Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Maleware removal

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Maleware removal

Unread postby blkpagoda » July 10th, 2008, 5:51 am

My computer suddenly started behaving erratically while I was on yahoo messenger.It gave a message to me "you cannot send more than 3 messeges.." at the same time the mouse right key got disabled and the windows went to shut off automatically.I used another profile to boot in and then cleared ie6 history and files.I have also ran hjt and I am attaching the log.Please help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:34 AM, on 7/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\runservice.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\CAP4RSK.EXE
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: I.R.I.S. Desktop Search - {577EBCA9-8ED3-45FC-A514-55B3817D4BCF} - C:\Program Files\IRIS Desktop Search\IRISDesktopSearchIntegration910.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd5.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINNT\system32\intell321.exe
O4 - HKLM\..\Run: [System] C:\WINNT\system32\kernels8.exe
O4 - HKLM\..\Run: [6476cde3.exe] C:\WINNT\system32\6476cde3.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [6476cde3.exe] C:\Documents and Settings\SMOHAPATRA1\Local Settings\Application Data\6476cde3.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] (User 'Default user')
O4 - Global Startup: Canon LBP3200 Status Window.LNK = C:\WINNT\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... jhtml?p=ZS
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.0.15.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/i ... 81df7d3354
O17 - HKLM\System\CCS\Services\Tcpip\..\{769D874B-DF0D-4BCA-8356-85D0CBCB31BD}: NameServer = 218.248.255.162 218.248.255.139
O20 - Winlogon Notify: Explorer - C:\WINNT\system32\en0ul1d91.dll (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINNT\runservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINNT\warnhp.html

--
End of file - 7195 bytes
blkpagoda
Active Member
 
Posts: 9
Joined: July 10th, 2008, 5:36 am
Advertisement
Register to Remove

Re: Maleware removal

Unread postby mjq424 » July 10th, 2008, 1:01 pm

Hello, and welcome to Malware Removal Forums.
My name is Matt and I will be assisting you with your malware issues.
Please be patient as I need some time to review your HijackThis log and I will post back recommendations for repairs.
As I am still on training, everything that I post to you, must be checked by a Teacher. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.

  • Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck in there please reply it to me. I will try my best to help you! Not having symptoms of malware doesn't mean that you are clean!
  • Please do not carry out tasks on your own before I reply as this will only complicate things and may mean that my instructions are useless or dangerous!
  • Please bookmark or favourite this page. In case you need it as reference or etc.
User avatar
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: Maleware removal

Unread postby mjq424 » July 13th, 2008, 7:17 am

Hi
You aren't running Anti Virus Software

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert you if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEditionClassic

2) avast! 4 Home Edition

3) AVG Anti-Virus Free Edition

You must be a home computer user using your PC for non-commercial purposes

Go to Start > Control Panel > Display (Display properties) > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there (except for "My current home page")

Please download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
    ***IMPORTANT*** - If you cannot get into Safe Mode using this method, please STOP and tell me!
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

===============================
In your next reply can I please see the following:
  • Smitfraudfix
  • SDFix
  • a new HijackThis log
User avatar
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: Maleware removal

Unread postby blkpagoda » July 13th, 2008, 2:02 pm

I had tally 7.2 which is a acconting package which had all my entries particula account name.I now find that the particular accont name has been corrupted and I am not able access my data.Could this have happened due to maleware.I want to inform that my pc was misbehaving when I booted up ie the screen kept changing and I was not able to use my right mouse key button.When I rebooted iafter pressing f8 I was informed by windows that I would be rebooting using a profile using the windows was able to boot perfectly the last time.I click enter.Could this choice for booting my computer have cause damage to my accounts package?Because after that the windows stopped misbehaving.
blkpagoda
Active Member
 
Posts: 9
Joined: July 10th, 2008, 5:36 am

Re: Maleware removal

Unread postby mjq424 » July 14th, 2008, 4:20 am

Hi
Many things can corrupt data, malware is one of them. Have you performed the scans I requested? If so, please copy and paste the logs into your next reply.
User avatar
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: Maleware removal

Unread postby mjq424 » July 17th, 2008, 2:25 am

Hi
Do you still need assistance?
User avatar
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: Maleware removal

Unread postby blkpagoda » July 19th, 2008, 8:50 am

I have been a little busy with other matters.I have installed avira anti virus meanwhile.I still have problem accessing my Accounts data.I will get back to you after I take the steps asked of me.
blkpagoda
Active Member
 
Posts: 9
Joined: July 10th, 2008, 5:36 am

Re: Maleware removal

Unread postby mjq424 » July 19th, 2008, 9:29 am

OK. :thumbup: I'll be waiting
User avatar
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: Maleware removal

Unread postby blkpagoda » July 22nd, 2008, 1:31 am

I am attaching the SDFix report after running the scan in safe mode.I would like to mention here that my computer has slowed down considerably after I installed Avira antivirus personal edition.My accounts data is still corrupt.
You do not have the required permissions to view the files attached to this post.
blkpagoda
Active Member
 
Posts: 9
Joined: July 10th, 2008, 5:36 am

Re: Maleware removal

Unread postby mjq424 » July 22nd, 2008, 3:19 am

Hi
Thanks for the SDFix report. Can you post the Smitfraudfix report and a new HijackThis log please? There is no need to attach the logs to the thread, they will fit in your posts. This makes it easier for me to review them.
Thanks
User avatar
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: Maleware removal

Unread postby blkpagoda » July 22nd, 2008, 6:21 am

SDFix: Version 1.207
Run by SMOHAPATRA1 on Tue 07/22/2008 at 10:43 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\SMOHAP~1\Desktop\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\SMOHAPATRA1\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.redtube.com\settings.sol - Deleted
C:\DOCUME~1\SMOHAP~1\LOCALS~1\Temp\TMP3A.tmp - Deleted
C:\DOCUME~1\SMOHAP~1\LOCALS~1\Temp\tmp24.tmp - Deleted
C:\WINNT\system32\dlh9jkdq8.exe - Deleted
C:\WINNT\system32\vx.tll - Deleted



Folder C:\Documents and Settings\SMOHAPATRA1\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.redtube.com - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 10:49:41
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\DOCUME~1\SMOHAP~1\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 4 Jan 2006 953 A.SH. --- "C:\WINNT\system32\mmf.sys"
Sat 26 Jan 2008 48 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Sat 26 Jan 2008 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Sat 26 Jan 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 26 Jan 2008 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v3ks.bla.bak"
Fri 24 Jan 2003 65,952 ..SHR --- "C:\Program Files\Autodesk\Autodesk Express Viewer\Setup.exe"
Wed 7 May 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT84.tmp"
Wed 12 Dec 2007 6,934,488 A..H. --- "C:\WINNT\SoftwareDistribution\Download\b6b8211a5dc0636ae3d15bf626ce10d3\BIT34.tmp"
Sat 12 Jul 2008 1,131,560 A..H. --- "C:\WINNT\SoftwareDistribution\Download\94e2de28cb8ee27606822ca199876d4a\BIT2A.tmp"
Sun 20 Jul 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BITCF.tmp"
Wed 16 Jul 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\85d72ebd3332986fe72a8378dc1d1a21\BIT3.tmp"
Mon 21 Jul 2008 1,131,560 A..H. --- "C:\WINNT\SoftwareDistribution\Download\d8d19e7b16e1dafba6906abfdd61b4f9\BITD8.tmp"
Thu 22 Nov 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\410ff09308a833491dba7686f0aee2eb\BIT12.tmp"
Tue 27 Nov 2007 478,960 A..H. --- "C:\WINNT\SoftwareDistribution\Download\208c1a8c52f47d7b2df4baa21f58d3da\BIT7.tmp"
Tue 15 Jul 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 27 Jan 2008 20 A..H. --- "C:\Documents and Settings\SMOHAPATRA1\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 26 Jan 2008 4,348 ...H. --- "C:\Documents and Settings\SMOHAPATRA1\My Documents\My Music\License Backup\drmv1key.bak"
Sun 27 Jan 2008 1,536 A..H. --- "C:\Documents and Settings\SMOHAPATRA1\My Documents\My Music\License Backup\drmv2lic.bak"
Sat 26 Jan 2008 488 ...H. --- "C:\Documents and Settings\SMOHAPATRA1\My Documents\My Music\License Backup\drmv2key.bak"
Fri 18 Nov 2005 29,696 ...H. --- "C:\Documents and Settings\SMOHAPATRA1\Application Data\Microsoft\Templates\~WRL0004.tmp"
Thu 27 Dec 2007 19,968 ...H. --- "C:\Documents and Settings\SMOHAPATRA1\Application Data\Microsoft\Word\~WRL0004.tmp"
Mon 3 Mar 2008 19,456 ...H. --- "C:\Documents and Settings\SMOHAPATRA1\Application Data\Microsoft\Word\~WRL0003.tmp"
Mon 3 Mar 2008 19,968 ...H. --- "C:\Documents and Settings\SMOHAPATRA1\Application Data\Microsoft\Word\~WRL0005.tmp"
Sat 15 Mar 2008 30,720 ...H. --- "C:\Documents and Settings\SMOHAPATRA1\Application Data\Microsoft\Word\~WRL0006.tmp"
Tue 6 May 2008 19,456 ...H. --- "C:\Documents and Settings\SMOHAPATRA1\Application Data\Microsoft\Word\~WRL0007.tmp"
Wed 7 May 2008 25,088 ...H. --- "C:\Documents and Settings\SMOHAPATRA1\Application Data\Microsoft\Word\~WRL2929.tmp"
Tue 20 May 2008 19,456 ...H. --- "C:\Documents and Settings\SMOHAPATRA1\Application Data\Microsoft\Word\~WRL0008.tmp"
Tue 20 May 2008 19,456 ...H. --- "C:\Documents and Settings\SMOHAPATRA1\Application Data\Microsoft\Word\~WRL2967.tmp"
Mon 9 Jun 2008 19,968 ...H. --- "C:\Documents and Settings\SMOHAPATRA1\Application Data\Microsoft\Word\~WRL0009.tmp"
Sat 21 Jun 2008 20,992 ...H. --- "C:\Documents and Settings\SMOHAPATRA1\Application Data\Microsoft\Word\~WRL0010.tmp"
Mon 14 Jul 2008 8,246 A..H. --- "C:\Documents and Settings\SMOHAPATRA1\Application Data\Microsoft\Office\Shortcut Bar\Off4s.tmp"
Mon 14 Jul 2008 8,246 A..H. --- "C:\Documents and Settings\SMOHAPATRA1\Application Data\Microsoft\Office\Shortcut Bar\Off4h.tmp"
Mon 21 Jul 2008 7,318 A..H. --- "C:\Documents and Settings\SMOHAPATRA1\Application Data\Microsoft\Office\Shortcut Bar\Off4.tmp"

Finished!
blkpagoda
Active Member
 
Posts: 9
Joined: July 10th, 2008, 5:36 am

Re: Maleware removal

Unread postby mjq424 » July 22nd, 2008, 6:33 am

Hi
Sorry, that's still a SDFix report log. My previous instructions may not have been clear enough so I will repeat them:

Please download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
User avatar
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: Maleware removal

Unread postby blkpagoda » July 22nd, 2008, 7:14 am

here is smitfix rapport.
SmitFraudFix v2.331

Scan done at 16:27:51.50, Tue 07/22/2008
Run from C:\Documents and Settings\SMOHAPATRA1\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8223007F-F20B-45B2-9475-128537789417}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8223007F-F20B-45B2-9475-128537789417}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning not selected.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
blkpagoda
Active Member
 
Posts: 9
Joined: July 10th, 2008, 5:36 am

Re: Maleware removal

Unread postby mjq424 » July 23rd, 2008, 2:22 am

Hi
Please follow my instructions carefully. You have run the fix with Smitfraudfix which is dangerous if there are no infected files. If you carry out steps other than my instructions you may end up seriously damaging your system resulting in a reformat+reinstall of Windows.

Post a New HJT Log
Reboot your computer. Start HijackThis. Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents into your next reply.
User avatar
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: Maleware removal

Unread postby blkpagoda » July 23rd, 2008, 8:20 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:38:07, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
C:\WINNT\system32\CAP4RSK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\runservice.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\WINNT\system32\wscntfy.exe
C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: I.R.I.S. Desktop Search - {577EBCA9-8ED3-45FC-A514-55B3817D4BCF} - C:\Program Files\IRIS Desktop Search\IRISDesktopSearchIntegration910.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd5.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINNT\system32\intell321.exe
O4 - HKLM\..\Run: [6476cde3.exe] C:\WINNT\system32\6476cde3.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [6476cde3.exe] C:\Documents and Settings\SMOHAPATRA1\Local Settings\Application Data\6476cde3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] (User 'Default user')
O4 - Global Startup: Canon LBP3200 Status Window.LNK = C:\WINNT\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... jhtml?p=ZS
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{769D874B-DF0D-4BCA-8356-85D0CBCB31BD}: NameServer = 218.248.255.162 218.248.255.139
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINNT\runservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINNT\warnhp.html

--
End of file - 9293 bytes
blkpagoda
Active Member
 
Posts: 9
Joined: July 10th, 2008, 5:36 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 31 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware