Free Malware Removal Forum

[opp884]

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:26:59 AM, 3/12/2006
+ Report-Checksum: BF161AC3

+ Scan result:

[512] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[536] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[648] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[660] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[828] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[908] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[944] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[992] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[1040] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[1296] VM_018E1000 -> Adware.NaviPromo : Error during cleaning
[1392] VM_00EB1000 -> Adware.NaviPromo : Error during cleaning
[1484] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1508] VM_00D71000 -> Adware.NaviPromo : Error during cleaning
[1616] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1644] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[128] VM_009B1000 -> Adware.NaviPromo : Error during cleaning
[172] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[216] VM_00A51000 -> Adware.NaviPromo : Error during cleaning
[1076] VM_00E11000 -> Adware.NaviPromo : Error during cleaning
[2012] VM_00801000 -> Adware.NaviPromo : Error during cleaning
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP189\A0143662.exe -> Downloader.Small.so : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP189\A0143663.reg -> Trojan.Delf.ha : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP189\A0143664.exe -> Dropper.Krepper.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP189\A0143665.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP189\A0143666.exe -> Downloader.Apher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP189\A0143667.exe -> Downloader.Delf.dd : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP189\A0143668.exe -> Downloader.Delf.dd : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP189\A0143669.exe -> Downloader.Delf.dd : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP189\A0143670.exe -> Downloader.Delf.dd : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP189\A0143671.exe -> Downloader.Delf.dd : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP189\A0143672.dll -> Dialer.InstantAccess.e : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP189\A0143673.exe -> Hijacker.Small.ab : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP189\A0143674.exe -> Trojan.Delf.hf : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP189\A0143676.dll -> Adware.NaviPromo : Cleaned with backup
C:\WINDOWS\SYSTEM32\msplock32.dll -> Adware.NaviPromo : Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__msclock32.dll -> Adware.NaviPromo : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 10:36:27 AM, on 3/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\fh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\windows\system32\lucsdw.exe
C:\program files\mailskinner\mailskinner.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Juno\bin\juno.exe
C:\Program Files\Juno\qsacc\x1exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Stephen Oppenheimer\Local Settings\Temporary Internet Files\Content.IE5\14FRGOZQ\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*photosite.com;*.dir.untd.com;<local>
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Stephen Oppenheimer\Application Data\Mozilla\Profiles\default\g2sn8tat.slt\prefs.js)
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\Juno\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lucsdw] c:\windows\system32\lucsdw.exe lucsdw
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGACCESS4_1058.dll,InstantAccess
O4 - HKCU\..\RunOnce: [untd_recovery] C:\Program Files\Juno\qsacc\x1exec.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/227
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~4\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 64.127.104.144
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0106821187
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BDD734E-4046-453D-B965-7E51DA4B7D48}: NameServer = 64.136.28.120 64.136.20.120
O20 - Winlogon Notify: defrag - C:\WINDOWS\System32\dfrgai.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Performance Manager (svhost) - Unknown owner - c:\Program Files\Common Files\fh.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe (file missing)

[Susan528]

Please ignore this post since Elrond is responding to his/her latest post.