Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

serious problem .... is it a virus ??? please help :)


Post by daveb123 » September 2nd, 2007, 8:39 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:24:24, on 03/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ygsondheks.info/c/2700/counter21.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ygsondheks.info/c/2700/counter21.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.ygsondheks.info/c/2700/counter21.php
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {EF3446E8-FC32-4E55-9C56-0B8DA015FC10} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE YHT PC Camera
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [awo4RUjpP] ltfshlex.exe
O4 - HKCU\..\Run: [Boots Insert Detect] C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Magnify] Magnify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Magnify] Magnify.exe (User 'Default user')
O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... B_ZZzer000
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?56e97e05030448098d1600fa1223d1fd
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?56e97e05030448098d1600fa1223d1fd
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.15-3.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.hotmail.msn.com/resou ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 5138625291
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A8080502-0C9E-44BD-AE83-D44698E43992} (DvssViewer Control) - http://80.192.176.121/dvssviewer.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://80.192.176.121:8080/plugin/h263ctrl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {BDEB5C35-9774-4235-94A5-7AAC547BB643} - http://dl.ask.co.uk/toolbars/ajtoolbar/ ... 2-inst.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/fi ... tup162.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\DOCUME~1\user\LOCALS~1\Temp\~~install.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - http://freeteenstars.com/ContentImages/ ... pics03.jpg

--
End of file - 9783 bytes
daveb123
Active Member
 
Posts: 9
Joined: September 2nd, 2007, 8:32 pm
Location: northwest
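Reading a HijackThis log by hand means scanning for a few recurring shapes: R0/R1 page settings that point somewhere the user never chose, O4 Run entries that name a bare file with no path, O7 policies that switch off regedit or Task Manager, entries whose file is gone, and O22 in-process servers loaded from a Temp directory. The script below is an added example (not HijackThis's own code, and not part of this thread) that applies those checks to a constructed subset of the log posted above; the trusted-host list and the severity labels are assumptions an analyst would tune per machine.

```python
"""Triage a HijackThis 2.0 log for the entry patterns that drive this
thread: hijacked IE pages, Run entries with no path, policies that disable
tools, orphaned entries and COM servers loaded from a Temp directory.
Added example, not HijackThis's own code; the heuristics are illustrative
and the trusted-host list is an assumption."""
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines in the same shape as the log above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ygsondheks.info/c/2700/counter21.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {EF3446E8-FC32-4E55-9C56-0B8DA015FC10} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [awo4RUjpP] ltfshlex.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\DOCUME~1\user\LOCALS~1\Temp\~~install.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Hosts a browser home/search page may legitimately point at (assumption;
# in practice the analyst decides this per machine).
TRUSTED_HOSTS = {"www.yahoo.com", "www.msn.com", "www.google.com", "www.microsoft.com"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
TEMP_RE = re.compile(r"\\(?:Temp|LOCALS~1)\\", re.IGNORECASE)


def parse_hjt(text):
    """Return (code, body) pairs for each HijackThis entry; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def _executable(cmd):
    """First token of a Run command: the quoted path if quoted, else up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(entries):
    """Return (code, severity, reason, body) for each entry worth a second look."""
    findings = []
    for code, body in entries:
        if "(no file)" in body:
            findings.append((code, "low", "orphaned entry: referenced file is missing", body))
        elif code in ("R0", "R1"):
            m = re.search(r"=\s*(\S+)$", body)
            host = (urlparse(m.group(1)).hostname or "").lower() if m else ""
            if host and host not in TRUSTED_HOSTS:
                findings.append((code, "high", f"IE page setting points at untrusted host {host}", body))
        elif code == "O4":
            m = RUN_RE.search(body)
            if m and "\\" not in _executable(m.group("cmd")):
                findings.append((code, "high", "Run entry names a bare file resolved via PATH, no full path", body))
        elif code == "O7" and re.search(r"Disable\w+=1", body):
            findings.append((code, "high", "system policy disables an administrative tool", body))
        elif code in ("O20", "O21", "O22") and TEMP_RE.search(body.rsplit(" - ", 1)[-1]):
            findings.append((code, "high", "in-process DLL loaded from a temporary directory", body))
    return findings


def triage_text(text):
    """Parse and triage a whole log in one call."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for code, severity, reason, body in triage_text(SAMPLE_LOG):
        print(f"[{severity:4}] {code}: {reason}\n        {body}")
```

On the sample this flags the HKCU start page, the orphaned BHO, the `ltfshlex.exe` Run entry, the DisableRegedit policy and the Temp-resident SharedTaskScheduler DLL, and leaves the AVG and Yahoo entries alone. The point of the path check is that a Run value holding only a file name is resolved through the PATH search order, which is why a full path is the first thing an analyst wants to see.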

>> more info <<

Post by daveb123 » September 2nd, 2007, 8:48 pm

Hello, can anyone please help me????
I am running Windows XP Professional.

And have the following problems.
1. Homepage changed / cannot reset original as it just alters it back to this non-existent one.
2. Desktop background changed / cannot reset original as it changes back to a blank one.
(dll file)
3. Cannot use System Restore
4. Cannot use Ctrl/Alt/Del sequence
5. Constant pop-ups claiming to be from WINDOWS XP SECURITY CENTRE???
saying: install and run / drive cleaner tools /
winantivirus / spyware cleaner
Pop-ups also say that my system is infected.
6. There are dll files all over my computer, i.e. temp internet files / desktop / even in recycle bin!! and they won't allow me to delete them.
++++++++++++++++++++++++++++++++

I have run:
1. AVG anti virus / finds nothing
2. adware / finds nothing
3. PC Tools Spyware Doctor finds 33 items and deletes them, however problems remain
4. RogueRemover finds nothing

During the course of running all the above a pop-up, I think from XP, says that there is an access violation to an address???

Then it continues scanning.

Can anybody help me please and tell me what to do step by step... I am half decent with a PC but no expert.

Thanks in advance, Dave :)
daveb123
Active Member
 
Posts: 9
Joined: September 2nd, 2007, 8:32 pm
Location: northwest

Post by Katana » September 6th, 2007, 3:45 pm

Hello Dave and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.


Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

A quick question, then we will get down to some investigation.
Is there a specific reason that you haven't updated your XP install? Service Pack 2 has been out for a long time now.
SmitFraud Look
Please download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Installed Programs
Please could you give me a list of the programs that are installed. This will help me create a fix for you.
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list of the programs installed on your computer.
Click on the Save list button and specify where you would like to save this file.
When you press the Save button, Notepad will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.

TotalScan

Please go to this site: TotalScan
  • Under Scan Now click the Full Scan button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • SmitFraud Log
  • Install List
  • TotalScan Log
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by daveb123 » September 6th, 2007, 9:55 pm

SmitFraudFix v2.221

Scan done at 2:50:11.22, 07/09/2007
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\VM_STI.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FAMTAIE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\Tasks\At?.job FOUND !
C:\WINDOWS\Tasks\At??.job FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{24E31EA9-FCE2-404F-BD80-20543565D946}"="Windows Installer Class"

[HKEY_CLASSES_ROOT\CLSID\{24E31EA9-FCE2-404F-BD80-20543565D946}\InProcServer32]
@="C:\DOCUME~1\user\LOCALS~1\Temp\~~install.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{24E31EA9-FCE2-404F-BD80-20543565D946}\InProcServer32]
@="C:\DOCUME~1\user\LOCALS~1\Temp\~~install.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel 8255x-based PCI Ethernet Adapter (10/100) - Packet Scheduler Miniport
DNS Server Search Order: 194.168.4.100
DNS Server Search Order: 194.168.8.100

HKLM\SYSTEM\CCS\Services\Tcpip\..\{29827F70-5D29-43BE-A966-899637C2C654}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{29827F70-5D29-43BE-A966-899637C2C654}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{29827F70-5D29-43BE-A966-899637C2C654}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
daveb123
Active Member
 
Posts: 9
Joined: September 2nd, 2007, 8:32 pm
Location: northwest

Post by daveb123 » September 6th, 2007, 10:01 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:01:08, on 07/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\VM_STI.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FAMTAIE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Documents and Settings\user\Desktop\HiJackThis.exe

O24 - Desktop Component 0: (no name) - http://freeteenstars.com/ContentImages/ ... pics03.jpg

--
End of file - 1558 bytes
daveb123
Active Member
 
Posts: 9
Joined: September 2nd, 2007, 8:32 pm
Location: northwest

Post by daveb123 » September 7th, 2007, 5:35 am

;***********************************************************************************************************************************************************************************
ANALYSIS: 2007-09-07 10:23:14
PROTECTIONS: 0
MALWARE: 31
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00032731 application/mywebsearch HackTools No 0 Yes No hkey_classes_root\clsid\{147a976f-eee1-4377-8ea7-4716e4cdd239}
00032731 application/mywebsearch HackTools No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
00032731 application/mywebsearch HackTools No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239}
00032731 application/mywebsearch HackTools No 0 Yes No hkey_classes_root\clsid\{147a976e-eee1-4377-8ea7-4716e4cdd239}
00032731 application/mywebsearch HackTools No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search\
00034463 adware/wupd Adware No 0 Yes No hkey_classes_root\install.install
00034463 adware/wupd Adware No 0 Yes No hkey_classes_root\install.install.1
00041278 bck/galapoper.a Virus/Trojan No 1 Yes No c:\windows\system32\winsub.xml
00041278 bck/galapoper.a Virus/Trojan No 1 Yes No c:\windows\system32\svcp.csv
00096053 application/funweb HackTools No 0 Yes No c:\windows\downloaded program files\f3initialsetup1.0.0.8.inf
00096053 application/funweb HackTools No 0 Yes No c:\windows\downloaded program files\f3initialsetup1.0.0.15-3.inf
00096053 application/funweb HackTools No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@trafficmp[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@atdmt[2].txt
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{4EE05E66-D5B7-4E53-8215-AA7F94168D44}\RP788\A0304152.exe
00144497 Cookie/Intelli-tracker TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@www.intelli-tracker[1].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@tradedoubler[2].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@247realmedia[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@mediaplex[1].txt
00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@ccbill[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@com[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@statcounter[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@bs.serving-sys[2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@adtech[2].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@server.iad.liveperson[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@advertising[1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@adrevolver[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@statse.webtrendslive[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@questionmarket[2].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@bluestreak[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@adrevolver[1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@ads.addynamix[2].txt
00517584 Application/SuperFast HackTools No 0 Yes No C:\System Volume Information\_restore{4EE05E66-D5B7-4E53-8215-AA7F94168D44}\RP788\A0304154.exe
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
daveb123
Active Member
 
Posts: 9
Joined: September 2nd, 2007, 8:32 pm
Location: northwest
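The TotalScan report above lists 31 detections, but most are tracking cookies, two are copies sitting inside System Restore snapshots, and one (`Process.exe`) is the SmitfraudFix helper Katana's note warned would be reported as a RiskTool. Sorting that out by eye is tedious, so here is an added example (not Panda's code, and not part of this thread) that parses the MALWARE table into rows, counts by type and separates what actually needs attention; the row format is inferred from the report and the sample rows are a subset of the ones posted above.

```python
"""Summarise a Panda ActiveScan/TotalScan text report of the kind posted
above: parse the MALWARE table, count detections by type, and separate what
merits attention from tracking cookies and restore-point copies.
Added example, not Panda's code; the row format is inferred from the report."""
import re
from collections import Counter

# Rows taken from the report above (a constructed subset, same format).
SAMPLE_REPORT = r"""
;=====
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=====
00032731 application/mywebsearch HackTools No 0 Yes No hkey_classes_root\clsid\{147a976f-eee1-4377-8ea7-4716e4cdd239}
00034463 adware/wupd Adware No 0 Yes No hkey_classes_root\install.install
00041278 bck/galapoper.a Virus/Trojan No 1 Yes No c:\windows\system32\winsub.xml
00041278 bck/galapoper.a Virus/Trojan No 1 Yes No c:\windows\system32\svcp.csv
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@trafficmp[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@atdmt[2].txt
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{4EE05E66-D5B7-4E53-8215-AA7F94168D44}\RP788\A0304152.exe
;=====
"""

# Description may contain spaces ("Cookie/Atlas DMT"), so it is matched
# non-greedily and anchored by the fixed Yes/No and severity columns.
ROW_RE = re.compile(
    r"^(?P<id>\d{8}) (?P<description>.+?) (?P<type>\S+) (?P<active>Yes|No) "
    r"(?P<severity>\d+) (?P<disinfectable>Yes|No) (?P<disinfected>Yes|No) (?P<location>.+)$"
)
# System Restore keeps its own copies of files under this path; they are
# inert unless a restore point is applied.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore", re.IGNORECASE)


def parse_activescan(text):
    """Return one dict per MALWARE row; headers, separators and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["severity"] = int(row["severity"])
            for key in ("active", "disinfectable", "disinfected"):
                row[key] = row[key] == "Yes"
            rows.append(row)
    return rows


def summarize(rows):
    """Counts by type, plus the non-cookie rows ordered by severity (highest first)."""
    by_type = Counter(r["type"] for r in rows)
    attention = [r for r in rows if r["type"] != "TrackingCookie"]
    attention.sort(key=lambda r: r["severity"], reverse=True)  # stable: ties keep report order
    return {
        "total": len(rows),
        "by_type": dict(by_type),
        "max_severity": max((r["severity"] for r in rows), default=0),
        "restore_point_hits": sum(1 for r in rows if RESTORE_RE.search(r["location"])),
        "removed": sum(1 for r in rows if r["disinfected"]),
        "needs_attention": attention,
    }


if __name__ == "__main__":
    s = summarize(parse_activescan(SAMPLE_REPORT))
    print(f"{s['total']} detections, {s['removed']} removed, by type: {s['by_type']}")
    print(f"{s['restore_point_hits']} in System Restore snapshots (inert until restored)")
    for r in s["needs_attention"]:
        print(f"sev {r['severity']} {r['type']:<12} {r['description']:<24} {r['location']}")
```

Two things the summary makes visible that the raw table does not: every row has `Disinfected No`, so the scan reported and removed nothing, and the only severity-1 entries are the two `bck/galapoper.a` files in `system32`, which is what a helper would act on first.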

Post by daveb123 » September 7th, 2007, 5:37 am

Hello Katana,
I have done what you asked.
And I can't update Windows XP as I have lost the key code and didn't register programme :(
Thanks, Dave
daveb123
Active Member
 
Posts: 9
Joined: September 2nd, 2007, 8:32 pm
Location: northwest

Post by Katana » September 7th, 2007, 3:50 pm

Hi Dave,
> And I can't update Windows XP as I have lost the key code and didn't register programme

Your system already has SP1 installed, so you should be able to update without needing a key code.
Have you tried updating? What error did you get, if any?

We will need to sort this, because you will be open to reinfection.

Please run the MGA Diagnostic Tool and post back the report it creates:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.

SmitFraud Fix
Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


Download and Run ComboFix
Note: Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • SmitFraud Log
  • ComboFix Log
  • MGA Diagnostic Report
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by daveb123 » September 8th, 2007, 1:04 am

Diagnostic Report (1.7.0039.0):
-----------------------------------------
WGA Data-->
Validation Status: Blocked VLK
Detailed Status: N/A
Cached / Grace status: N/A, N/A
Windows Product Key: *****-*****-QTGCY-8FFWV-94CYP
Windows Product Key Hash: pxa73KFNDNrI5SjRtiaQRb9EGAA=
Windows Product ID: 55274-647-8875885-23696
Windows Product ID Type: 1
CSVLK Server: N/A
CSVLK PID: N/A
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.1.0.pro
ID: {0BEBE222-EAC0-4586-B005-2D5BF4B82F5E}(1)
Is Admin: Yes
Commit / Reboot / BRT: N/A, N/A, N/A
WGA Version: Failed to retrieve file version. - 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

Notifications Data-->
Cached Result: N/A
File Exists: No
Version: N/A
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 114 Blocked VLK 2
OGA Version: Failed to retrieve file version. - 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: FCEE394C-2993-80070002_025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\PROGRA~1\MOZILL~1\FIREFOX.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control:
Active scripting:
Script ActiveX controls marked as safe for scripting:

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{0BEBE222-EAC0-4586-B005-2D5BF4B82F5E}</UGUID><Version>1.7.0039.0</Version><OS>5.1.2600.2.00010100.1.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-94CYP</PKey><PID>55274-647-8875885-23696</PID><PIDType>1</PIDType><SID>S-1-5-21-789336058-1708537768-1060284298</SID><SYSTEM><Manufacturer>IBM</Manufacturer><Model>6893BG1</Model></SYSTEM><BIOS><Manufacturer>IBM</Manufacturer><Version>NVKT58AUS</Version><SMBIOSVersion major="2" minor="1"/><Date>20010719******.******+***</Date></BIOS><HWID>B95B3BC701840049</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/></MachineData> <Software><Office><Result>114</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>59D1605114E3500</Val><Hash>vfZmaSmFPIYrLWTcZSZErUQg+Fo=</Hash><Pid>73931-640-0000106-57119</Pid><PidType>14</PidType></Product></Products></Office></Software></GenuineResults>
daveb123
Active Member
 
Posts: 9
Joined: September 2nd, 2007, 8:32 pm
Location: northwest

comboFix Log

Unread postby daveb123 » September 8th, 2007, 1:45 am

ComboFix 07-09-08.7 - "user" 2007-09-08 6:37:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.87 [GMT 1:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Guest\Desktop\internet.lnk
C:\Program Files\Common Files\{20173~1
C:\Program Files\Common Files\{20173~1\directordll.lzma
C:\Program Files\Common Files\{20173~1\directorexe.lzma
C:\Program Files\Common Files\{30173~1
C:\Program Files\Common Files\{30173~1\toolbardll.lzma
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml


((((((((((((((((((((((((( Files Created from 2007-08-08 to 2007-09-08 )))))))))))))))))))))))))))))))
.

2007-09-08 06:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 06:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-09-07 03:04 <DIR> d-------- C:\Program Files\Panda Security
2007-09-07 02:50 2,544 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-07 02:49 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-07 02:49 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-07 02:49 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-07 02:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-03 02:54 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2007-09-02 21:45 <DIR> d-------- C:\Program Files\RogueRemover PRO
2007-08-29 22:33 <DIR> d-------- C:\WINDOWS\system32\config\SYSTEM~1\APPLIC~1\Real
2007-08-29 21:30 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-29 21:04 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-27 10:40 <DIR> d-------- C:\Program Files\SoftPortal
2007-08-27 10:30 378,596 --a------ C:\WINDOWS\system32\head.exe
2007-08-24 09:46 406,805 --a------ C:\WINDOWS\system32\rt25.exe
2007-08-08 16:30 19,456 --a------ C:\WINDOWS\system32\OnlineScannerLang.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-07 16:18 --------- d-------- C:\Program Files\EPSON Print CD
2007-09-02 21:45 2015 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-08-30 02:34 --------- d-------- C:\Program Files\Google
2007-08-29 23:26 --------- d-------- C:\Program Files\Lavasoft
2007-08-29 23:26 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Lavasoft
2007-08-29 23:25 --------- d-------- C:\Program Files\DivX
2007-08-29 22:41 --------- d-------- C:\Program Files\Common Files\Real
2007-08-29 22:14 --------- d-------- C:\Program Files\Zango Messenger
2007-08-10 16:49 --------- d-------- C:\DOCUME~1\user\APPLIC~1\LimeWire
2007-08-02 18:11 241664 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-27 15:49 225355 --a------ C:\WINDOWS\system32\lnod32apiW.dll
2007-07-27 15:49 196683 --a------ C:\WINDOWS\system32\lnod32apiA.dll
2007-06-13 11:10 77824 --a------ C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2005-05-17 22:40 552096 --a------ C:\Program Files\GoogleToolbarInstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF3446E8-FC32-4E55-9C56-0B8DA015FC10}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C46 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-05 23:50]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2005-04-11 09:36]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" []
"EPSON Stylus Photo R220 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.exe" [2005-03-09 05:00]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2005-02-22 07:30]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-03 02:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 04:41]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]
"awo4RUjpP"="ltfshlex.exe" []
"Boots Insert Detect"="C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe" []
"EPSON Stylus Photo R220 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.exe" [2005-03-09 05:00]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [2005-10-27 11:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Magnify"=Magnify.exe
"RunNarrator"=Narrator.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Ulead Photo Express Calendar Checker For My Custom Edition.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe [2005-04-27 15:57:27]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{24E31EA9-FCE2-404F-BD80-20543565D946}"= C:\DOCUME~1\user\LOCALS~1\Temp\~~install.dll [ ]

R3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINDOWS\System32\drivers\cwbwdm.sys
S0 FPA_RTP;FPA_RTP;C:\WINDOWS\System32\Drivers\FSTOPW.SYS
S3 V0260VID;Live! Cam Vista IM;C:\WINDOWS\System32\DRIVERS\V0260Vid.sys
S3 Z302Mic;Vimicro Z302 Mic Audio Filter Driver;C:\WINDOWS\System32\drivers\UsbMicfilt.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-08 05:00:00 C:\WINDOWS\Tasks\AFDAE04891A19184.job"
- c:\docume~1\user\applic~1\16blah~1\Test Intra Knob.exe
"2007-09-06 23:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-07 08:00:01 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-07 09:00:00 C:\WINDOWS\Tasks\At11.job"
"2007-09-07 10:00:01 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-07 11:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-07 12:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-07 13:00:00 C:\WINDOWS\Tasks\At15.job"
"2007-09-07 14:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-07 15:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-06 16:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-06 17:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-07 00:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-06 18:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-06 19:00:00 C:\WINDOWS\Tasks\At21.job"
"2007-09-06 20:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-06 21:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-06 22:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-07 01:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-07 02:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-08 03:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-08 04:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-08 05:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-07 06:00:00 C:\WINDOWS\Tasks\At8.job"
"2007-09-07 07:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\Y8IGPPdu.exe
"2007-09-08 04:43:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 06:40:06
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

C:\WINDOWS\system32\cmd.exe [2872] 0x81785020


scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-08 6:41:52
C:\ComboFix-quarantined-files.txt ... 2007-09-08 06:41
.
--- E O F ---
daveb123
Active Member
 
Posts: 9
Joined: September 2nd, 2007, 8:32 pm
Location: northwest

PROBLEM WITH INSTRUCTIONS

Unread postby daveb123 » September 8th, 2007, 1:52 am

Hello Katana,

In answer to your question about updating XP.
I haven't tried / don't know how to?
Please tell me what to do step by step.

------------------------------------------------------

I could not load SMITFRAUD FIX
after booting in safe mode.

1. The text once in safe mode on screen was really big.
2. I could not open the internet to find your instruction page
as the net wouldn't load.
3. You didn't put a link on for me to click, and I can't see the programme on my screen / PC?

-------------------------------------------------------

I have done the other 2 things that you asked and posted log files.
I don't know if this will affect your fixing programme as it was not done in order, as I couldn't do stage 2, the SmitFraud Fix thing.


Thank you for your help....
What do I do now??

Dave x
daveb123
Active Member
 
Posts: 9
Joined: September 2nd, 2007, 8:32 pm
Location: northwest

Unread postby Katana » September 8th, 2007, 4:56 am

Hi daveb123,
It seems from your returned report that your copy of windows xp is not legitimate.
Validation Status: Blocked VLK
A "Blocked VLK" is a Volume License Key that is valid but was licensed solely to a corporation or larger enterprise/business.
Blocked VLKs are Product Keys that Microsoft has received consent from the original owner to block its usage.
A VL Product Key is non-transferable to individuals.

Your Copy of Office also has a Blocked VLK

For that reason I'm not able at this point to assist you with the clean up of your computer.
I'm bound by forum policy on this matter. >>> SEE HERE
If you purchased this copy of XP from a reseller or retailer, you are a victim and should report this to Microsoft.

In order to resolve your non-genuine licensing issue, please visit:
http://www.microsoft.com/genuine and click on "Validate Windows".
When validation fails, you'll see a button to click on which will provide information on how to acquire a WGA Kit.
You could also ask for help at the Microsoft Genuine Advantage forums
http://forums.microsoft.com/genuine/def ... ?siteid=25

Many people have unlicensed copies of Windows and don't even realise it.
Unfortunately, unlicensed copies of Windows are unable to install the Critical Updates / Service Packs
which are vital for the safe and 'relatively' secure running of the Operating System.
Our Helpers would be wasting their time fixing an unpatched machine as reinfection is usually immediate.

Your options are:

1. Obtain and install a valid copy of Windows XP
2. Install a different OS, such as Linux
3. Do not connect this computer to the internet
4. Reformat and re-install each time your system becomes unusable due to malware infestations

Good luck
Please delete the following,
ComboFix.exe
SmitFraud Fix.exe

You can also delete any logs we have produced.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby Elrond » September 10th, 2007, 7:28 am

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem