Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Av System Care popups


Post by Katana » August 26th, 2007, 2:30 pm

Hi Tom,
It looks like something is resisting the fix :(

Turn Off User Account Control
  1. Open Control Panel.
  2. Under User Account and Family settings click on the "Add or remove user account".
  3. Click on your user account.
  4. Under the user account click on the "Go to the main User Account page" link.
  5. Under "Make changes to your user account" click on the "Change security settings" link.
  6. In the "Turn on User Account Control (UAC) to make your computer more secure" click to unselect the "Use User Account Control (UAC) to help protect your computer". Click on the Ok button.
  7. You will be prompted to reboot your computer. Do so when ready.

In order to re-enable UAC just select the above checkbox and reboot.

Backup the Registry

Please back up the registry with Erunt

Start >> All Programs >> Erunt >> Erunt
Follow the prompts to create a backup

Create A Registry File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it Regfix.reg. Please save it on your desktop.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fcrnli"=-


Make sure there are NO lines before Windows Registry Editor Version 5.00 and ONE line at the end
Double click on Regfix.reg and click Yes at the prompt

TotalScan

Please go to this site Link >> TotalScan << LINK
  • Under Scan Now click the Full Scan button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.

Deckard's System Scanner
Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, a text file will open - main.txt
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your reply

(NOTE: Only one file will be created this time)

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • TotalScan report
  • DSS Log
Katana
MRU Teacher Emeritus
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by TomD22 » August 27th, 2007, 10:35 am

Total Scan Log:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2007-08-27 14:02:16
PROTECTIONS: 1
MALWARE: 8
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan Enterprise 8.5.0.781 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.mediaplex.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.com.com/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@xiti[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.xiti.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.statcounter.com/]
00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[counter.hitslink.com/]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[statse.webtrendslive.com/]
01221464 Trj/Shark.F Virus/Trojan No 0 Yes No C:\Users\Tom\Downloads\[Megafileupload]adobe%20cs3.zip[adobe cs3/Adobe Photoshop CS3 Extended Keygen.exe]
01221464 Trj/Shark.F Virus/Trojan No 0 Yes No C:\Users\Tom\Desktop\Adobe CS3\Adobe Photoshop CS3 Extended.exe
01221465 Trj/Shark.F Virus/Trojan No 0 Yes No C:\Deckard\System Scanner\20070826143329\backup\Users\Tom\AppData\Local\Temp\5726624.exe
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
C:\Users\Tom\AppData\Local\Microsoft\fcrnli.exe
;===================================================================================================================================================================================


Aha! Those two references to photoshop haven't shown up in the other scans before. I grabbed the free 30 day photoshop trial with bittorrent 'cos Adobe's servers seemed to be dead at the time (I was getting ~10kbps, would have taken days to dload). It turned out to have a link to a keygen bundled with it, which I just deleted - but I ran the photoshop install anyway.

With hindsight that seems like a slightly stupid thing to have done.....obviously anyone including a "keygen" (99% certain to be a trojan) is also gonna bundle something unpleasant into the photoshop file as well. Meh. Stupid. Anyway - have we found the source of the infection, do you think?


DSS Log:

Deckard's System Scanner v20070819.64
Run by Tom on 2007-08-27 15:18:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Tom.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:33:42, on 26/08/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.exe
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Tom\Desktop\dss.exe
C:\HJT\Tom.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /S
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [fcrnli] c:\users\tom\appdata\local\microsoft\fcrnli.exe fcrnli
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 7307 bytes

-- Files created between 2007-07-27 and 2007-08-27 -----------------------------

2007-08-27 14:30:11 0 d-------- C:\Program Files\Common Files\Steam
2007-08-27 13:03:41 0 d-------- C:\Windows\system32\Panda Software
2007-08-27 13:03:29 0 d-------- C:\Program Files\Panda Security
2007-08-26 13:25:35 0 d-------- C:\Users\All Users\Grisoft
2007-08-26 12:24:20 0 d-------- C:\VundoFix Backups
2007-08-24 12:41:13 0 d-------- C:\Users\All Users\Kaspersky Lab
2007-08-24 12:41:12 0 d-------- C:\Windows\system32\Kaspersky Lab
2007-08-21 22:45:40 0 d-------- C:\Kontiki
2007-08-21 22:44:36 41984 -----n--- C:\Windows\Ctregrun.exe <Not Verified; Creative Technology Ltd; Creative On-line Registration System>
2007-08-21 22:39:36 77824 -----n--- C:\Windows\system32\ctdvda32.dll <Not Verified; Creative Technology Ltd; Creative DVD-Audio Product>
2007-08-21 21:13:05 0 d-------- C:\Program Files\Creative
2007-08-21 21:12:48 0 d-------- C:\Windows\system32\Defaults
2007-08-21 21:09:56 0 d-------- C:\Program Files\OpenAL
2007-08-21 21:09:12 0 d-------- C:\Windows\system32\Data
2007-08-21 21:09:12 3072 --a------ C:\Windows\CTXFIRES.DLL <Not Verified; ; CTxfiRes Dynamic Link Library>
2007-08-21 21:09:12 10240 --a------ C:\Windows\CTDCRES.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-08-21 21:09:10 66560 -----n--- C:\Windows\system32\CmdRtr.dll
2007-08-21 21:09:10 103936 -----n--- C:\Windows\system32\APOMngr.dll
2007-08-21 18:23:50 0 d-------- C:\HJT
2007-08-21 13:10:16 0 d-------- C:\Program Files\ATITool
2007-08-21 01:10:30 0 d-------- C:\Users\All Users\Media Center Programs
2007-08-21 01:06:16 0 d-------- C:\Program Files\2K Games
2007-08-20 17:09:57 0 d-------- C:\Windows\Sun
2007-08-20 16:34:20 0 d-------- C:\Program Files\Steam
2007-08-20 12:20:20 0 d-------- C:\Users\All Users\Lavasoft
2007-08-20 12:15:45 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2007-08-19 15:38:03 0 d-------- C:\Users\All Users\Kontiki
2007-08-19 15:38:03 0 d-------- C:\Program Files\Kontiki
2007-08-18 13:04:39 0 d-------- C:\Program Files\HD Tune
2007-08-18 00:01:13 0 d--hs---- C:\Windows\VG9t
2007-08-17 22:35:03 0 d-------- C:\Program Files\Bonjour
2007-08-17 22:23:31 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-17 20:19:51 0 d-------- C:\Users\All Users\FLEXnet
2007-08-17 15:46:42 0 d-------- C:\Users\Tom\{b359c3d6-fc87-40a9-bfc4-84dd70141a06}
2007-08-17 14:10:43 0 d-------- C:\Program Files\DivX
2007-08-17 14:10:07 0 d-------- C:\Program Files\Combined Community Codec Pack
2007-08-17 14:09:37 765952 --a------ C:\Windows\system32\xvidcore.dll
2007-08-17 14:09:36 180224 --a------ C:\Windows\system32\xvidvfw.dll
2007-08-17 14:09:36 0 d-------- C:\Program Files\Xvid
2007-08-17 12:29:15 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-17 11:46:49 0 d-------- C:\Program Files\Ventrilo
2007-08-17 10:42:50 0 d-------- C:\QUARANTINE
2007-08-17 10:35:23 0 d-------- C:\Users\All Users\Adobe
2007-08-17 10:24:27 0 d-------- C:\Program Files\Common Files\Adobe
2007-08-17 09:47:45 0 d-------- C:\Program Files\Guild Wars
2007-08-17 07:43:32 0 d-------- C:\Windows\Panther
2007-08-17 07:43:23 0 d--hs---- C:\Boot
2007-08-16 22:47:05 0 d-------- C:\Windows\SoftwareDistribution
2007-08-16 22:45:59 0 d-------- C:\Windows\Debug
2007-08-16 22:44:51 0 d-------- C:\Windows\Prefetch
2007-08-16 22:44:41 0 d--hs---- C:\System Volume Information
2007-08-16 21:17:47 0 d-------- C:\Program Files\THQ
2007-08-16 20:27:12 0 d-------- C:\Program Files\RivaTuner v2.02
2007-08-16 19:34:18 0 d-------- C:\Program Files\Yahoo!
2007-08-16 19:33:11 1495552 --a------ C:\Windows\system32\epoPGPsdk.dll <Not Verified; PGP Corporation; PGPsdk>
2007-08-16 19:33:10 0 d-------- C:\Program Files\Common Files\Cisco Systems
2007-08-16 19:33:08 0 d-------- C:\Users\All Users\McAfee
2007-08-16 19:32:38 0 d-------- C:\Program Files\McAfee
2007-08-16 19:32:38 0 d-------- C:\Program Files\Common Files\McAfee
2007-08-16 18:27:56 0 d-------- C:\Program Files\Stardock
2007-08-16 18:27:56 0 d-------- C:\Program Files\Common Files\Stardock
2007-08-16 18:27:37 409600 --a------ C:\Windows\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2007-08-16 18:27:37 114688 --a------ C:\Windows\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2007-08-16 18:25:46 0 d-------- C:\Windows\system32\Futuremark
2007-08-16 18:25:46 3972 --a------ C:\Windows\system32\drivers\PciBus.sys
2007-08-16 18:25:46 5632 --a------ C:\Windows\system32\drivers\Entech64.sys <Not Verified; EnTech Taiwan; EnTech.sys>
2007-08-16 18:25:46 21664 --a------ C:\Windows\system32\drivers\Entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
2007-08-16 18:24:31 0 d-------- C:\Program Files\Futuremark
2007-08-16 18:12:58 0 d-------- C:\Program Files\Azureus
2007-08-16 18:06:40 0 d-------- C:\Windows\system32\Macromed
2007-08-16 18:06:07 0 d-------- C:\Users\All Users\NVIDIA
2007-08-16 17:52:15 0 d-------- C:\Program Files\VideoLAN
2007-08-16 17:51:35 0 d-------- C:\Program Files\iPod
2007-08-16 17:51:33 0 d-------- C:\Program Files\iTunes
2007-08-16 17:50:50 0 d-------- C:\Program Files\QuickTime
2007-08-16 17:50:49 0 d-------- C:\Users\All Users\Apple Computer
2007-08-16 17:50:31 0 d-------- C:\Program Files\Apple Software Update
2007-08-16 17:49:14 0 d-------- C:\Program Files\Common Files\Apple
2007-08-16 17:49:12 0 d-------- C:\Users\All Users\Apple
2007-08-16 17:47:49 0 d-------- C:\Program Files\OpenOffice.org 2.2
2007-08-16 17:47:32 0 d-------- C:\Program Files\Java
2007-08-16 17:47:31 0 d-------- C:\Program Files\Common Files\Java
2007-08-16 17:42:42 0 d-------- C:\Program Files\Google
2007-08-16 17:39:48 0 d-------- C:\Program Files\Prime95
2007-08-16 17:30:56 0 d-------- C:\NVIDIA
2007-08-16 17:25:38 0 d-------- C:\Program Files\Wallpaper Changer
2007-08-16 17:04:23 0 --a------ C:\Windows\nsreg.dat
2007-08-16 16:39:06 0 d-------- C:\Program Files\D-Link
2007-08-16 16:18:12 0 d-------- C:\Program Files\U-ABIT
2007-08-16 16:17:41 0 d-------- C:\Program Files\Marvell
2007-08-16 16:17:23 0 d--hs---- C:\Windows\Installer
2007-08-16 16:16:58 0 d-------- C:\Windows\system32\RTCOM
2007-08-16 16:16:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-16 16:16:25 315392 --a------ C:\Windows\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2007-08-16 16:16:21 0 d-------- C:\Program Files\Common Files\InstallShield
2007-08-16 16:14:40 0 d-------- C:\Program Files\Intel
2007-08-16 16:14:31 0 d-------- C:\Intel
2007-08-16 15:53:29 0 dr------- C:\Users\Tom\Searches
2007-08-16 15:53:19 0 dr------- C:\Users\Tom\Contacts
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Videos
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Templates
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Start Menu
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\SendTo
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Saved Games
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Recent
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\PrintHood
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Pictures
2007-08-16 15:53:14 2883584 --ahs---- C:\Users\Tom\ntuser.dat
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\NetHood
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\My Documents
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Music
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Local Settings
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Links
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Favorites
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Downloads
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Documents
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Desktop
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Cookies
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Application Data
2007-08-16 15:53:14 0 d--h----- C:\Users\Tom\AppData


-- Find3M Report ---------------------------------------------------------------

2007-08-27 14:30:11 0 d-------- C:\Program Files\Common Files
2007-08-27 14:07:22 0 d-------- C:\Users\Tom\AppData\Roaming\Adobe
2007-08-24 15:05:52 0 d-------- C:\Users\Tom\AppData\Roaming\OpenOffice.org2
2007-08-23 19:44:59 0 d-------- C:\Users\Tom\AppData\Roaming\Ventrilo
2007-08-21 22:33:37 0 d-------- C:\Users\Tom\AppData\Roaming\Bioshock
2007-08-19 11:06:53 0 d-------- C:\Users\Tom\AppData\Roaming\Azureus
2007-08-17 15:02:14 0 d-------- C:\Users\Tom\AppData\Roaming\DivX
2007-08-17 14:11:24 0 d-------- C:\Users\Tom\AppData\Roaming\WinRAR
2007-08-17 14:03:57 0 d-------- C:\Users\Tom\AppData\Roaming\vlc
2007-08-16 18:20:51 0 d-------- C:\Users\Tom\AppData\Roaming\Apple Computer
2007-08-16 18:08:02 0 d-------- C:\Users\Tom\AppData\Roaming\Macromedia
2007-08-16 18:02:21 0 d-------- C:\Program Files\Windows Mail
2007-08-16 18:02:21 0 d-------- C:\Program Files\Windows Defender
2007-08-16 17:04:29 0 d-------- C:\Users\Tom\AppData\Roaming\Talkback
2007-08-16 17:04:21 0 d-------- C:\Users\Tom\AppData\Roaming\Mozilla
2007-08-16 16:18:01 0 d-------- C:\Users\Tom\AppData\Roaming\InstallShield
2007-08-16 15:53:21 0 d-------- C:\Users\Tom\AppData\Roaming\Identities
2007-07-26 03:53:34 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2007-07-26 03:50:34 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-07-26 03:50:34 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-07-26 03:50:22 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-07-26 03:50:22 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 03:50:22 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 03:50:22 740442 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 03:49:28 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="" []
"RtHDVCpl"="RtHDVCpl.exe" [09/08/2007 19:26 C:\Windows\RtHDVCpl.exe]
"Wallpaper"="" []
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [15/07/2005 22:48]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [31/07/2007 18:44]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [22/02/2007 20:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [19/12/2006 11:27]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [17/08/2007 16:23]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [17/08/2007 16:23]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [17/08/2007 16:23]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.02\RivaTuner.exe" [01/07/2007 20:20]
"CTHelper"="CTHELPER.EXE" [12/02/2007 19:47 C:\Windows\System32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [12/02/2007 19:47 C:\Windows\System32\CTXFIHLP.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [18/06/2003 01:00]
"CTSysVol"="C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [15/02/2005 16:10]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [16/06/2005 18:25]
"UpdReg"="C:\Windows\UpdReg.EXE" [11/05/2000 01:00]
"fcrnli"="c:\users\tom\appdata\local\microsoft\fcrnli.exe" [18/08/2007 00:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [02/11/2006 13:35]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [02/11/2006 13:35]

C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [16/08/2007 18:27:56]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [20/07/2007 18:57:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"=0 (0x0)
"NoClose"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2007-08-27 15:19:12 ------------
TomD22
Regular Member
 
Posts: 19
Joined: August 20th, 2007, 8:57 am
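As an added example (not a MalwareRemoval.com tool, and not code from anyone in this thread), here is a short Python script that does by hand what Katana did by eye: it parses the O4 Run-key lines of a HijackThis log, flags autoruns that are launched from a user-writable profile directory or from a bare file name with no path, correlates them with a scanner's SUSPECTS list, and emits the same kind of Regfix.reg that was posted earlier (the `"name"=-` syntax deletes a value; the version header has to be the first line and the file has to end with a blank line). The O4 lines and the suspect path embedded below are copied from the logs in this post; the heuristics, the reason strings and the function names are my own.

```python
"""Triage HijackThis O4 (Run-key) lines and emit a Regfix.reg for chosen entries.

Added example for this thread, not a MalwareRemoval.com tool. The O4 lines are
copied from the HijackThis section of the DSS log above; the SUSPECTS path is
the one from the TotalScan report. Heuristics and reason strings are my own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [fcrnli] c:\users\tom\appdata\local\microsoft\fcrnli.exe fcrnli
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
"""

# SUSPECTS entry from the TotalScan report in the same post.
SUSPECTS = [r"C:\Users\Tom\AppData\Local\Microsoft\fcrnli.exe"]

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in an executable-ish extension (unquoted paths may contain spaces).
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|cpl|scr)\b", re.IGNORECASE)
USER_PROFILE_MARKERS = ("\\users\\", "\\documents and settings\\")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKUS": "HKEY_USERS"}


@dataclass
class Autorun:
    hive: str
    name: str
    command: str
    image: Optional[str]
    reasons: List[str] = field(default_factory=list)


def extract_image(command: str) -> Optional[str]:
    """Return the program path an autorun command launches, or None for a bare file name."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 1 else None
    m = PATH_RE.search(command)
    return m.group(0) if m else None


def parse_o4(text: str) -> List[Autorun]:
    """Parse every 'O4 - ...\\Run:' line; Startup-folder O4 lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autorun(m["hive"], m["name"], m["cmd"], extract_image(m["cmd"])))
    return entries


def triage(entries: List[Autorun], suspects: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Attach a reason to every entry worth a second look; returns {value name: reasons}."""
    suspects_lc = {s.lower() for s in suspects}
    flagged: Dict[str, List[str]] = {}
    for e in entries:
        img = (e.image or "").lower()
        if e.image is None:
            e.reasons.append("no absolute path: resolved through PATH at logon, verify the binary")
        elif any(mk in img for mk in USER_PROFILE_MARKERS):
            e.reasons.append("image lives under a user profile, a user-writable location")
        if img in suspects_lc:
            e.reasons.append("path matches a scanner SUSPECTS entry")
        if e.reasons:
            flagged[e.name] = e.reasons
    return flagged


def full_run_key(hive: str) -> str:
    """Expand the HijackThis hive abbreviation to the full Run key path."""
    root, _, rest = hive.partition("\\")
    key = HIVES.get(root, root) + ("\\" + rest if rest else "")
    return key + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def build_regfix(entries: List[Autorun], names: Iterable[str]) -> str:
    """Emit Regedit v5 text that deletes the named Run values ("name"=- means delete).

    The version header must be the first line, line endings are CRLF, and the
    file must end with one empty line, exactly the rules Katana gave for Regfix.reg.
    """
    wanted = set(names)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for e in entries:
        if e.name in wanted:
            lines += [f"[{full_run_key(e.hive)}]", f'"{e.name}"=-', ""]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    entries = parse_o4(HJT_SAMPLE)
    flagged = triage(entries, SUSPECTS)
    for name, reasons in flagged.items():
        print(f"{name}: " + "; ".join(reasons))
    # Only entries confirmed by the scanner go into the deletion file; "verify" hits stay manual.
    confirmed = [n for n, r in flagged.items() if any("SUSPECTS" in x for x in r)]
    print(build_regfix(entries, confirmed))
```

Run on the lines above it flags RtHDVCpl (bare name, verify only) and fcrnli (user-profile path and scanner match), and the .reg text it prints for fcrnli is byte-for-byte the Regfix.reg from the earlier post. The "verify" class is deliberately kept out of the deletion file: a bare name like RtHDVCpl.exe is how plenty of legitimate OEM software registers itself, so it is a prompt to check the binary, not a verdict.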

Post by Katana » August 27th, 2007, 3:19 pm

Hi Tom,
I hate to say it but, ----- "I Told You So"---- :lol:
Downloading things from P2P is Very risky. I would give Azureus the boot and uninstall it.
If Kontiki is not related to a legitimate service, I would also remove that.


Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Jotti

Please visit Jotti
Copy/paste the following file path into the window
C:\Users\Tom\AppData\Local\Microsoft\fcrnli.exe
Click Submit/Send File
Please post back, to let me know the results.

If Jotti is too busy please try Virustotal
Also if the Jotti result is negative please do a Virus Total scan as well

Upload a File
Download suspicious file packer from here

Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop

C:\Users\Tom\AppData\Local\Microsoft\fcrnli.exe

Go to spykiller

Please start a new thread and give the following information
  • Name:-- Your name
  • E-mail:-- Your E-mail (this is confidential and will not be displayed)
  • Subject:-- File for Katana at MRU
In the main text window please put the following link
http://www.malwareremoval.com/forum/viewtopic.php?t=22678
you may also add any comments you wish
then press attach and upload the zip/cab file that was created.

Files can be uploaded by anybody but not downloaded at all except for those users that have been given special permissions.
You DO NOT need to be a member to upload, anybody can upload the files


Delete Files and Folders
Find and delete the following Files and Folders if present
C:\Users\Tom\Downloads\[Megafileupload]adobe%20cs3.zip <<< This File
C:\Users\Tom\Desktop\Adobe CS3\Adobe Photoshop CS3 Extended.exe <<< This File




Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • Jotti/Virus Total
Katana
MRU Teacher Emeritus
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by TomD22 » August 27th, 2007, 7:09 pm

"I told you so" indeed :oops:

I've been using bittorrent for a couple of years without getting anything really nasty before....but considering the trouble this has caused I think I'll stick only to audio/video from now on. Stupid to run any .exe when I can't be 100% sure of its trustworthiness, I really should have known.

-----------

fcrnli.exe is not in c:\users\appdata\local\microsoft

I've searched manually, and with the search feature in vista, and can't find it there or anywhere else. I still have hidden folders, files, and operating system files all set to visible.

I've also had the computer on for an hour or so without seeing any popup windows............

Will update tomorrow :)
TomD22
Regular Member
Posts: 19
Joined: August 20th, 2007, 8:57 am

Unread postby TomD22 » August 27th, 2007, 7:41 pm

Update - just restarted computer, and getting popups again but I still can't find fcrnli.exe anywhere.
TomD22
Regular Member
 
Posts: 19
Joined: August 20th, 2007, 8:57 am

Unread postby Katana » August 28th, 2007, 12:54 am

This file may be super hidden, so just copy/paste the file path into the window.
You may never find it by searching :)
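The point above is that a file a Run value launches can be marked Hidden and System, which Explorer search and the default directory listing skip. The following is an added example, not code from the MalwareRemoval.com thread or from any of the tools it uses: it walks the Run/RunOnce keys that HijackThis reports as O4 lines, works out which executable each value launches, and inspects that file with -Force so that a Hidden+System file is still reported, with its attributes and SHA256 (handy for a VirusTotal/Jotti lookup). Entries whose target is missing, or lives under a user profile such as AppData, are flagged. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) in an elevated prompt; the function names are mine.

```powershell
# Added example, not code from the MalwareRemoval.com thread or its tools.
# Audits the Run keys that HijackThis reports as O4 entries, resolves each value
# to the executable it launches and inspects that file with -Force, which is what
# makes Hidden+System ("super hidden") files visible. Entries whose target is
# missing, or lives under a user profile such as AppData, are flagged for review.
# Assumes Windows PowerShell 4.0 or later (Get-FileHash) in an elevated prompt.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandTarget {
    # Pull the executable out of a Run value. Handles the shapes seen in an HJT
    # log:  "quoted path" args  |  unquoted\path.exe args  |  bare.exe
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)',
                        [Text.RegularExpressions.RegexOptions]::IgnoreCase)
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-RunKeyReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $target = Get-CommandTarget ($item.GetValue($name))
            $target = [Environment]::ExpandEnvironmentVariables($target)
            if (-not [IO.Path]::IsPathRooted($target)) {
                # Bare names (RtHDVCpl.exe, CTHELPER.EXE) are resolved via PATH
                $app = Get-Command $target -CommandType Application -ErrorAction SilentlyContinue |
                       Select-Object -First 1
                if ($app) { $target = $app.Path }
            }
            # -Force: without it Get-Item will not return a Hidden or System file
            $file = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
            $attrs = 'missing'
            $hash  = ''
            if ($file) {
                $attrs = $file.Attributes.ToString()
                $hash  = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
            }
            $inProfile = $target -like "$env:SystemDrive\Users\*"
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Target     = $target
                Exists     = [bool]$file
                Attributes = $attrs
                SHA256     = $hash
                Suspicious = ($inProfile -or -not $file)
            }
        }
    }
}

function Remove-RunEntry {
    # Removes one autorun value; run with -WhatIf first to see what would change
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Key,
          [Parameter(Mandatory = $true)][string]$Name)
    if ($PSCmdlet.ShouldProcess("$Key\$Name", 'Remove autorun value')) {
        Remove-ItemProperty -LiteralPath $Key -Name $Name
    }
}

Get-RunKeyReport | Where-Object { $_.Suspicious } | Format-List
# e.g. Remove-RunEntry -Key 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name fcrnli -WhatIf
```

Two caveats when reading the report. RUNDLL32.EXE entries resolve to rundll32 itself, so the DLL named in the value still has to be looked at by hand. And a Run value whose target is reported as missing while the symptoms continue means that value is not the active persistence, so the other sections of the HJT log (services, BHOs, startup folder items) need the same scrutiny.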

Unread postby TomD22 » August 28th, 2007, 7:08 am

OK, gotcha.

Spykiller thread is here

Virus Total Log:

Antivirus Version Last Update Result
AhnLab-V3 2007.8.28.2 2007.08.28 -
AntiVir 7.4.1.63 2007.08.28 -
Authentium 4.93.8 2007.08.28 -
Avast 4.7.1029.0 2007.08.27 -
AVG 7.5.0.484 2007.08.27 -
BitDefender 7.2 2007.08.28 -
CAT-QuickHeal 9.00 2007.08.25 -
ClamAV 0.91 2007.08.28 -
DrWeb 4.33 2007.08.28 -
eSafe 7.0.15.0 2007.08.26 -
eTrust-Vet 31.1.5091 2007.08.28 -
Ewido 4.0 2007.08.27 -
FileAdvisor 1 2007.08.28 -
Fortinet 2.91.0.0 2007.08.28 -
F-Prot 4.3.2.48 2007.08.28 -
F-Secure 6.70.13030.0 2007.08.28 -
Ikarus T3.1.1.12 2007.08.28 -
Kaspersky 4.0.2.24 2007.08.28 -
McAfee 5106 2007.08.27 -
Microsoft 1.2803 2007.08.28 -
NOD32v2 2488 2007.08.28 -
Norman 5.80.02 2007.08.28 -
Panda 9.0.0.4 2007.08.28 -
Prevx1 V2 2007.08.28 -
Rising 19.38.12.00 2007.08.28 -
Sophos 4.21.0 2007.08.28 -
Sunbelt 2.2.907.0 2007.08.25 -
Symantec 10 2007.08.28 Trojan.Skintrim
TheHacker 6.1.9.174 2007.08.28 -
VBA32 3.12.2.3 2007.08.28 -
VirusBuster 4.3.26:9 2007.08.27 -
Webwasher-Gateway 6.0.1 2007.08.28 -

Unread postby Katana » August 28th, 2007, 5:15 pm

Hi Tom,
Now we're getting there :D


OTMoveIt
  • Download OTMoveIt by OldTimer from here
  • Double click on OTMoveIt to start OTMoveIt
  • Untick the option to Unregister Dll's and Ocx's (1)
  • Select the contents of the below codebox, then press Ctrl+C to copy it to the clipboard
    C:\Users\Tom\AppData\Local\Microsoft\fcrnli.exe
  • In OTMoveIt Right click on the box labelled Paste List of Files/Folders to be Moved
  • Click Paste (2)
  • Click MoveIt! (3)
  • Copy and paste the contents of the results box (4) as a reply to this topic

Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines
O4 - HKLM\..\Run: [fcrnli] c:\users\tom\appdata\local\microsoft\fcrnli.exe fcrnli

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

Deckard's System Scanner
Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, a text file will open - main.txt
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your reply

(NOTE: Only one file will be created this time)
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • OTMoveIT results
  • DSS Log
  • How are things running now ?

Unread postby TomD22 » August 28th, 2007, 6:20 pm

Hey,

I got this error message with OT move it:

"Cannot create file C:\_OTMoveIt\MovedFiles\08282007_231406.log"

and the results window says:

"C:\Users\Tom\AppData\Local\Microsoft\fcrnli.exe not found"


I'm not sure if the OTMoveIT thing needs to be successful before following the rest of your instructions, so I'll wait for now.

Unread postby Katana » August 29th, 2007, 4:52 pm

Hi Tom,
Saw you online there so I will give you an update :)

The rest of the fix will not work if the file is not removed.

Unfortunately most of the tools we use don't work on Vista yet,
so I am asking for some info from the Vista gurus :)

Unread postby TomD22 » August 29th, 2007, 5:54 pm

kk, thanks

Unread postby Katana » August 31st, 2007, 12:26 pm

Hi Tom,
Sorry for the delay, we have been discussing how to attack this file :)
I have also been celebrating my promotion :D

Permissions

This tool will tell me what permissions are set
Please save this file to your desktop

LINK >>>Who Am I <<< LINK

Double click WhoAmI.exe

A text document will open please copy/paste the results in your reply

K'

Unread postby TomD22 » August 31st, 2007, 2:33 pm

Congratulations on your graduation :D


WhoAmI by wng_z3r0
8/31/2007
7:31 PM
******************
Operating system:
Microsoft® Windows Vista™ Home Premium
Ram: 3070 mb

Accounts on this computer:
Administrator
Guest
Tom

Current User: Tom
User is an admin
UAC is not enabled
******************

System Privileges:

SeIncreaseQuotaPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeIncreaseWorkingSetPrivilege
SeTimeZonePrivilege
SeCreateSymbolicLinkPrivilege


End of file

Unread postby Katana » September 1st, 2007, 2:19 pm

Hi Tom,
Let's try an old fashioned way :lol:

Reboot in safe mode
You will now need to reboot in safe mode, you will not have internet access whilst you do the next part
Please copy/paste or print the following instructions.


To reboot in safe mode
You can boot in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears.
Use your up arrow key to highlight Safe Mode, then hit enter.


Delete a file
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Delete A File On Reboot button.
  • Copy/Paste
    • C:\Users\Tom\AppData\Local\Microsoft\fcrnli.exe
    into the File Name window.
  • Click Open
  • In the window that opens click Yes

Let your PC reboot into normal mode

Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines
O4 - HKLM\..\Run: [fcrnli] c:\users\tom\appdata\local\microsoft\fcrnli.exe fcrnli

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis


Let's see if the file is actually still there
TotalScan

Please go to this site Link >> TotalScan << LINK
  • Under Scan Now click the Full Scan button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.


Please post the Total scan report along with a fresh HJT log in your reply

K'
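The "Delete A File On Reboot" step above relies on Windows removing the file before anything in the user session has a chance to lock or recreate it. What follows is an added example, not code from the thread or from HijackThis: it queues the deletion with the documented Win32 call MoveFileEx and the MOVEFILE_DELAY_UNTIL_REBOOT flag, which records the request in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and then reads that value back so you can confirm the request is queued before rebooting. That HijackThis implements its button with this exact call is an assumption on my part; the API and registry value are Microsoft's. It needs an elevated prompt because the value lives under HKLM, and the function names are mine.

```powershell
# Added example, not code from the MalwareRemoval.com thread or from HijackThis.
# Schedules a file for deletion at the next boot using MoveFileEx with
# MOVEFILE_DELAY_UNTIL_REBOOT, the documented Win32 mechanism for removing files
# that are locked or otherwise untouchable while Windows is running. The request
# is stored as a REG_MULTI_SZ pair list in HKLM\SYSTEM\CurrentControlSet\Control\
# Session Manager\PendingFileRenameOperations and carried out by the Session
# Manager early in boot, before Run-key programs start. That HijackThis's
# "Delete A File On Reboot" uses this same call is an assumption. Needs an
# elevated prompt (the value lives under HKLM).

Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Register-DeleteOnReboot {
    param([Parameter(Mandatory = $true)][string]$Path)
    # A null destination turns the deferred "move" into a deferred delete
    $ok = [Win32.NativeMethods]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for '$Path' (Win32 error $err)"
    }
}

function Get-PendingFileRenames {
    # Reads back what is queued so the request can be checked before rebooting
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -LiteralPath $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return }
    # Entries come in pairs: source (with an NT \??\ prefix), then destination;
    # an empty destination means delete, a leading ! means replace an existing file
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $dest   = $ops[$i + 1]
        $action = 'delete'
        if ($dest) { $action = "rename to $($dest -replace '^!?\\\?\?\\', '')" }
        [pscustomobject]@{
            Source = $ops[$i] -replace '^\\\?\?\\', ''
            Action = $action
        }
    }
}

Register-DeleteOnReboot -Path 'C:\Users\Tom\AppData\Local\Microsoft\fcrnli.exe'
Get-PendingFileRenames
```

Run Get-PendingFileRenames again after the reboot: an empty result means the Session Manager processed the queue. If the file is still present afterwards, something recreated it during startup and the Run value and the rest of the startup chain need another look before repeating the step.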

Unread postby TomD22 » September 2nd, 2007, 2:34 pm

Hey,

TotalScan log:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2007-09-02 19:33:19
PROTECTIONS: 1
MALWARE: 13
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan Enterprise 8.5.0.781 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@atdmt[2].txt
00145460 Cookie/2o7 TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@2o7[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.mediaplex.com/]
00145792 Cookie/SexList TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.sexlist.com/]
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[www.myaffiliateprogram.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@com[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@xiti[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.xiti.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@statcounter[2].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.statcounter.com/]
00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[counter.hitslink.com/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[server.iad.liveperson.net/hc/34292599]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[server.iad.liveperson.net/]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[statse.webtrendslive.com/]
01221465 Trj/Shark.F Virus/Trojan No 0 Yes No C:\Deckard\System Scanner\20070826143329\backup\Users\Tom\AppData\Local\Temp\5726624.exe
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================



New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:33:37, on 02/09/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.exe
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Tom\Desktop\HiJackThis.exe
C:\Windows\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /S
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 7545 bytes