Win32/TrojanDownloader.PurityScan.EG trojan DC8BE09866844D690996F3A0BD7D89C4
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1275\A0148832.exe a variant of Win32/TrojanDownloader.PurityScan trojan 23477706E5941EDB998C3036F6A7EB51
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1275\A0148885.dll Win32/Adware.SecToolbar application B7D2917E6DDC75B90BF2C23183741EEA
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1275\A0148887.dll Win32/Adware.SecToolbar application 21216C541F906CCE7513901C30F95A5E
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1276\A0148945.dll probably a variant of Win32/Agent.QT trojan AD9352D4FB9E047A8B4B1CF3A9CC13D5
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1276\A0148955.dll Win32/Adware.UltimateDefender application F45372D3B83CD7E9F8C153B335406724
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1276\A0148959.dll Win32/BHO.G trojan 856587EB0B4B0E4BA1976ADE75DD0E83
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1276\A0148968.exe Win32/Adware.Ezula application 729E98319CEF03443F7349AB3D49813C
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1276\A0148969.dll Win32/Adware.UltimateDefender application F45372D3B83CD7E9F8C153B335406724
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1276\A0148970.dll Win32/Adware.Virtumonde application 0D37D9FC87FE62C6B671FAB66B16FAAD
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1276\A0148971.dll Win32/Adware.UltimateDefender application 1B0DE76441A4D2BBE30A4363F6A4C4DA
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1276\A0148972.exe Win32/Adware.UltimateDefender application 35E6FAB3DAA314975B6A38243BB70F47
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1278\A0148998.exe Win32/Adware.UltimateFixer application E199BBF2C868BE7BC4246980BF49F345
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1278\A0148999.exe Win32/Adware.UltimateDefender application 71ABE6DA1A0B05B62DCAFF8B7C23E003
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1278\A0149000.exe Win32/Adware.UltimateCleaner application 4214F251993ABF583AB333FEAAA9379A
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1279\A0149070.exe Win32/Adware.Ezula application 729E98319CEF03443F7349AB3D49813C
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1279\A0149072.exe Win32/Adware.Ezula application 729E98319CEF03443F7349AB3D49813C
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1279\A0149073.dll Win32/BHO.G trojan 088BDF02A14F409324090A40DD3FAF43
C:\WINDOWS\SYSTEM32\xwdnnnxu.dll Win32/Adware.Virtumonde application 0D37D9FC87FE62C6B671FAB66B16FAAD


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:51 PM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Cool - Auto Update.lnk = C:\qoobox\Quarantine\C\Program Files\Cool\cool.exe.vir
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Massiel Gutierrez\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/bingame/pacz/defaul ... online.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/defaul ... uncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugi ... .5.1.8.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} (TerminalSvcsTCSX Control) - https://mydesk-pi02.morganstanley.com/p ... vcsTCS.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/p ... der_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10446 bytes
lysander
Active Member
 
Posts: 10
Joined: November 18th, 2007, 5:45 pm
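The log posted above is read by hand in this thread, entry by entry. The following Python script is an added example, not code from the forum thread, from HijackThis or from any of the tools named here: it parses the line shapes seen in that log (O4 Run and Startup entries, O9 buttons, O16 DPF entries) and flags the patterns a helper checks first before deciding what to fix: references marked "(file missing)", autoruns that point at a file under the ComboFix quarantine folder (C:\qoobox\Quarantine\...\*.vir), Run-key commands that name an executable without a directory (so it is located through the executable search path rather than a fixed location), unquoted paths containing spaces, and ActiveX .cab downloads served over plain http. The sample lines are copied from the log above; the reason tags and the `Finding` type are this example's own.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not code from the forum thread or from HijackThis itself.
It understands the line shapes visible in the log above and reports the
entries a helper would want to look at first.  The reason tags are this
example's own naming, not HijackThis output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# O4 - HKLM\..\Run: [name] command line
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run\w*: \[([^\]]*)\] (.*)$")
# O16 - DPF: {CLSID} (description) - URL
DPF_RE = re.compile(r"^O16 - DPF: .* - (\S+)$")
# First program-like token of a command line: stops at an extension that is
# followed by whitespace or end of string, so "McAfee.com\VSO" is not cut.
EXE_RE = re.compile(
    r".*?\.(?:exe|dll|scr|com|bat|cmd|vbs|js|pif|lnk|vir)(?=\s|$)", re.I)
# ComboFix quarantine folder or its ".vir" renamed copies
QUARANTINE_RE = re.compile(r"\\qoobox\\quarantine\\|\.vir(?=\s|$)", re.I)
# Drive-letter or UNC path
ABSOLUTE_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")


@dataclass(frozen=True)
class Finding:
    section: str   # e.g. "O4"
    reason: str    # short tag, see triage_line
    line: str      # the log line that produced it


def split_command(cmd: str) -> tuple[str, bool]:
    """Return (executable path, was_quoted) for a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    m = EXE_RE.match(cmd)
    return (m.group(0) if m else cmd.split()[0]), False


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one HijackThis log line (possibly none)."""
    line = line.rstrip()
    section = line.split(" ", 1)[0]
    found: list[Finding] = []
    if "(file missing)" in line:
        found.append(Finding(section, "file-missing", line))
    if QUARANTINE_RE.search(line):
        found.append(Finding(section, "points-at-quarantine", line))
    m = RUN_RE.match(line)
    if m:
        path, quoted = split_command(m.group(3))
        if not ABSOLUTE_RE.match(path):
            found.append(Finding(section, "unqualified-executable", line))
        elif not quoted and " " in path:
            found.append(Finding(section, "unquoted-path-with-spaces", line))
    m = DPF_RE.match(line)
    if m and m.group(1).lower().startswith("http://"):
        found.append(Finding(section, "activex-over-http", line))
    return found


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every non-empty line of a log."""
    return [f for ln in text.splitlines() if ln.strip() for f in triage_line(ln)]


# Sample lines copied from the log posted above (one per shape of interest).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Startup: Cool - Auto Update.lnk = C:\qoobox\Quarantine\C\Program Files\Cool\cool.exe.vir
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:26} {f.line}")
```

Run against the sample it reports five findings: the bare `BCMSMMSG.exe` Run value, the unquoted McAfee path, the `Cool - Auto Update.lnk` startup shortcut that still points into C:\qoobox\Quarantine (the folder the next post says can be deleted, which leaves that shortcut dangling), the msjava.dll button marked file missing, and the ESET scanner .cab fetched over http. None of these is a verdict on its own; the point is that the same shapes recur in every log and are cheap to pick out mechanically before the manual review starts.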

Re: Worm?

Unread postby random/random » November 27th, 2007, 3:36 pm

You can delete these files from your desktop:

dss.exe
sdfix.exe
smitfraudfix.exe
Vundofix.exe
vundofix.vft
fix.reg
cleanup.bat
combofix.exe

You can also delete these folders:

C:\Deckard\
C:\qoobox\
C:\sdfix\

You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue. Just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
    • Turn System Restore off
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
    Restart
    • Turn System Restore on
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Uncheck *Turn off System Restore*.
    • Click Apply, and then click OK.
    Note: only do this once, and not on a regular basis
  1. Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  2. Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  3. Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector. I suggest that you run it at least once a month.
  4. Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    Next, click OK, then the Apply button, and then OK to exit the Internet Properties page.
  5. Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster from here
  6. Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly
  7. Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Windows includes a HOSTS file. A HOSTS file is a bit like a phone book: it points from the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
    • Run Spybot Search & Destroy
    • Click on Mode, and then place a tick next to Advanced mode
    • Click Yes
    • In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
    • Click on Add Spybot-S&D hosts list
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  8. Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  9. Finally, I am trying to make one point very clear: it is absolutely essential to keep all of your security programs up to date.
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm
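Step 7 of the post above explains the HOSTS file as a phone book consulted before DNS, and then has the user load a block list into it. The following Python script is an added example, not code from the forum thread, from Windows or from Spybot Search & Destroy: it parses a HOSTS file the way a resolver reads it (comments, tabs, several names per line, a malformed line that must be ignored), answers the "what does this name resolve to locally" question, and merges a block list into the file without duplicating names already present. The sample file, the hostnames and the `BLOCK_ADDRESS` choice are constructed for this example.

```python
"""HOSTS-file blocklist helpers.

Added example, not code from the forum thread, from Windows or from Spybot
Search & Destroy.  It demonstrates the HOSTS file step above: a name listed
in the file is answered from the file before any DNS query, so mapping a
known-bad name to a sink address keeps the browser from ever reaching it.
The sample file and the hostnames are constructed for this example.
"""
from __future__ import annotations

import ipaddress

# Sink address for blocked names (this example's choice).  0.0.0.0 is not
# routable; 127.0.0.1 is the older convention and also works, but it sends
# every blocked request to any web server listening on the local machine.
BLOCK_ADDRESS = "0.0.0.0"

# Constructed sample in the usual HOSTS layout: address, then one or more
# names, '#' comments, tabs and a deliberately malformed line.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1\tlocalhost
::1        localhost                      # IPv6 loopback, same name again
0.0.0.0    ads.example.test  tracker.example.test   # block entries
not-an-address  bogus.example.test          # malformed, must be ignored
"""


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname (lower-cased) to the address listed for it.

    Whole-line and trailing '#' comments, tabs, blank lines and several
    names per line are handled.  A line whose first field is not a valid
    IPv4/IPv6 address is skipped instead of trusted, and the first entry
    seen for a name is kept.
    """
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()                 # any run of spaces/tabs
        if len(fields) < 2:
            continue                          # blank or name-less line
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                          # malformed address field
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)
    return table


def resolve(name: str, table: dict[str, str]) -> str | None:
    """Address the HOSTS file supplies for name, or None if DNS must be asked."""
    return table.get(name.lower().rstrip("."))


def add_blocklist(text: str, names) -> str:
    """Return text with a block entry appended for every name not already listed."""
    present = parse_hosts(text)
    wanted = sorted({n.lower().rstrip(".") for n in names})
    new_lines = [f"{BLOCK_ADDRESS}\t{n}" for n in wanted if n not in present]
    if not new_lines:
        return text
    sep = "" if text.endswith("\n") or not text else "\n"
    return text + sep + "# added block entries\n" + "\n".join(new_lines) + "\n"


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example.test", "www.example.test"):
        print(host, "->", resolve(host, table) or "(not in HOSTS, ask DNS)")
    print(add_blocklist(SAMPLE_HOSTS, ["malware.example.test", "ads.example.test"]))
```

The lookup is a plain dictionary hit, which is the property the block list relies on: a name that appears in the file never generates a DNS query, and a name that does not appear falls through to normal resolution unchanged. Skipping the malformed line rather than guessing at it matters because the file is trusted by every program on the machine; a bad entry should be dropped, not silently turned into a redirect.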

Re: Worm?

Unread postby askey127 » December 23rd, 2007, 7:42 am

Glad we could be of assistance. This topic is now closed. If you wish it to be reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.
Please do not contact us to reopen this topic if you are not the topic starter.
A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

You can help support this site from this link : Donations For Malware Removal
askey127
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA