Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I'm Infected Need Help A.s.a.p. Please


  • This topic is locked This topic is locked
3 replies to this topic

#1 bongripper

bongripper

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redlands, California
  • Local time:07:03 PM

Posted 17 November 2007 - 06:47 PM

Here is my hijackthis log. Please refer to this post: http://www.bleepingcomputer.com/forums/t/117017/im-infected-need-help-asap-please/

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:00 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SR\SRLogon.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Sr\SrLogon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Steam\Steam.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\SR\agentsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\SR\AgentFrm.exe
C:\Program Files\Sr\Compnts\Vr\pavsrv51.exe
C:\Program Files\Sr\Compnts\Vr\AVENGINE.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Program Files\HiJack This\HiJackThis.exe

O2 - BHO: MSVPS System - {6A78E352-B1FA-4C18-9C48-96DD03979770} - C:\WINDOWS\popnetmtq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: The jokwmp - {6BA27973-068D-4F85-BE84-1251E0B20FD3} - C:\WINDOWS\jokwmp.dll
O4 - HKLM\..\Run: [MbWzdFPAP-EXL540] E:\PdtGuide.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Anti-CyberCrime Agent] C:\Program Files\SR\SRLogon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Sr Agent] "C:\Program Files\Sr\SrLogon.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by129fd.bay129.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://152.1.131.130/activex/AMC.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://141.225.28.41/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://64.21.226.243/activex/AMC.cab
O21 - SSODL: rmvgor - {CB8A3D4E-1327-4DF3-8B1A-7F7CBD9EAE84} - C:\WINDOWS\rmvgor.dll
O21 - SSODL: sapnet - {3D0AD611-09AA-4BC9-A265-0E4DFC22AFA8} - C:\WINDOWS\sapnet.dll
O23 - Service: Secure Resolutions Agent (AgentService) - Secure Resolutions, Inc - C:\Program Files\SR\agentsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda anti-virus service - Panda Software - C:\WINDOWS\system32\Drivers\pavsrv51.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Sr\Compnts\Vr\pavsrv51.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://t1.images.live.com/images/thumbnail...4b9b32d40456fd6
O24 - Desktop Component 1: (no name) - http://t3.images.live.com/images/thumbnail...bad90625a872ee0
O24 - Desktop Component 2: (no name) - http://t4.images.live.com/images/thumbnail...a69acb62b53f134
O24 - Desktop Component 3: (no name) - http://t3.images.live.com/images/thumbnail...eba0aff8d1b83e2
O24 - Desktop Component 4: (no name) - http://t3.images.live.com/images/thumbnail...9202047c19d5333
O24 - Desktop Component 5: (no name) - http://t3.images.live.com/images/thumbnail...c05e3f8ee2c9025
O24 - Desktop Component 6: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 5836 bytes

Edited by bongripper, 17 November 2007 - 07:42 PM.


BC AdBot (Login to Remove)

 


#2 bongripper

bongripper
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redlands, California
  • Local time:07:03 PM

Posted 17 November 2007 - 08:04 PM

Here also are the results of my Panda Active Scan Test:


Incident Status Location

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@247realmedia[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adserver.easyad[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adserver.filefront[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Owner\Cookies\owner@azjmp[1].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bfast[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Cookies\owner@c5.zedo[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Owner\Cookies\owner@clickbank[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Owner\Cookies\owner@counter.hitslink[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Owner\Cookies\owner@did-it[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ehg-dig.hitbox[2].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Owner\Cookies\owner@enhance[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Cookies\owner@go[1].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@hc2.humanclick[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Owner\Cookies\owner@i.screensavers[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Owner\Cookies\owner@klik.klikadvertising[1].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Owner\Cookies\owner@landing.domainsponsor[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Owner\Cookies\owner@maxserving[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Owner\Cookies\owner@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Owner\Cookies\owner@revenue[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Owner\Cookies\owner@searchportal.information[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt
Spyware:Cookie/Smartadserver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@smartadserver[1].txt
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Owner\Cookies\owner@spylog[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tradedoubler[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner\Cookies\owner@xiti[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Owner\Desktop\SmitfraudFix\restart.exe
Virus:Bck/Ciadoor.FQ Disinfected C:\Documents and Settings\Owner\Desktop\Turbo Crack 1.0\Tbot0527\Show\Trainshow.bat
Virus:Bck/Ciadoor.FQ Not disinfected C:\Documents and Settings\Owner\Desktop\Turbo Crack 1.0\Tbot0527.rar[Tbot0527\Show\Trainshow.bat]
Virus:Bck/Ciadoor.FQ Not disinfected C:\Documents and Settings\Owner\Desktop\TurboCrack1.0.rar[Turbo Crack 1.0\Tbot0522.rar][Tbot0522\Show\Trainshow.bat]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@247realmedia[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adrevolver[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@casalemedia[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@fastclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@hg1.hitbox[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@realmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@server.iad.liveperson[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@statcounter[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@toplist[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@zedo[2].txt
Virus:Trj/Agent.GPP Not disinfected C:\Documents and Settings\Owner\My Documents\HoH_Hook.rar[hack.exe]
Virus:Bck/Ciadoor.FQ Not disinfected C:\Program Files\Silkroad\Turbo Crack 1.0\Tbot0522.rar[Tbot0522\Show\Trainshow.bat]

#3 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:03 PM

Posted 25 November 2007 - 11:53 PM

Hello bongripper,

NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again!

Please download SmitfraudFix

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:03 PM

Posted 18 December 2007 - 12:44 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users