Hijacked

Post by vrtcheech » September 10th, 2007, 10:32 am

Logfile of HijackThis v1.99.1
Scan saved at 9:07:33 AM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {47B83D78-F986-4E96-9769-2C55EF14DA0B} - C:\WINDOWS\system32\__c00854BC.dat
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm005YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.15-3.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00C4A26.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

Getting tons of IE windows.
vrtcheech
Active Member
 
Posts: 4
Joined: September 10th, 2007, 10:15 am

Post by Simon V. » September 10th, 2007, 11:16 am

    Hello, and welcome to the forum.

    My name is Simon V., and I'll be glad to help you with your computer problems.

    HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happens.
    I am currently looking over your log. As I am a trainee, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long. I will post back shortly with a potential fix.

    Please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

hello?

Post by vrtcheech » September 11th, 2007, 10:12 am

Does no more posts mean I have no problems?
vrtcheech
Active Member
 
Posts: 4
Joined: September 10th, 2007, 10:15 am

Post by Simon V. » September 11th, 2007, 10:39 am

No, it means my post is being checked by an Admin. I will have a reply for you shortly.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Post by Simon V. » September 11th, 2007, 1:22 pm

    Hi :)

    ATF Cleaner

  • Please download ATF Cleaner.

    Double-click on ATF-Cleaner.exe to start the program.
    Under the Main tab, put a check next to 'Select All'.
    Click the 'Empty Selected' button. (Note: if you select cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck 'Cookies')

    If you use the Firefox browser:
    Click on Firefox at the top and put a check next to 'Select All'.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the 'Empty Selected' button. (Note: if you select cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck 'Cookies').

    If you use the Opera browser:
    Click on Opera at the top and put a check next to 'Select All'.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the 'Empty Selected' button. (Note: if you select cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck 'Cookies')

    ComboFix
  • Please download Combofix from one of the links below:

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
  • Double-click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Save it to a convenient location.
    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Run Kaspersky Online Scan
  • Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available otherwise Standard)
      • Scan Options:
        Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
        Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Report Back
  • Please post the reports from Combofix and the Kaspersky Online Scan, along with a new HijackThis log in your next reply.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Here ya go

Post by vrtcheech » September 12th, 2007, 11:11 am

ComboFix 07-09-10.6 - "adminski" 2007-09-12 8:21:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.79 [GMT -5:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\adminski\Desktop\internet.lnk
C:\drsmartload.exe
C:\WINDOWS\system32\__c00854BC.dat
C:\WINDOWS\system32\__c00C4A26.dat
C:\WINDOWS\system32\muvdjo.dll


((((((((((((((((((((((((( Files Created from 2007-08-12 to 2007-09-12 )))))))))))))))))))))))))))))))
.

2007-09-12 08:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-10 15:44 <DIR> d-------- C:\Program Files\BYOND
2007-09-07 10:42 <DIR> d-------- C:\Program Files\Windows Defender
2007-09-02 02:37 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-15 20:53 <DIR> d-------- C:\DOCUME~1\adminski\APPLIC~1\WinRAR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-10 12:51 --------- d-------- C:\Program Files\Common Files\Real
2007-09-10 12:49 --------- d-------- C:\Program Files\Compedia
2007-09-07 14:40 --------- d-------- C:\DOCUME~1\adminski\APPLIC~1\LimeWire
2007-09-06 05:09 801144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-06 05:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 05:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 05:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 05:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 05:00 95608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-06 05:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-15 10:22 --------- d-------- C:\DOCUME~1\adminski\APPLIC~1\BYOND
2007-08-11 21:50 --------- d-------- C:\Program Files\Doras Carnival Adventure
2007-08-11 21:50 --------- d-------- C:\Program Files\BFG
2007-08-10 17:45 --------- d-------- C:\DOCUME~1\adminski\APPLIC~1\Apple Computer
2007-08-08 16:07 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-08-05 00:59 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-05 00:58 --------- d-------- C:\Program Files\QuickTime
2007-08-05 00:56 --------- d-------- C:\Program Files\Apple Software Update
2007-08-05 00:55 --------- d-------- C:\Program Files\Common Files\Apple
2007-08-05 00:54 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-04 22:09 --------- d-------- C:\DOCUME~1\adminski\APPLIC~1\Move Networks
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-26 21:50 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-26 21:49 --------- d-------- C:\DOCUME~1\adminski\APPLIC~1\InterTrust
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-16 21:00 774144 --a------ C:\Program Files\RngInterstitial.dll
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\__c00C4A26.dat

R3 rtl8029;Realtek RTL8029(AS)-based PCI Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\RTL8029.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-09-12 07:32:43 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-12 08:26:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-12 8:29:16 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-12 08:28
.
--- E O F ---


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, September 12, 2007 10:03:27 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 12/09/2007
Kaspersky Anti-Virus database records: 412652
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 30462
Number of viruses found: 21
Number of infected objects: 58
Number of suspicious objects: 0
Duration of the scan process: 00:47:36

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\adminski\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\adminski\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\adminski\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\adminski\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{90244FD0-2B0D-4216-BBB3-1C1298D2389C} Object is locked skipped
C:\Documents and Settings\adminski\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\adminski\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\adminski\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\adminski\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-09072007-104336.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\muvdjo.dll.vir Infected: Trojan-Downloader.Win32.Agent.czz skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\__c00854BC.dat.vir Infected: Trojan.Win32.BHO.df skipped
C:\qoobox\Quarantine\catchme2007-09-12_ 82627.59.zip/__c00C4A26.dat Infected: Trojan.Win32.BHO.df skipped
C:\qoobox\Quarantine\catchme2007-09-12_ 82627.59.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP25\A0012362.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP30\A0014453.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP30\A0014455.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP30\A0014466.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP6\A0003421.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP67\A0021245.dll Infected: Trojan-Downloader.Win32.Zlob.cgw skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP67\A0021246.exe Infected: Trojan-Downloader.Win32.Zlob.chk skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP67\A0021247.exe Infected: Trojan-Downloader.Win32.Zlob.cgw skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP70\A0021274.dll Infected: Trojan-Downloader.Win32.Zlob.cgw skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP70\A0021275.exe Infected: Trojan-Downloader.Win32.Zlob.chk skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP70\A0021276.exe Infected: Trojan-Downloader.Win32.Zlob.cgw skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021401.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021409.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021411.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021412.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021413.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021414.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021415.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021416.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021417.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021418.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021419.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021420.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021421.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021422.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021424.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021425.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021427.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021429.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021430.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021431.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021432.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021433.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021434.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021435.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021447.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021449.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021453.dll Infected: Trojan-Downloader.Win32.Zlob.cgw skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021454.exe Infected: Trojan-Downloader.Win32.Zlob.chk skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021455.exe Infected: Trojan-Downloader.Win32.Zlob.cgw skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021458.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021462.dll Infected: Trojan-Downloader.Win32.Zlob.cgw skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021463.exe Infected: Trojan-Downloader.Win32.Zlob.chk skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP71\A0021464.exe Infected: Trojan-Downloader.Win32.Zlob.cgw skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP74\A0021470.exe Infected: not-a-virus:FraudTool.Win32.VirusProtectPro.g skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP74\A0021475.exe Infected: Trojan-Downloader.Win32.Zlob.chk skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP74\A0021476.exe Infected: Trojan-Downloader.Win32.Zlob.chk skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP74\A0021478.exe Infected: Trojan-Downloader.Win32.Zlob.cgw skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP74\A0021479.exe Infected: Trojan-Downloader.Win32.Zlob.cgw skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP74\A0021486.dll Infected: Trojan-Downloader.Win32.Zlob.cgw skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP74\A0021625.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.cgn skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP74\A0021625.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP77\A0022667.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP80\A0022857.dll Infected: Trojan-Downloader.Win32.Agent.czz skipped
C:\System Volume Information\_restore{E77670F5-CB2F-4DB8-9B0E-72AAF2139BC6}\RP80\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{E86AA122-3B3A-4AE7-877E-E59D985BFBDB}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_514.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



Logfile of HijackThis v1.99.1
Scan saved at 10:06:16 AM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00C4A26.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
vrtcheech
Active Member
 
Posts: 4
Joined: September 10th, 2007, 10:15 am
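The two HijackThis logs in this thread (the one in the opening post and the one above, taken after the first ComboFix pass) show the triage a helper does by eye: an unnamed O2 BHO and the O20 AppInit_DLLs entry both point at .dat files in system32, and the O20 entry is still there after cleanup. The Python script below is an added example, not part of this thread and not HijackThis or ComboFix code. It parses the O-lines of the log format shown above, applies the heuristics those entries illustrate, and diffs a before/after pair. BEFORE_LOG and AFTER_LOG are constructed subsets of the two logs posted in this thread; the severity labels and the rules (any populated AppInit_DLLs value, an unnamed BHO hosted in a non-DLL file, Trusted Zone additions, and the 1.99.1 "(file missing)" quirk) are this example's assumptions, not HijackThis rules.

```python
"""Triage two HijackThis v1.99.1 logs: parse the O-lines, flag entries worth a
closer look, and diff a before/after pair from the same machine."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed subsets of the two logs posted in this thread, before and after
# the first ComboFix pass. Header lines are kept to show they are skipped.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:07:33 AM, on 9/10/2007

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {47B83D78-F986-4E96-9769-2C55EF14DA0B} - C:\WINDOWS\system32\__c00854BC.dat
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00C4A26.dat
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:06:16 AM, on 9/12/2007
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00C4A26.dat
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")  # "O<n> - <body>" hook/autostart lines
COM_EXTS = (".dll", ".ocx")                 # files an in-process COM server (BHO) normally lives in
SEVERITY = {"info": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Entry:
    kind: str   # section code: "O2" (BHO), "O15" (Trusted Zone), "O20" (AppInit_DLLs), ...
    body: str   # everything after "O<n> - "


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the O-lines; the header and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def triage(entry: Entry) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for an entry worth a human's attention, else None.
    These heuristics are this example's assumptions, drawn from the entries in
    this thread; they are a first pass for a reviewer, not a verdict."""
    body = entry.body
    if entry.kind == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:  # Windows loads this into every process that maps user32.dll
            return ("high", f"AppInit_DLLs loads {value} into every GUI process")
    if entry.kind == "O2" and body.startswith("BHO:"):
        parts = body.rsplit(" - ", 1)  # "... - {CLSID} - <path>" -> [name+CLSID, path]
        if len(parts) == 2 and "(no name)" in parts[0] \
                and not parts[1].lower().endswith(COM_EXTS):
            return ("high", f"unnamed BHO loaded from a non-DLL file: {parts[1]}")
    if entry.kind == "O15" and body.startswith("Trusted Zone:"):
        site = body.split(":", 1)[1].strip()
        return ("medium", f"{site} is in the IE Trusted Zone; confirm the user added it")
    if entry.kind == "O23" and "(file missing)" in body:
        # HijackThis 1.99.1 reports quoted service paths this way even when the
        # binary exists (the avast entries in this thread are an instance).
        return ("info", "service path reported as missing; check that the binary exists")
    return None


def flagged(entries: List[Entry], min_severity: str = "medium") -> List[Tuple[Entry, str, str]]:
    """Entries whose triage severity is at least min_severity, in log order."""
    out = []
    for e in entries:
        verdict = triage(e)
        if verdict and SEVERITY[verdict[0]] >= SEVERITY[min_severity]:
            out.append((e, verdict[0], verdict[1]))
    return out


def diff_logs(before: List[Entry], after: List[Entry]) -> Dict[str, List[Entry]]:
    """What a cleanup step removed, what appeared, and which flagged entries survived it."""
    b, a = set(before), set(after)
    key = lambda e: (e.kind, e.body)
    return {
        "removed": sorted(b - a, key=key),
        "added": sorted(a - b, key=key),
        "persisting": [e for e, _, _ in flagged(after) if e in b],
    }


if __name__ == "__main__":
    before, after = parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG)
    for e, sev, why in flagged(before, "info"):
        print(f"[{sev:6}] {e.kind}: {why}")
    d = diff_logs(before, after)
    print(f"\n{len(d['removed'])} entries gone, {len(d['added'])} new, "
          f"{len(d['persisting'])} flagged entries still present:")
    for e in d["persisting"]:
        print(f"  {e.kind} - {e.body}")
```

Run stand-alone it lists the flagged entries from the first log and then reports that four entries disappeared after the ComboFix pass while the O20 AppInit_DLLs entry survived it; the surviving entry is the one a second pass has to address, and a cleared value (`AppInit_DLLs:` with nothing after it) is deliberately not flagged.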

Post by Simon V. » September 13th, 2007, 1:20 am

    Hi :) I'm sorry for the delay in replying.

    P2P Warning

  • I understand that downloading music and other files may be important to you; however, the P2P programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the internet, so your computer becomes a part of the malware problem.

    Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via P2P filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

    Here is some information that looks at the rates of infection:

    http://www.benedelman.org/spyware/p2p/

    With that being said, I recommend that you remove the following P2P program(s):

    Limewire

    SmitfraudFix
  • Please download SmitfraudFix (By S!ri).
    • Double-click on SmitfraudFix.exe. A screen will pop up. Select Option 1 (Search) by typing 1 and hit enter. A text file will appear, which will list the infected files. Save it to a convenient location.
    • The log will also be saved here: C:\rapport.txt
    • Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    Combofix
  • Open Notepad, and copy/paste the text in the quotebox below into it:

    Code:
    File::

    C:\WINDOWS\system32\__c00C4A26.dat
    C:\WINDOWS\drsmartload.dat

    Registry::

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=""
    [-HKEY_CURRENT_USER\Software\Microsoft\drsmartload]

  • Save this as "CFScript".

    Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • It will create a log. Save it to a convenient location.

    Make an Uninstall List
  • To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.
    5. Click on the Save list... button and save the file to a convenient location. When you press Save, Notepad will open with the contents of that file. Please post the Uninstall List, along with the reports from Combofix and SmitfraudFix, and a new HijackThis log in your next reply.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
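An added triage check, not code from this thread or from HijackThis/ComboFix: it reads a few O2/O20/O23 lines copied from the logs posted above and flags the AppInit_DLLs loader and the unnamed BHO pointing at a `.dat` in system32, which is what the CFScript above removes. The heuristics and severity labels are my own assumptions, not HijackThis's.

```python
"""Triage HijackThis log entries for the AppInit_DLLs / unnamed-BHO pattern in this thread."""
import ntpath
import re
from typing import Dict, List, Optional

# Extensions a legitimate in-process loader (BHO, AppInit DLL) normally has (assumption).
LOADER_EXTS = {".dll", ".ocx"}

# Sample lines taken from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {47B83D78-F986-4E96-9769-2C55EF14DA0B} - C:\WINDOWS\system32\__c00854BC.dat
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00C4A26.dat
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Split an 'Oxx - ...' line into its section, detail text and target path."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    kind, detail = m.group(1), m.group(2)
    if kind == "O20":                      # 'AppInit_DLLs: <path>'
        path = detail.split(":", 1)[1].strip()
    elif kind == "O4":                     # '[name] <command line>'
        path = detail.split("] ", 1)[1].strip() if "] " in detail else ""
    else:                                  # 'BHO: name - {clsid} - <path>' / 'Service: ... - <path>'
        path = detail.rsplit(" - ", 1)[-1].strip()
    return {"kind": kind, "detail": detail, "path": path}


def image_path(path: str) -> str:
    """Strip quoting and trailing arguments, e.g. '"C:\\x\\a.exe" -hide' -> 'C:\\x\\a.exe'."""
    if path.startswith('"'):
        return path[1:].split('"', 1)[0]
    # HijackThis emits an unbalanced closing quote before service arguments; cut there.
    return path.split('"', 1)[0].strip()


def assess(entry: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding dict for a suspicious entry, or None for an unremarkable one."""
    kind, detail = entry["kind"], entry["detail"]
    path = image_path(entry["path"])
    ext = ntpath.splitext(path)[1].lower()
    reason, severity = None, "high"
    if kind == "O20" and path:
        # AppInit_DLLs is loaded into every process that maps user32.dll; on a clean
        # XP box the value is empty, and a .dat there is a renamed DLL.
        reason = "AppInit_DLLs set to %s" % path
        severity = "high" if ext not in LOADER_EXTS else "review"
    elif kind == "O2" and (detail.startswith("BHO: (no name)") or ext not in LOADER_EXTS):
        reason = "unnamed or non-DLL browser helper object: %s" % path
    elif kind == "O4" and ext != ".exe":
        reason = "Run key launching a non-executable: %s" % path
    elif kind == "O23" and "(file missing)" in detail:
        reason = "orphaned service entry (binary missing): %s" % path
        severity = "low"
    if reason is None:
        return None
    return {"kind": kind, "severity": severity, "reason": reason, "line": "%s - %s" % (kind, detail)}


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run every line of a HijackThis log through assess() and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry:
            finding = assess(entry)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("[%s] %s: %s" % (f["severity"].upper(), f["kind"], f["reason"]))
```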

Unread postby vrtcheech » September 14th, 2007, 11:49 am

ComboFix 07-09-10.6 - "adminski" 2007-09-13 9:25:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.75 [GMT -5:00]
* Created a new restore point

FILE::
C:\WINDOWS\system32\__c00C4A26.dat
C:\WINDOWS\drsmartload.dat
.

((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 )))))))))))))))))))))))))))))))
.

2007-09-13 09:19 642 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-13 09:18 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-13 09:18 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-13 09:18 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-13 09:18 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-12 14:46 <DIR> d-------- C:\Program Files\BYOND
2007-09-12 08:36 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-12 08:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-12 08:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-07 10:42 <DIR> d-------- C:\Program Files\Windows Defender
2007-09-02 02:37 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-15 20:53 <DIR> d-------- C:\DOCUME~1\adminski\APPLIC~1\WinRAR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-10 12:51 --------- d-------- C:\Program Files\Common Files\Real
2007-09-10 12:49 --------- d-------- C:\Program Files\Compedia
2007-09-07 14:40 --------- d-------- C:\DOCUME~1\adminski\APPLIC~1\LimeWire
2007-09-06 05:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 05:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 05:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 05:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 05:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-15 10:22 --------- d-------- C:\DOCUME~1\adminski\APPLIC~1\BYOND
2007-08-11 21:50 --------- d-------- C:\Program Files\Doras Carnival Adventure
2007-08-11 21:50 --------- d-------- C:\Program Files\BFG
2007-08-10 17:45 --------- d-------- C:\DOCUME~1\adminski\APPLIC~1\Apple Computer
2007-08-08 16:07 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-08-05 00:59 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-05 00:58 --------- d-------- C:\Program Files\QuickTime
2007-08-05 00:56 --------- d-------- C:\Program Files\Apple Software Update
2007-08-05 00:55 --------- d-------- C:\Program Files\Common Files\Apple
2007-08-05 00:54 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-04 22:09 --------- d-------- C:\DOCUME~1\adminski\APPLIC~1\Move Networks
2007-07-26 21:50 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-26 21:49 --------- d-------- C:\DOCUME~1\adminski\APPLIC~1\InterTrust
2007-06-16 21:00 774144 --a------ C:\Program Files\RngInterstitial.dll
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
.

((((((((((((((((((((((((((((( snapshot_2007-09-12_ 82807.29 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 213,048 2005-05-24 16:27:16 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
----a-w 94,208 2007-09-07 16:29:00 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
----a-w 946,176 2007-09-07 16:29:00 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
----atw 16,384 2007-09-13 14:11:27 C:\WINDOWS\Temp\Perflib_Perfdata_4b0.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]

R3 rtl8029;Realtek RTL8029(AS)-based PCI Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\RTL8029.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-09-13 14:14:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-13 13:23:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-13 13:25:16
C:\ComboFix-quarantined-files.txt ... 2007-09-13 13:24
C:\ComboFix2.txt ... 2007-09-12 08:29
.
--- E O F ---

SmitFraudFix v2.223

Scan done at 13:23:34.25, 2007-09-13
Run from C:\Documents and Settings\adminski\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

Description: Realtek RTL8029(AS)-based Ethernet Adapter (Generic) - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7CC436FE-8972-44FD-9D28-922C0286E82B}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7CC436FE-8972-44FD-9D28-922C0286E82B}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7CC436FE-8972-44FD-9D28-922C0286E82B}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

Description: Realtek RTL8029(AS)-based Ethernet Adapter (Generic) - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7CC436FE-8972-44FD-9D28-922C0286E82B}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7CC436FE-8972-44FD-9D28-922C0286E82B}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7CC436FE-8972-44FD-9D28-922C0286E82B}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

SmitFraudFix v2.223

Scan done at 9:19:21.73, Thu 09/13/2007
Run from C:\Documents and Settings\adminski\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\adminski


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\adminski\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\adminski\FAVORI~1

C:\DOCUME~1\adminski\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\__c00C4A26.dat"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8029(AS)-based Ethernet Adapter (Generic) - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7CC436FE-8972-44FD-9D28-922C0286E82B}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7CC436FE-8972-44FD-9D28-922C0286E82B}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7CC436FE-8972-44FD-9D28-922C0286E82B}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of HijackThis v1.99.1
Scan saved at 10:37:06 AM, on 9/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

Sorry, I didn't get a chance at the uninstall list, but if I must I will, although I have no unidentified installs.
vrtcheech
Active Member
 
Posts: 4
Joined: September 10th, 2007, 10:15 am

Unread postby Simon V. » September 14th, 2007, 1:06 pm

    Hi :)

  • Please follow my instructions as I post them, and post the Uninstall List in your next reply, along with all other logs requested.

    ATF Cleaner
  • Please download ATF Cleaner.

    Double-click on ATF-Cleaner.exe to start the program.
    Under the Main tab, put a check next to 'Select All'.
    Click the 'Empty Selected' button. (Note: if you select cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck 'Cookies')

    If you use the Firefox browser:
    Click on Firefox at the top and put a check next to 'Select All'.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the 'Empty Selected' button. (Note: if you select cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck 'Cookies').

    If you use the Opera browser:
    Click on Opera at the top and put a check next to 'Select All'.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the 'Empty Selected' button. (Note: if you select cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck 'Cookies')

    AVG Anti-Spyware
  • Please download and install AVG Anti-Spyware.

    After the installation, open AVG Anti-Spyware and do the following:
    • Under 'Status', click on Change state, next to 'Resident shield' (this will change from Active to Inactive)
    • Under the 'Update' tab, click on 'Start update'.
    • Under 'Scanner', click on the 'Settings' tab:
      • Under 'How to act?', click on 'Recommended actions', and select Quarantine.
      • Under 'Reports', select 'Do not automatically generate reports'.
    Close AVG Anti-Spyware. Do not let it scan yet.

    Safe Mode
  • Print these instructions or copy them to Notepad and save it to your desktop, as you won't be able to access the internet in Safe Mode.
  • Please reboot into Safe Mode. To do this, go to Start>Turn off Computer, and select Restart. Rapidly tap F8 just before Windows starts to load. In the menu that appears, select Safe Mode (Without Networking).

    SmitfraudFix
  • Double-click on SmitfraudFix.exe.
    • A screen will pop up. Select Option 2 (Clean) by typing 2 and hit Enter.
    • You will be prompted: 'Registry Cleaning - Do you want to clean the registry?' Answer Yes by typing Y and press Enter in order to clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file; answer Yes by typing Y and hit Enter.
    • The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart Windows into Normal Mode.
    • A text file will appear onscreen, with results from the cleaning process; please copy the content of that report and paste it in your next reply. The report can also be found at C:\rapport.txt.
  • Warning: running option #2 on a non-infected computer will remove your desktop background.

    AVG Anti-Spyware
  • Please open AVG Anti-Spyware.
    • Click on the 'Scan' tab.
    • Click on 'Complete System Scan' to start the scan process.
    • After the scan, do the following:
        Important: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not, click on the link and select 'Quarantine' from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
      • When done, click the 'Save Report' (4) button, and save the file to your Desktop.
    Image.
  • Restart your computer in Normal Mode.

    Report Back
  • Please post the reports from AVG Anti-Spyware, Smitfraudfix and the Uninstall List, along with a new HijackThis log in your next reply.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Unread postby Simon V. » September 19th, 2007, 7:28 am

Are you still with me? If any of my instructions are unclear to you, please say so.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Unread postby Rogue » September 22nd, 2007, 11:24 am

This topic is now closed due to inactivity. If you wish it to be reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link:
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Rogue
MRU Teacher Emeritus
 
Posts: 4782
Joined: November 3rd, 2005, 3:21 pm
Location: Salt Lake City, Utah