
antispynet owns me

Unread postby whisperer » November 2nd, 2006, 4:34 pm

I guess that your smile is going to be a bit bigger than mine but not by much :D

Hopefully back to you again later this evening with a progress report

GT :thumbup:
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby whisperer » November 2nd, 2006, 6:01 pm

Back again,

I am still working on the earlier logs and have found nothing to concern me yet, but I am pleased to say that the HijackThis log appears to be clean! You do have a few programs that are running unnecessarily, thereby taking up resources, and one that is rather restrictive in use. I have recommended that they be stopped from within HJT; this does not mean that they are deleted, just stopped.

The DirectCD writer is not recommended for use because CDs created by it are normally only able to be read by a similar CDROM, not much use if you are backing up your data. I note that you have EasyCD available and Nero; both of these are very good, as is Windows' own version.

The first two entries are a link from Microsoft advising you that your homepage has been hijacked, please, after clearing these entries then reset your homepage as required.

Start your HijackThis and click on Scan
  1. Click in the check-box to the left of each of the following entries, if found
    • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId= ... ar=msnhome
    • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId= ... r.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    • O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    The next three are the resource hogs:
    • O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    • O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    • O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
  2. With all windows closed except HijackThis, select Fix Checked

I am expecting Navigator back within the next couple of days so will leave him to carry on unless I find something urgent in the ComboFix logs.

GT :thumbup:

Unread postby hiofisr » November 3rd, 2006, 12:54 pm

I've noticed that my Windows firewall is disabled and cannot be started. Is this related?
hiofisr
Active Member
 
Posts: 14
Joined: October 24th, 2006, 2:54 pm

Unread postby whisperer » November 3rd, 2006, 1:39 pm

Related to attacks by Malware - Yes.

If that is the only Firewall that you have then, as a matter of urgency, obtain a better one as soon as practical. I cannot stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.

Computer Safety Online - Software Firewalls: http://www.malwareremoval.com/forum/viewtopic.php?p=56#56

A tutorial on Understanding and Using Firewalls can be found at http://www.bleepingcomputer.com/tutoria ... ial60.html

Unread postby Navigator » November 4th, 2006, 1:09 am

Hey hiofisr...I'm back.

Many thanks to Whisperer for lending a hand in my absence!

While I agree with Whisperer that the HJT looks much improved, I am a bit concerned about your ComboFix log that you ran earlier....

It is chock full of malware, and it seems that it all was loaded onto your machine beginning the 23rd of October (coincidentally when you appeared to load a bunch of anti-spyware/malware tools to try and correct the problem I would assume).

The malware indicated by the ComboFix log contains multiple trojan downloaders, an RBot (potentially a serious security risk) and even a commercial keylogger (from AceSpy) that if you did not install, would be a serious concern. I would be VERY wary of this computer's security if used for any purpose of a secure nature (financial, personal, business etc.), especially considering that your Windows Firewall was disabled also, possibly by the malware. Did you follow Whisperer's instructions to obtain a software firewall?

It would be most helpful to have an AVG/Ewido log to see what it found and cleaned to compare it to the ComboFix log. If you would, please try these instructions for AVG/Ewido again in addition to the other scans I would like to see:

1. Locate the AVG/Ewido icon on the desktop and double-click it to launch the program.
  • Run Ewido and update the definition files.
  • On the main screen select the icon "Update", then select the "Update now" link.
  • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports":
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
  • Close AVG Anti-Spyware. Do NOT run a scan just yet; we will shortly.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • Ewido will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG and reboot your system back into Normal Mode.

2. Re-run ComboFix as you did before using the prior instructions

3. Download and Save Blacklight to your desktop:

  • Double-click on blbeta.exe.
  • Click on Scan.
  • Once the Scan is Finished, click on Next.
  • Click on Exit.
  • A new document will be produced on the desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stands for numbers).
  • Open this document with Notepad.
  • Copy and Paste its contents in a reply.

Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

4. Post back with:
  • the AVG/Ewido report
  • the new ComboFix log
  • the Blacklight log
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby hiofisr » November 6th, 2006, 6:06 pm

Let me begin by thanking you both once again for your continued assistance. I appreciate your checking my previous logs for residual hazardous material. Whisperer, I completed your latest HijackThis recommendations, and thanks for the extra knowledge regarding my local resource hogs. FYI, I use DirectCD only to read CDs created by other unsuspecting DirectCD users, not for my own CD creation.

As for the firewall bit, I've also done some research on problems related to a disabled Windows Firewall and found evidence of missing files, which I'll continue to troubleshoot via the Microsoft Knowledge Base. I am open to acquiring another software firewall, but I thought the following is first worth mentioning: I recently put into commission a Netgear ProSafe VPN Firewall (FVS124G) which touts a robust firewall. With regard to this, should I still continue down the avenue of an additional software firewall?

OK Navigator, now on with your latest prescription. I've completed your recommended tasks, including re-running combofix. The logs are below:

AVG report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:54:41 PM 11/6/2006

+ Scan result:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antispyware Soldier_is1 -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00110011-4B0B-44D5-9718-90C88817369B} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{086AE192-23A6-48D6-96EC-715F53797E85} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11904CE8-632A-4856-A7CC-00B33FE71BD8} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{150FA160-130D-451F-B863-B655061432BA} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{17DA0C9E-4A27-4AC5-BB75-5D24B8CDB972} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1C4DA27D-4D52-4465-A089-98E01BB725CA} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{202A961F-23AE-42B1-9505-FFE3C818D717} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2D38A51A-23C9-48A1-A33C-48675AA2B494} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2E246FAE-8420-11D9-870D-000C2917DE7F} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2E9CAFF6-30C7-4208-8807-E79D4EC6F806} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5753791B-F607-48CA-814E-91C14D081F9E} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7070A8F9-08A4-CA47-0AB0-1EB9E4EE1F3B} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{746455FE-D059-47E7-AF0E-140E03F5A447} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{860C2F6B-CA82-4282-9187-BECCBB66F0AF} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87185E78-A61B-4DB3-965A-3235BBD7A622} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DC8F96D-34F7-1501-A2A4-631341AA3AC1} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9C5875B8-93F3-429D-FF34-660B206D897A} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A2595F37-48D0-46A1-9B51-478591A97764} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A6F42CAD-2559-48DF-AF30-89E480AF5DFA} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CF021F40-3E14-23A5-CBA2-717765721306} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1AC752E-883F-4ED8-8828-B618C3A72152} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2B2B5A1-B48C-4886-A318-723916A01024} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2DDF680-9905-4DEE-8C64-0A5DE7FE133C} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E3EEBBE8-9CAB-4C76-B26A-747E25EBB4C6} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E6D5237D-A6C7-4C83-A67F-F9F15586FA62} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7AFFF2A-1B57-49C7-BF6B-E5123394C970} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD9BC004-8331-4457-B830-4759FF704C22} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FE2D25C1-C1DB-4B5E-9390-AF1CB5302F32} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareSheriff_is1 -> Adware.SpywareSheriff : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7A7E6D97-B492-4884-9ABB-C31281DCC4F2} -> Adware.VipSearcher : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} -> Downloader.Delf : Cleaned with backup (quarantined).
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15ACE85C-0BB1-42D1-9E32-07EB0506675A} -> Downloader.Small.nl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{10D46C47-9CC4-4020-9B0D-DBC231C1AA72}\RP1204\A0095547.exe -> Downloader.Tibs.ir : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{10D46C47-9CC4-4020-9B0D-DBC231C1AA72}\RP1201\A0093369.exe -> Downloader.VB.apa : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{10D46C47-9CC4-4020-9B0D-DBC231C1AA72}\RP1204\A0095549.exe -> Downloader.VB.apa : Cleaned with backup (quarantined).
C:\Documents and Settings\Bob's Photo\Cookies\bob's photo@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Bob's Photo\Cookies\bob's photo@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Bob's Photo\Cookies\bob's photo@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Bob's Photo\Cookies\bob's photo@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.15:C:\Documents and Settings\Bob's Photo\Application Data\Mozilla\Profiles\default\of0zc65i.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.16:C:\Documents and Settings\Bob's Photo\Application Data\Mozilla\Profiles\default\of0zc65i.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.17:C:\Documents and Settings\Bob's Photo\Application Data\Mozilla\Profiles\default\of0zc65i.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.18:C:\Documents and Settings\Bob's Photo\Application Data\Mozilla\Profiles\default\of0zc65i.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.11:C:\Documents and Settings\Bob's Photo\Application Data\Mozilla\Profiles\default\of0zc65i.slt\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.12:C:\Documents and Settings\Bob's Photo\Application Data\Mozilla\Profiles\default\of0zc65i.slt\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.13:C:\Documents and Settings\Bob's Photo\Application Data\Mozilla\Profiles\default\of0zc65i.slt\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.14:C:\Documents and Settings\Bob's Photo\Application Data\Mozilla\Profiles\default\of0zc65i.slt\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.19:C:\Documents and Settings\Bob's Photo\Application Data\Mozilla\Profiles\default\of0zc65i.slt\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.25:C:\Documents and Settings\Bob's Photo\Application Data\Mozilla\Profiles\default\of0zc65i.slt\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
HKU\S-1-5-21-1294642078-3233042676-1574323382-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B212D577-05B7-4963-911E-4A8588160DFA} -> Trojan.Delf.nj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msmapi32.exe -> Trojan.VB.atw : Cleaned with backup (quarantined).


::Report end

_____________________________________________________

combofix log:
Bob's Photo - 06-11-06 15:01:37.56 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Bob's Photo\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\vxgamet1.exe


((((((((((((((((((((((((((((((( Files Created from 2006-10-06 to 2006-11-06 ))))))))))))))))))))))))))))))))))


2006-11-01 16:04 30,976 --a------ C:\WINDOWS\system32\ace16win.dll
2006-11-01 15:20 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-25 12:21 29,440 --a------ C:\WINDOWS\system32\VXH8JKDQ6.EXE
2006-10-25 12:21 25,344 --a------ C:\WINDOWS\system32\winmuse.exe
2006-10-25 12:21 25,088 --a------ C:\WINDOWS\system32\VXH8JKDQ2.EXE
2006-10-25 12:21 14,848 --a------ C:\WINDOWS\system32\kernels64.exe
2006-10-25 12:20 8,960 --a------ C:\WINDOWS\mtwirl32.dll
2006-10-25 12:20 17,408 --a------ C:\WINDOWS\avpcc.dll
2006-10-24 09:58 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-23 17:38 31,744 --a------ C:\WINDOWS\system32\perfont.exe
2006-10-23 17:37 28,160 --a------ C:\WINDOWS\wininet32.exe
2006-10-23 17:37 17,408 --a------ C:\WINDOWS\waol.exe
2006-10-23 11:40 8,448 --a------ C:\WINDOWS\system32\win32hp.dll
2006-10-23 11:40 29,952 --a------ C:\WINDOWS\systemcritical.exe
2006-10-23 11:40 29,952 --a------ C:\WINDOWS\cpan.dll
2006-10-23 11:40 28,672 --a------ C:\WINDOWS\winmgnt.exe
2006-10-23 11:40 27,648 --a------ C:\WINDOWS\x.exe
2006-10-23 11:40 26,880 --a------ C:\WINDOWS\win64.exe
2006-10-23 11:40 26,112 --a------ C:\WINDOWS\winajbm.dll
2006-10-23 11:40 26,112 --a------ C:\WINDOWS\inetdctr.dll
2006-10-23 11:40 22,016 --a------ C:\WINDOWS\win32e.exe
2006-10-23 11:40 20,736 --a------ C:\WINDOWS\system32\iewd.exe
2006-10-23 11:40 20,480 --a------ C:\WINDOWS\accesss.exe
2006-10-23 11:40 19,968 --a------ C:\WINDOWS\system32\proqlaim.exe
2006-10-23 11:40 19,456 --a------ C:\WINDOWS\dialup.exe
2006-10-23 11:40 18,176 --a------ C:\WINDOWS\system32\msmsn.exe
2006-10-23 11:40 18,176 --a------ C:\WINDOWS\spp3.dll
2006-10-23 11:40 17,664 --a------ C:\WINDOWS\window.exe
2006-10-23 11:40 16,640 --a------ C:\WINDOWS\time.exe
2006-10-23 11:40 16,384 --a------ C:\WINDOWS\systeem.exe
2006-10-23 11:40 16,384 --a------ C:\WINDOWS\clrssn.exe
2006-10-23 11:40 16,128 --a------ C:\WINDOWS\users32.exe
2006-10-23 11:40 14,336 --a------ C:\WINDOWS\y.exe
2006-10-23 11:40 13,056 --a------ C:\WINDOWS\system32\performent202.dll
2006-10-23 11:40 12,800 --a------ C:\WINDOWS\xplugin.dll
2006-10-23 11:39 13,824 --a------ C:\WINDOWS\system32\intr32.dll
2006-10-10 22:37 479,232 --a------ C:\WINDOWS\system32\PICSDK.dll
2006-10-10 22:37 45,056 --a------ C:\WINDOWS\system32\EpPicPrt.dll
2006-10-10 22:37 45,056 --a------ C:\WINDOWS\system32\EpPicMgr.dll
2006-10-10 22:34 82,944 --a------ C:\WINDOWS\system32\EAL.EXE
2006-10-10 22:34 80,219 --a------ C:\WINDOWS\system32\E_FLM9SA.DLL
2006-10-10 22:34 64,000 --a------ C:\WINDOWS\system32\E_FBCB9SA.DLL
2006-10-10 22:34 34,304 --a------ C:\WINDOWS\system32\E_FBCH9SA.DLL
2006-10-10 22:34 309,760 --a------ C:\WINDOWS\system32\EAL32.DLL


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-06 11:43 -------- d-------- C:\Program Files\HJT
2006-11-01 15:20 -------- d-------- C:\Program Files\Internet Explorer
2006-10-31 14:25 -------- d-------- C:\Documents and Settings\Bob's Photo\Application Data\U3
2006-10-25 11:07 -------- d-------- C:\Program Files\Google
2006-10-24 09:58 -------- d-------- C:\Program Files\Grisoft
2006-10-24 09:37 -------- d-------- C:\Program Files\NoAdware4
2006-10-23 21:38 -------- d-------- C:\Program Files\Enigma Software Group
2006-10-23 18:33 -------- d-------- C:\Program Files\Windows Defender
2006-10-23 13:17 -------- d-------- C:\Documents and Settings\Bob's Photo\Application Data\Lavasoft
2006-10-23 13:16 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-23 13:15 -------- d-------- C:\Documents and Settings\Bob's Photo\Application Data\Google
2006-10-23 13:13 -------- d-------- C:\Program Files\Lavasoft
2006-10-06 17:23 -------- d-------- C:\Documents and Settings\Bob's Photo\Application Data\Leadertech
2006-10-06 17:22 -------- d-------- C:\Program Files\EPSON
2006-10-05 11:23 6276 --a------ C:\WINDOWS\system32\ertfsogd.exe
2006-09-19 13:04 5332 --a------ C:\WINDOWS\system32\qiiksriy.exe
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 12:37 5332 --a------ C:\WINDOWS\system32\snsvidjf.exe
2006-08-26 08:14 7476 --a------ C:\WINDOWS\system32\ijqoceyf.exe
2006-08-25 09:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-17 18:13 0 --a------ C:\WINDOWS\system32\cmmgr32.exe
2006-08-17 18:13 0 --a------ C:\WINDOWS\ORUN32.EXE
2006-08-16 05:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Iomega Active Disk"="C:\\Program Files\\Iomega\\AutoDisk\\AD2KClient.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"MCAgentExe"="C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"
"MCUpdateExe"="C:\\Program Files\\McAfee.com\\Agent\\mcupdate.exe /embedding"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"EPSON Stylus Photo R2400"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9SA.EXE /P24 \"EPSON Stylus Photo R2400\" /O6 \"USB002\" /M \"Stylus Photo R2400\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000000
"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-11-06 15:02:27.64
C:\ComboFix.txt ... 06-11-06 15:02
C:\ComboFix2.txt ... 06-11-01 18:22
____________________________________________________________

blacklight log:

11/06/06 15:20:16 [Info]: BlackLight Engine 1.0.47 initialized
11/06/06 15:20:16 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/06/06 15:20:16 [Note]: 7019 4
11/06/06 15:20:16 [Note]: 7005 0
11/06/06 15:20:18 [Note]: 7006 0
11/06/06 15:20:18 [Note]: 7011 308
11/06/06 15:20:18 [Note]: 7026 0
11/06/06 15:20:19 [Note]: 7026 0
11/06/06 15:20:27 [Note]: FSRAW library version 1.7.1020
11/06/06 15:26:44 [Note]: 2000 1012
11/06/06 15:26:44 [Note]: 2000 1012
11/06/06 15:26:44 [Note]: 2000 1012
11/06/06 15:26:44 [Note]: 2000 1012
11/06/06 15:26:44 [Note]: 2000 1012
11/06/06 15:26:44 [Note]: 2000 1012
11/06/06 15:26:44 [Note]: 2000 1012
11/06/06 16:00:16 [Note]: 7007 0
___________________________________________________________

Hope this is useful. Forgive me if I'm delayed in checking future posts. It looks like the e-mail notifications don't send once the string continues to a second page. I'll check back intermittently.

Unread postby Navigator » November 6th, 2006, 9:22 pm

Good job....the blacklight log doesn't show any rootkit activity which is great.

A lot of those 'bad' files indicated in the ComboFix log are associated with Smitfraud. Now, I know we ran SmitfraudFix earlier (v 2.113), but there was a BIG update to the SmitfraudFix tool on October 29 and my perusal of the added file list leads me to believe that we need to re-download the most current version and run it again.

I would like to use the automated tool, and then we'll remove the files not removed by smitfraudfix and AVG manually.

1. Delete/remove the current smitfraudfix on your computer, then follow these directions again:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
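As an added example (not code from either poster, nor from ComboFix or SmitfraudFix), the following Python reproduces the reasoning in Navigator's two posts above: it parses entries in the format of the ComboFix "Files Created" section, groups them by creation minute to surface the kind of 23 October burst Navigator noticed, and cross-checks the burst files against a SmitfraudFix rapport.txt "FOUND !" list to show which of them a later search still reports. The sample lines are constructed in the formats of the logs quoted in this thread, and the burst threshold (min_files) is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the ComboFix "Files Created" section
# quoted in this thread (a subset of its entries, re-typed here).
COMBOFIX_SAMPLE = r"""
2006-11-01 16:04 30,976 --a------ C:\WINDOWS\system32\ace16win.dll
2006-10-24 09:58 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-23 11:40 29,952 --a------ C:\WINDOWS\systemcritical.exe
2006-10-23 11:40 27,648 --a------ C:\WINDOWS\x.exe
2006-10-23 11:40 14,336 --a------ C:\WINDOWS\y.exe
2006-10-23 11:39 13,824 --a------ C:\WINDOWS\system32\intr32.dll
2006-10-10 22:37 479,232 --a------ C:\WINDOWS\system32\PICSDK.dll
"""

# Constructed sample in the format of a SmitfraudFix rapport.txt
# (option #1, search only) report, as posted later in this thread.
SMITFRAUD_SAMPLE = r"""
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\systemcritical.exe FOUND !
C:\WINDOWS\x.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\winmuse.exe FOUND !
"""

# One ComboFix file entry: "YYYY-MM-DD HH:MM  size  attributes  path".
# Directory rows (size shown as "--------") deliberately do not match.
_COMBOFIX_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+?)\s*$"
)
# One SmitfraudFix hit: "<path> FOUND !"
_SMITFRAUD_LINE = re.compile(r"^(.+?)\s+FOUND !\s*$")


def parse_combofix_created(text):
    """Return a list of (timestamp, size_bytes, attrs, path) tuples."""
    entries = []
    for line in text.splitlines():
        m = _COMBOFIX_LINE.match(line.strip())
        if m:
            stamp, size, attrs, path = m.groups()
            entries.append((stamp, int(size.replace(",", "")), attrs, path))
    return entries


def creation_bursts(entries, min_files=3):
    """Group entries by creation minute and return the busy minutes.

    ComboFix records times to the minute, so many files sharing one stamp
    is a useful signal of a dropper writing its payload in one go.
    Returns [(timestamp, [paths...]), ...] ordered oldest first.
    """
    by_minute = defaultdict(list)
    for stamp, _size, _attrs, path in entries:
        by_minute[stamp].append(path)
    return sorted(
        (stamp, sorted(paths))
        for stamp, paths in by_minute.items()
        if len(paths) >= min_files
    )


def parse_smitfraud_found(text):
    """Return the set of paths flagged 'FOUND !', lower-cased for comparison."""
    found = set()
    for line in text.splitlines():
        m = _SMITFRAUD_LINE.match(line.strip())
        if m:
            found.add(m.group(1).lower())
    return found


def burst_files_still_present(entries, found_paths, min_files=3):
    """Paths created in a burst that a later SmitfraudFix search still reports."""
    still_present = []
    for _stamp, paths in creation_bursts(entries, min_files):
        still_present.extend(p for p in paths if p.lower() in found_paths)
    return still_present


if __name__ == "__main__":
    entries = parse_combofix_created(COMBOFIX_SAMPLE)
    for stamp, paths in creation_bursts(entries):
        print(f"{stamp}: {len(paths)} files created in the same minute")
        for p in paths:
            print("   ", p)
    found = parse_smitfraud_found(SMITFRAUD_SAMPLE)
    print("Burst files still FOUND by SmitfraudFix:",
          burst_files_still_present(entries, found))
```

Paths are compared case-insensitively because Windows paths are, and the two tools do not always print them with the same casing.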

Unread postby hiofisr » November 7th, 2006, 8:48 pm

Your link to smitfraudfix via geekstogo didn't get me anywhere, maybe because you're registered there and I'm not, but I was able to find it after navigating the site. I'm not scolding, just letting you know so you can better help the next guy. It worked out nicely for me; I perused the blog/forums while there and picked up some useful info!

Here's the recent rapport.txt log:
SmitFraudFix v2.119

Scan done at 18:42:48.07, Tue 11/07/2006
Run from C:\Documents and Settings\Bob's Photo\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\accesss.exe FOUND !
C:\WINDOWS\astctl32.ocx FOUND !
C:\WINDOWS\avpcc.dll FOUND !
C:\WINDOWS\clrssn.exe FOUND !
C:\WINDOWS\cpan.dll FOUND !
C:\WINDOWS\dialup.exe FOUND !
C:\WINDOWS\inetdctr.dll FOUND !
C:\WINDOWS\mtwirl32.dll FOUND !
C:\WINDOWS\spp3.dll FOUND !
C:\WINDOWS\systeem.exe FOUND !
C:\WINDOWS\systemcritical.exe FOUND !
C:\WINDOWS\time.exe FOUND !
C:\WINDOWS\users32.exe FOUND !
C:\WINDOWS\waol.exe FOUND !
C:\WINDOWS\win32e.exe FOUND !
C:\WINDOWS\win64.exe FOUND !
C:\WINDOWS\winajbm.dll FOUND !
C:\WINDOWS\window.exe FOUND !
C:\WINDOWS\wininet32.exe FOUND !
C:\WINDOWS\winmgnt.exe FOUND !
C:\WINDOWS\x.exe FOUND !
C:\WINDOWS\xplugin.dll FOUND !
C:\WINDOWS\xxxvideo.hta FOUND !
C:\WINDOWS\y.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ace16win.dll FOUND !
C:\WINDOWS\system32\iewd.exe FOUND !
C:\WINDOWS\system32\kernels64.exe FOUND !
C:\WINDOWS\system32\lfd.dat FOUND !
C:\WINDOWS\system32\msmsn.exe FOUND !
C:\WINDOWS\system32\msvol.tlb FOUND !
C:\WINDOWS\system32\ncompat.tlb FOUND !
C:\WINDOWS\system32\oiso.bin FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\pcf.pdf FOUND !
C:\WINDOWS\system32\perfont.exe FOUND !
C:\WINDOWS\system32\performent202.dll FOUND !
C:\WINDOWS\system32\proqlaim.exe FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\vxh8jkdq?.exe FOUND !
C:\WINDOWS\system32\win32hp.dll FOUND !
C:\WINDOWS\system32\winmuse.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bob's Photo


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bob's Photo\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BOB'SP~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
hiofisr
Active Member
 
Posts: 14
Joined: October 24th, 2006, 2:54 pm

Unread postby Navigator » November 7th, 2006, 8:56 pm

Hey hiofisr....

While I'm registered there at G2G (I trained there also...it's a great site too), the link I provided does not require registration to access; not sure why you couldn't download it from there. I've used the same 'canned speech' helping hundreds with that link...but never mind, I'm glad you got it to work!

1. You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

2. Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


3. Post back with the C:\rapport.txt results and the Panda Scan results....we may have some more file deletions to do after I compare the C:\rapport.txt results to the latest ComboFix log
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby hiofisr » November 21st, 2006, 10:01 pm

I'm still here, sorry for the delayed response. Thanks for bearing with me! Smit and activescan logs below.


SmitFraudFix v2.119

Scan done at 18:42:48.07, Tue 11/07/2006
Run from C:\Documents and Settings\Bob's Photo\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\accesss.exe FOUND !
C:\WINDOWS\astctl32.ocx FOUND !
C:\WINDOWS\avpcc.dll FOUND !
C:\WINDOWS\clrssn.exe FOUND !
C:\WINDOWS\cpan.dll FOUND !
C:\WINDOWS\dialup.exe FOUND !
C:\WINDOWS\inetdctr.dll FOUND !
C:\WINDOWS\mtwirl32.dll FOUND !
C:\WINDOWS\spp3.dll FOUND !
C:\WINDOWS\systeem.exe FOUND !
C:\WINDOWS\systemcritical.exe FOUND !
C:\WINDOWS\time.exe FOUND !
C:\WINDOWS\users32.exe FOUND !
C:\WINDOWS\waol.exe FOUND !
C:\WINDOWS\win32e.exe FOUND !
C:\WINDOWS\win64.exe FOUND !
C:\WINDOWS\winajbm.dll FOUND !
C:\WINDOWS\window.exe FOUND !
C:\WINDOWS\wininet32.exe FOUND !
C:\WINDOWS\winmgnt.exe FOUND !
C:\WINDOWS\x.exe FOUND !
C:\WINDOWS\xplugin.dll FOUND !
C:\WINDOWS\xxxvideo.hta FOUND !
C:\WINDOWS\y.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ace16win.dll FOUND !
C:\WINDOWS\system32\iewd.exe FOUND !
C:\WINDOWS\system32\kernels64.exe FOUND !
C:\WINDOWS\system32\lfd.dat FOUND !
C:\WINDOWS\system32\msmsn.exe FOUND !
C:\WINDOWS\system32\msvol.tlb FOUND !
C:\WINDOWS\system32\ncompat.tlb FOUND !
C:\WINDOWS\system32\oiso.bin FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\pcf.pdf FOUND !
C:\WINDOWS\system32\perfont.exe FOUND !
C:\WINDOWS\system32\performent202.dll FOUND !
C:\WINDOWS\system32\proqlaim.exe FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\vxh8jkdq?.exe FOUND !
C:\WINDOWS\system32\win32hp.dll FOUND !
C:\WINDOWS\system32\winmuse.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bob's Photo


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bob's Photo\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BOB'SP~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



____________________________________________________________

Incident Status Location

Adware:adware/netword Not disinfected Windows Registry
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Bob's Photo\Application Data\Mozilla\Profiles\default\of0zc65i.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Bob's Photo\Cookies\bob's photo@counter.hitslink[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Bob's Photo\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\Program Files\AGFA\FilmOnCD\Pskill.exe
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\Program Files\Common Files\Wise Installation Wizard\WISBC370C6129D248669D0DCBED789DA398_2_1_0.MSI[unk_0032][Pskill.exe]
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\intr32.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
hiofisr
Active Member
 
Posts: 14
Joined: October 24th, 2006, 2:54 pm

Unread postby Navigator » November 21st, 2006, 10:15 pm

Hello hiofisr...welcome back.

Did you do the smitfraudfix option 2 - clean instructions in my previous post? That smitfraudfix log you posted was the same log you posted before (the option 1) log...the date-time stamp is identical.

If you did the option 2 part, I need you to go to this file on your computer: C:\rapport.txt

Copy and paste the contents of that file here so that I can see what was cleaned...

If you did not do the smitfraudfix option 2 part of my last set of instructions to you, let me know....In the two weeks you've been gone, smitfraudfix has been updated 4 times...the current version of the fix is ver 2.123, so we will delete/redownload the program before running option 2.

Hope this makes sense....
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri
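The check Navigator does by hand above (is the re-posted rapport.txt the same scan, and which FOUND entries disappeared after the clean?) can be automated against the log format shown in this thread. This is an added example, not code from the thread or from S!Ri's SmitfraudFix; the two sample logs are constructed here from the posted format.

```python
"""Parse SmitFraudFix rapport.txt logs and compare an old and a new one.

Added example; the sample logs below are constructed, not the full posts.
"""
import re

SCAN_RE = re.compile(r"^Scan done at (\S+), (.+)$")
FOUND_RE = re.compile(r"^(.+?) FOUND !$")


def parse_rapport(text):
    """Return version, scan timestamp, run mode and the set of FOUND paths."""
    info = {"version": None, "scan": None, "mode": None, "found": set()}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SmitFraudFix v"):
            info["version"] = line[len("SmitFraudFix v"):]
        elif (m := SCAN_RE.match(line)):
            info["scan"] = f"{m.group(1)} {m.group(2)}"   # time + date
        elif line.startswith("Fix run in "):
            info["mode"] = line[len("Fix run in "):]
        elif (m := FOUND_RE.match(line)):
            info["found"].add(m.group(1))
    return info


def compare_logs(old_text, new_text):
    """Flag a re-posted log (same timestamp) and list what was cleaned."""
    old, new = parse_rapport(old_text), parse_rapport(new_text)
    return {
        "same_timestamp": old["scan"] == new["scan"],
        "removed": sorted(old["found"] - new["found"]),
        "still_present": sorted(old["found"] & new["found"]),
        "new_version": new["version"],
    }


# Constructed option-1 (Search) log, trimmed to a few of the posted entries.
OPTION1_LOG = r"""SmitFraudFix v2.119

Scan done at 18:42:48.07, Tue 11/07/2006
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\accesss.exe FOUND !
C:\WINDOWS\xxxvideo.hta FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\kernels64.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# Constructed option-2 (Clean) log with no FOUND lines, as in the later post.
CLEAN_LOG = r"""SmitFraudFix v2.123

Scan done at 20:22:28.82, Tue 11/21/2006
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End
"""
```

Running `compare_logs(OPTION1_LOG, OPTION1_LOG)` reproduces the "identical date-time stamp" situation; comparing against `CLEAN_LOG` lists the three paths that are no longer reported.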

Unread postby hiofisr » November 21st, 2006, 10:33 pm

Not sure what I did, here's one from just now, on the latest version:

SmitFraudFix v2.123

Scan done at 20:22:28.82, Tue 11/21/2006
Run from C:\Documents and Settings\Bob's Photo\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
hiofisr
Active Member
 
Posts: 14
Joined: October 24th, 2006, 2:54 pm

Unread postby Navigator » November 21st, 2006, 10:47 pm

Well, that smitfraudfix log is clean....great! How is your system running now? The Panda Scan didn't show much either....

1. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

2. Please delete these files using Windows Explorer (if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed files, then right-click to select them and click delete:


C:\WINDOWS\system32\intr32.dll


3. Post back with a new HJT log and let me know if your computer is having any problems...
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby hiofisr » November 24th, 2006, 3:00 pm

The system is running great after all your help, except that I can't make the Windows firewall turn on. I'm still looking into that via the Microsoft Knowledge Base. It appears there are some files missing that can be reinstalled.
I will be away from that computer for a while now, so I will continue acting out your instructions when I get back. Thank you for now.
hiofisr
Active Member
 
Posts: 14
Joined: October 24th, 2006, 2:54 pm

Unread postby Navigator » November 24th, 2006, 3:30 pm

You are welcome....!

Remember, as Whisperer told you earlier, the Windows firewall is very limited even when functional. Security experts recommend a software firewall be installed for full incoming and outgoing protection.

Follow Whisperer's earlier advice and links regarding obtaining a software firewall would be my recommendation!
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri