Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Winsoftware, Winantivuruspro2007, Zlob Dns Changer, More


  • This topic is locked This topic is locked
14 replies to this topic

#1 bleepedindeed

bleepedindeed

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 16 October 2007 - 06:54 PM

google being hijacked. Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:05 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\alg.exe

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:53 AM

Posted 17 October 2007 - 04:07 AM

Hello bleepedindeed,

Welcome to Bleeping Computer :thumbsup:

Please post a complete HijackThis log. The other one was cut off.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 bleepedindeed

bleepedindeed
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 17 October 2007 - 05:12 PM

Try 2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:05 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\downloads\hijackthis\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BBDE963-9B5C-412D-9F0B-060F84AF9AD9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A7A1B49-8EED-4E8A-BBC0-E482BE72804F}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{79C95AC9-211A-4CC1-BC4F-7924D8AA5BD9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA0B39BD-8FCF-48FF-8BCE-C426ACB1DBE8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{0BBDE963-9B5C-412D-9F0B-060F84AF9AD9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 7873 bytes

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:53 AM

Posted 17 October 2007 - 06:36 PM

Hello,

Thanks for that. :thumbsup:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 bleepedindeed

bleepedindeed
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 18 October 2007 - 04:56 PM

Here it is:

SmitFraudFix v2.240

Scan done at 17:54:35.85, Thu 10/18/2007
Run from C:\downloads\smithfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Doug


C:\Documents and Settings\Doug\Application Data


Start Menu


C:\DOCUME~1\Doug\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sockspy.dll"


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdvnc.exe"

kdvnc.exe detected !


Rustock



DNS

Description: NVIDIA nForce MCP Networking Adapter - Packet Scheduler Miniport
DNS Server Search Order: 208.67.220.220
DNS Server Search Order: 208.67.222.222

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0BBDE963-9B5C-412D-9F0B-060F84AF9AD9}: DhcpNameServer=167.206.251.13 167.206.251.14 167.206.251.77
HKLM\SYSTEM\CCS\Services\Tcpip\..\{0BBDE963-9B5C-412D-9F0B-060F84AF9AD9}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{4A7A1B49-8EED-4E8A-BBC0-E482BE72804F}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{4A7A1B49-8EED-4E8A-BBC0-E482BE72804F}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{79C95AC9-211A-4CC1-BC4F-7924D8AA5BD9}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{79C95AC9-211A-4CC1-BC4F-7924D8AA5BD9}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FA0B39BD-8FCF-48FF-8BCE-C426ACB1DBE8}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FA0B39BD-8FCF-48FF-8BCE-C426ACB1DBE8}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0BBDE963-9B5C-412D-9F0B-060F84AF9AD9}: DhcpNameServer=167.206.251.13 167.206.251.14 167.206.251.77
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0BBDE963-9B5C-412D-9F0B-060F84AF9AD9}: DhcpNameServer=167.206.251.13 167.206.251.14 167.206.251.77
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0BBDE963-9B5C-412D-9F0B-060F84AF9AD9}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4A7A1B49-8EED-4E8A-BBC0-E482BE72804F}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4A7A1B49-8EED-4E8A-BBC0-E482BE72804F}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{79C95AC9-211A-4CC1-BC4F-7924D8AA5BD9}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{79C95AC9-211A-4CC1-BC4F-7924D8AA5BD9}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FA0B39BD-8FCF-48FF-8BCE-C426ACB1DBE8}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FA0B39BD-8FCF-48FF-8BCE-C426ACB1DBE8}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=167.206.251.13 167.206.251.14 167.206.251.77
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=167.206.251.13 167.206.251.14 167.206.251.77
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=167.206.251.13 167.206.251.14 167.206.251.77
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222


Scanning for wininet.dll infection


End

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:53 AM

Posted 18 October 2007 - 05:01 PM

Hello,

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background. So only run it once!


Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 bleepedindeed

bleepedindeed
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 19 October 2007 - 01:10 AM

okay hijack first:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:22 AM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\downloads\hijackthis\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BBDE963-9B5C-412D-9F0B-060F84AF9AD9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A7A1B49-8EED-4E8A-BBC0-E482BE72804F}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{79C95AC9-211A-4CC1-BC4F-7924D8AA5BD9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA0B39BD-8FCF-48FF-8BCE-C426ACB1DBE8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{0BBDE963-9B5C-412D-9F0B-060F84AF9AD9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8074 bytes

Then:
SmitFraudFix v2.240

Scan done at 1:53:21.48, Fri 10/19/2007
Run from C:\downloads\smithfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0BBDE963-9B5C-412D-9F0B-060F84AF9AD9}: DhcpNameServer=167.206.251.13 167.206.251.14 167.206.251.77
HKLM\SYSTEM\CCS\Services\Tcpip\..\{0BBDE963-9B5C-412D-9F0B-060F84AF9AD9}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{4A7A1B49-8EED-4E8A-BBC0-E482BE72804F}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{4A7A1B49-8EED-4E8A-BBC0-E482BE72804F}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{79C95AC9-211A-4CC1-BC4F-7924D8AA5BD9}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{79C95AC9-211A-4CC1-BC4F-7924D8AA5BD9}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FA0B39BD-8FCF-48FF-8BCE-C426ACB1DBE8}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FA0B39BD-8FCF-48FF-8BCE-C426ACB1DBE8}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0BBDE963-9B5C-412D-9F0B-060F84AF9AD9}: DhcpNameServer=167.206.251.13 167.206.251.14 167.206.251.77
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0BBDE963-9B5C-412D-9F0B-060F84AF9AD9}: DhcpNameServer=167.206.251.13 167.206.251.14 167.206.251.77
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0BBDE963-9B5C-412D-9F0B-060F84AF9AD9}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4A7A1B49-8EED-4E8A-BBC0-E482BE72804F}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4A7A1B49-8EED-4E8A-BBC0-E482BE72804F}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{79C95AC9-211A-4CC1-BC4F-7924D8AA5BD9}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{79C95AC9-211A-4CC1-BC4F-7924D8AA5BD9}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FA0B39BD-8FCF-48FF-8BCE-C426ACB1DBE8}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FA0B39BD-8FCF-48FF-8BCE-C426ACB1DBE8}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=167.206.251.13 167.206.251.14 167.206.251.77
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=167.206.251.13 167.206.251.14 167.206.251.77
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=167.206.251.13 167.206.251.14 167.206.251.77
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdvnc.exe"

Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


Reboot

C:\WINDOWS\system32\kdvnc.exe Deleted

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


End

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:53 AM

Posted 19 October 2007 - 01:12 PM

Hello,

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BBDE963-9B5C-412D-9F0B-060F84AF9AD9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A7A1B49-8EED-4E8A-BBC0-E482BE72804F}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{79C95AC9-211A-4CC1-BC4F-7924D8AA5BD9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA0B39BD-8FCF-48FF-8BCE-C426ACB1DBE8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{0BBDE963-9B5C-412D-9F0B-060F84AF9AD9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

In your reply, please post a new HijackThis log and let me know how it's running now. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 bleepedindeed

bleepedindeed
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 20 October 2007 - 02:09 AM

IE works again! Here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:27 AM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\downloads\hijackthis\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 7133 bytes

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:53 AM

Posted 20 October 2007 - 02:25 PM

Hello,

Outstanding!! :thumbsup: That log looks good too. Could you please run a full scan with Bit Defender now and let me know what it finds, if anything?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 bleepedindeed

bleepedindeed
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 21 October 2007 - 01:47 PM

trojan generic 5341 & trojan generic 25703. Both still there

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:53 AM

Posted 21 October 2007 - 03:47 PM

Can I see the report please? I need to see the path and location. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 bleepedindeed

bleepedindeed
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 23 October 2007 - 08:14 PM

Ran again today. Here it is:

//-----------------------------------------------------------------
//
// Product BitDefender Free Edition v10
// Product 10.2
//
// Created on: 23/10/2007 20:31:55
//
//-----------------------------------------------------------------


Virus Statistics

Scan path : C:\
D:\
Folders : 3710
Files : 131591
Memory processes scanned : 42
Archives : 1788
Runtime packers : 5564
Identified viruses : 5
Infected files : 12
Memory processes infected : 0
Suspect files : 0
Warnings : 0
Disinfected files : 0
Deleted files : 6
Moved files : 0
I/O errors : 27
Scan time : 00:40:34
Scan speed (files/sec) : 54

Spyware Statistics

Registry keys scanned : 1612
Registry keys infected : 0
Cookies scanned : 29
Cookies infected : 0
Spyware files infected : 0
Spyware threats detected : 0


Virus definitions : 934873
Scan plugins : 16
Archive plugins : 41
Unpack plugins : 7
Mail plugins : 6
System plugins : 5

Virus scan options

Detection
[X] Scan boot sectors
[X] Memory Processes
[X] Scan archives
[X] Scan runtime packers
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Move to quarantine
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[X] Move to quarantine
[ ] Prompt user

Virus scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\full_scan\1193185915.log

Spyware scan options

[X] Scan for riskware
[ ] Skip dial and applications from scan
[X] Registry keys
[X] Cookies


Summary:

C:\10.tmp=>(NSIS o)=>lzma_solid_nsis0001 Detected: Adware.ISM.B
C:\10.tmp=>(NSIS o)=>lzma_solid_nsis0001 Deleted
C:\10.tmp=>(NSIS o) Archive repacking has failed (marked actions not taken)
C:\10.tmp=>(NSIS o)=>lzma_solid_nsis0002 Detected: Adware.ISM.B
C:\10.tmp=>(NSIS o)=>lzma_solid_nsis0002 Deleted
C:\10.tmp=>(NSIS o) Archive repacking has failed (marked actions not taken)
C:\19.tmp=>(NSIS o)=>lzma_solid_nsis0001 Detected: Adware.ISM.B
C:\19.tmp=>(NSIS o)=>lzma_solid_nsis0001 Deleted
C:\19.tmp=>(NSIS o) Archive repacking has failed (marked actions not taken)
C:\19.tmp=>(NSIS o)=>lzma_solid_nsis0002 Detected: Adware.ISM.B
C:\19.tmp=>(NSIS o)=>lzma_solid_nsis0002 Deleted
C:\19.tmp=>(NSIS o) Archive repacking has failed (marked actions not taken)
C:\qoobox\Quarantine\C\2.tmp.vir=>(NSIS o)=>zlib_nsis0001 Detected: Adware.Purityscan.BH
C:\qoobox\Quarantine\C\2.tmp.vir=>(NSIS o)=>zlib_nsis0001 Disinfection failed
C:\qoobox\Quarantine\C\2.tmp.vir=>(NSIS o)=>zlib_nsis0001 Move failed
C:\qoobox\Quarantine\C\6.tmp.vir=>(NSIS o)=>zlib_nsis0001 Detected: Adware.Purityscan.BH
C:\qoobox\Quarantine\C\6.tmp.vir=>(NSIS o)=>zlib_nsis0001 Disinfection failed
C:\qoobox\Quarantine\C\6.tmp.vir=>(NSIS o)=>zlib_nsis0001 Move failed
C:\qoobox\Quarantine\C\D.tmp.vir=>(NSIS o)=>zlib_nsis0001 Detected: Adware.Purityscan.BH
C:\qoobox\Quarantine\C\D.tmp.vir=>(NSIS o)=>zlib_nsis0001 Disinfection failed
C:\qoobox\Quarantine\C\D.tmp.vir=>(NSIS o)=>zlib_nsis0001 Move failed
C:\qoobox\Quarantine\C\WINDOWS\system32\chks2\MSI17bb.exe.vir=>(NSIS o)=>lzma_solid_nsis0001 Detected: Adware.ISM.B
C:\qoobox\Quarantine\C\WINDOWS\system32\chks2\MSI17bb.exe.vir=>(NSIS o)=>lzma_solid_nsis0001 Deleted
C:\qoobox\Quarantine\C\WINDOWS\system32\chks2\MSI17bb.exe.vir=>(NSIS o) Archive repacking has failed (marked actions not taken)
C:\qoobox\Quarantine\C\WINDOWS\system32\chks2\MSI17bb.exe.vir=>(NSIS o)=>lzma_solid_nsis0002 Detected: Adware.ISM.B
C:\qoobox\Quarantine\C\WINDOWS\system32\chks2\MSI17bb.exe.vir=>(NSIS o)=>lzma_solid_nsis0002 Deleted
C:\qoobox\Quarantine\C\WINDOWS\system32\chks2\MSI17bb.exe.vir=>(NSIS o) Archive repacking has failed (marked actions not taken)
C:\qoobox\Quarantine\C\WINDOWS\system32\DLL2\MMEMDT83122.exe.vir=>(NSIS o)=>zlib_nsis0001 Detected: Adware.TTC
C:\qoobox\Quarantine\C\WINDOWS\system32\DLL2\MMEMDT83122.exe.vir=>(NSIS o)=>zlib_nsis0001 Disinfection failed
C:\qoobox\Quarantine\C\WINDOWS\system32\DLL2\MMEMDT83122.exe.vir=>(NSIS o)=>zlib_nsis0001 Move failed
C:\qoobox\Quarantine\C\WINDOWS\system32\DLL2\MMEMDT83122.exe.vir=>(NSIS o)=>zlib_nsis0003 Detected: Adware.TTC.B
C:\qoobox\Quarantine\C\WINDOWS\system32\DLL2\MMEMDT83122.exe.vir=>(NSIS o)=>zlib_nsis0003 Disinfection failed
C:\qoobox\Quarantine\C\WINDOWS\system32\DLL2\MMEMDT83122.exe.vir=>(NSIS o)=>zlib_nsis0003 Move failed
D:\storage\forms\movies\maledom\dvicodec4158.exe=>(NSIS o)=>bzip2_nsis0000 Infected: Trojan.DNSCHanger.QP
D:\storage\forms\movies\maledom\dvicodec4158.exe=>(NSIS o)=>bzip2_nsis0000 Disinfection failed
D:\storage\forms\movies\maledom\dvicodec4158.exe=>(NSIS o)=>bzip2_nsis0000 Move failed

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:53 AM

Posted 24 October 2007 - 01:01 PM

trojan generic 5341 & trojan generic 25703. Both still there

Where? :thumbsup: There was nothing of the sort in the scan report. Looks like you got a bad codec though and need to delete it manually : dvicodec4158.exe found at : D:\storage\forms\movies\maledom\dvicodec4158.exe

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:53 AM

Posted 05 November 2007 - 03:58 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users