
Smitfraud Infection? Spyware?


6 replies to this topic

#1 melissagordon


Posted 05 February 2008 - 12:51 PM

I hope I am doing this right. I have a PC running Windows XP and yesterday morning I started to receive multiple pop-ups from the toolbar stating spyware has been found on my computer, click here to fix, or something like download the latest antispyware and run FULL SYSTEM SCAN to remove viruses. I knew these messages weren't legit so I ran a scan with Norton and Norton didn't find anything, so I tried using PC-Cillin. PC-Cillin found a few things but after I fixed and rebooted the same problems were occurring. So, I downloaded Spybot Search and Destroy and it found several things and I fixed them, but when I rebooted and logged back in I had the same problems. So I downloaded HijackThis and below is the log file. I also tried to run updates from Microsoft and McAfee Stinger but whatever is on my computer is keeping me from going to those sites.

Also, my desktop has changed to a completely blue background with "Warning: Spyware threat has been detected on PC" "Your computer has several fatal errors due to spyware activity"

Can anyone help me get rid of this thing that is on my PC?

Thank you so much for your help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:36 AM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SysAid\IliAS.exe
C:\WINDOWS\system32\rxjddnvj.exe
C:\WINDOWS\system32\bisumak.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\HPZipm12.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rxjddnvj.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...l?noreloadredir
O16 - DPF: {0839F0A1-4D68-472A-BBB8-08FA530581CF} (GEMSInstaller 8.0 object) - http://parissrvr2/paradigm/Install/MBCINSTaller80.dll
O16 - DPF: {15D73F88-277E-42EC-BE97-C64E1C6A18D9} - http://parissrvr/paradigm/Install/CPOPM04C...OPM04Client.cab
O16 - DPF: {1C085232-4C7B-432D-8C19-66F728090661} - http://parissrvr/paradigm/Install/CPOPM04G...ldClientSP4.cab
O16 - DPF: {32D5CED5-16D3-44C9-82FB-E4FE9A586A37} - http://parissrvr2/paradigm/Install/MBCTHIN06/MBCThin06.cab
O16 - DPF: {49575356-0C7B-4D8C-9511-9E487F03C8B4} - http://parissrvr/paradigm/Install/CPOPM04G...ldClientSP1.cab
O16 - DPF: {8FA55EAE-D88A-4954-88AF-AE35C965BEA0} - http://parissrvr2/paradigm/Install/CPS_200...2006_Client.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://www.americangreetings.6184511.com/ultrashim.cab
O16 - DPF: {BFF67C9E-E313-49BF-A131-165BB968E095} - http://parissrvr/paradigm/Install/MBCThin04/MBCThin04.cab
O16 - DPF: {C9374BEE-BEF2-4D32-8DF3-CD6E8E6DAEBE} - http://parissrvr2/paradigm/Install/Express...pressBill06.cab
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - https://telerad.parisrmc.com/plugins/jre/1_..._1_4_silent.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D651C664-D66B-4D7C-85A6-2796DAA923AD} - http://parissrvr2/paradigm/Install/FSAvail...SAvaility80.cab
O16 - DPF: {E2866480-BB37-4492-B313-CAA3E22128EA} - http://parissrvr2/paradigm/Install/CPS_200...2006_Client.cab
O16 - DPF: {E5855096-43F4-47CF-8723-BAFC1759AFDC} - http://parissrvr/paradigm/Install/CPOPM04G...ldClient710.cab
O16 - DPF: {F839F0A1-4D68-472A-BBB8-08FA530581CF} (GEMSInstaller 7.0 object) - http://parissrvr/paradigm/Install/MBCINSTaller70.dll
O16 - DPF: {FB7D5792-3308-45B2-9FEB-D04917D440EC} - http://parissrvr/paradigm/Install/ExpressB...pressBill04.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = POC.local
O17 - HKLM\Software\..\Telephony: DomainName = POC.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{E95F6876-9CDF-4007-9C0C-6D53022B8AA7}: NameServer = 10.3.25.212,66.76.2.130
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = POC.local
O21 - SSODL: Bifikey - {60773A8A-096D-4BDE-A510-BA78FA0009D4} - C:\WINDOWS\system32\madarlog.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SysAid Agent (SysAidAgent) - Ilient Ltd. - C:\Program Files\SysAid\IliAS.exe
O23 - Service: System Event Dispatcher - Unknown owner - C:\WINDOWS\system32\bisumak.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
--
End of file - 10163 bytes
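As an added example (not a tool from this thread), the script below triages a HijackThis 2.0 log for the entry classes that stand out in the log above: the extra executable appended to UserInit (F2), the SSODL DLL in system32 (O21), unknown-owner services running from system32 (O23), the unattributed Winsock LSP (O10) and orphaned BHO registrations (O2). The sample lines are copied from the log; the regexes follow HijackThis's line layout, and every hit is a lead for the analyst, not a verdict.

```python
"""Triage a HijackThis 2.0 log for the entry classes that mark this thread's infection.

Added example, not a tool from the thread. The sample lines are copied from the
first log posted above; the section regexes follow HijackThis's own line layout.
Hits are leads for an analyst to verify, not verdicts: Ati2evxx.exe below is a
legitimate ATI component that surfaces only because its service has no owner string.
"""
import re
from collections import Counter

# Constructed excerpt of the first HijackThis log in the thread (verbatim lines).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rxjddnvj.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O21 - SSODL: Bifikey - {60773A8A-096D-4BDE-A510-BA78FA0009D4} - C:\WINDOWS\system32\madarlog.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: System Event Dispatcher - Unknown owner - C:\WINDOWS\system32\bisumak.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
"""

GUID = r"\{[0-9A-Fa-f-]+\}"
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.I)
BHO_RE = re.compile(rf"^O2 - BHO: (.*?) - ({GUID}) - (.*)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (\S+)$")
SSODL_RE = re.compile(rf"^O21 - SSODL: (.*?) - ({GUID}) - (.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")

SYSTEM32 = "c:\\windows\\system32\\"


def in_system32(path):
    """True when the image lives directly under %WINDIR%\\system32 (case-insensitive)."""
    return path.strip().lower().startswith(SYSTEM32)


def triage(log_text):
    """Return (section, reason, value) tuples for entries worth an analyst's attention."""
    findings = []
    lsp_layers = Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = USERINIT_RE.match(line)
        if m:
            # UserInit is a comma-separated list; every entry after userinit.exe
            # is launched at each interactive logon, which is how rxjddnvj.exe persists.
            entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
            for e in entries:
                if not e.lower().endswith("\\userinit.exe"):
                    findings.append(("F2", "extra UserInit executable", e))
            continue
        m = BHO_RE.match(line)
        if m:
            if m.group(3).strip() == "(no file)":
                # Registration left behind after a removal; harmless but worth cleaning.
                findings.append(("O2", "orphaned BHO registration", m.group(2)))
            continue
        m = LSP_RE.match(line)
        if m:
            lsp_layers[m.group(1)] += 1   # one line per Winsock layer the DLL is chained into
            continue
        m = SSODL_RE.match(line)
        if m:
            # ShellServiceObjectDelayLoad DLLs are loaded by Explorer at every start.
            findings.append(("O21", "SSODL shell extension", m.group(3)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _name, owner, path = (g.strip() for g in m.groups())
            if owner.lower() == "unknown owner" and in_system32(path):
                findings.append(("O23", "unknown-owner service in system32", path))
    for dll, layers in lsp_layers.items():
        findings.append(("O10", f"unknown Winsock LSP ({layers} layers)", dll))
    return findings


if __name__ == "__main__":
    for section, reason, value in triage(SAMPLE_LOG):
        print(f"{section:<4} {reason:<40} {value}")
```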


#2 rookie147


Posted 05 February 2008 - 03:30 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
From your log it appears that you are missing one important program: an antivirus. This is somewhat suicidal in today's digital world. Without one you are at high risk of reinfection; while I can try to sort your problem out, if you have no protection, the infections will keep resurfacing.
Here are some great free antivirus programs:
Antivir, Avast!, AVG, Bitdefender Free
Install one of these, then run a full scan, letting it quarantine/delete anything it finds. Let me know if there is anything that it reports but cannot remove.

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Download SmitfraudFix (by S!Ri)
Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop.

Reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning: running option #2 on a non-infected computer will remove your Desktop background.

Please include rapport.txt, along with a new HijackThis log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 melissagordon


Posted 05 February 2008 - 05:39 PM

Here is the new HijackThis report



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:27, on 2008-02-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SysAid\IliAS.exe
C:\WINDOWS\system32\bisumak.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rxjddnvj.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O10 - Unknown file in Winsock LSP: rsvp322.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...l?noreloadredir
O16 - DPF: {0839F0A1-4D68-472A-BBB8-08FA530581CF} (GEMSInstaller 8.0 object) - http://parissrvr2/paradigm/Install/MBCINSTaller80.dll
O16 - DPF: {15D73F88-277E-42EC-BE97-C64E1C6A18D9} - http://parissrvr/paradigm/Install/CPOPM04C...OPM04Client.cab
O16 - DPF: {1C085232-4C7B-432D-8C19-66F728090661} - http://parissrvr/paradigm/Install/CPOPM04G...ldClientSP4.cab
O16 - DPF: {32D5CED5-16D3-44C9-82FB-E4FE9A586A37} - http://parissrvr2/paradigm/Install/MBCTHIN06/MBCThin06.cab
O16 - DPF: {49575356-0C7B-4D8C-9511-9E487F03C8B4} - http://parissrvr/paradigm/Install/CPOPM04G...ldClientSP1.cab
O16 - DPF: {8FA55EAE-D88A-4954-88AF-AE35C965BEA0} - http://parissrvr2/paradigm/Install/CPS_200...2006_Client.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://www.americangreetings.6184511.com/ultrashim.cab
O16 - DPF: {BFF67C9E-E313-49BF-A131-165BB968E095} - http://parissrvr/paradigm/Install/MBCThin04/MBCThin04.cab
O16 - DPF: {C9374BEE-BEF2-4D32-8DF3-CD6E8E6DAEBE} - http://parissrvr2/paradigm/Install/Express...pressBill06.cab
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - https://telerad.parisrmc.com/plugins/jre/1_..._1_4_silent.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D651C664-D66B-4D7C-85A6-2796DAA923AD} - http://parissrvr2/paradigm/Install/FSAvail...SAvaility80.cab
O16 - DPF: {E2866480-BB37-4492-B313-CAA3E22128EA} - http://parissrvr2/paradigm/Install/CPS_200...2006_Client.cab
O16 - DPF: {E5855096-43F4-47CF-8723-BAFC1759AFDC} - http://parissrvr/paradigm/Install/CPOPM04G...ldClient710.cab
O16 - DPF: {F839F0A1-4D68-472A-BBB8-08FA530581CF} (GEMSInstaller 7.0 object) - http://parissrvr/paradigm/Install/MBCINSTaller70.dll
O16 - DPF: {FB7D5792-3308-45B2-9FEB-D04917D440EC} - http://parissrvr/paradigm/Install/ExpressB...pressBill04.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = POC.local
O17 - HKLM\Software\..\Telephony: DomainName = POC.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{E95F6876-9CDF-4007-9C0C-6D53022B8AA7}: NameServer = 10.3.25.212,66.76.2.130
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = POC.local
O21 - SSODL: Bifikey - {60773A8A-096D-4BDE-A510-BA78FA0009D4} - C:\WINDOWS\system32\madarlog.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SysAid Agent (SysAidAgent) - Ilient Ltd. - C:\Program Files\SysAid\IliAS.exe
O23 - Service: System Event Dispatcher - Unknown owner - C:\WINDOWS\system32\bisumak.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 11140 bytes

#4 melissagordon


Posted 05 February 2008 - 05:43 PM

The rapport.txt is attached

and below are the results of the virus scan that I ran via BitDefender.

<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="C:\Program Files\BitDefender\BitDefender 2008\Lang\log_format.xsl"?>
<ScanSession creator="BitDefender Antivirus 2008" version="BitDefender UIScanner v.11" creationDate="16:10:23 05/02/2008" originalPath="C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\full_scan\1202249423_1_02.xml">
<ScanOptions
showWarnings="1" >
<ScanPaths>
<path id="0000">C:\</path>
</ScanPaths>
<ScanObjects
scanViruses="1"
scanAddware="1"
scanSpyware="1"
scanApplications="1"
scanDialers="1"
scanRootkits="1"
/>
<TargetSelection
heuristicScan="1"
scanArchives="0"
scanRegistryKeys="1"
scanRegistry="1"
scanCookies="1"
memoryProcesses="1"
scanBootSectors="1"
scanEmail="1"
scanAllFiles="1"
scanPackedFiles="1"
scanSubfolders="0"
includeExtensions=""
/>
<TargetProcessing
infectedAction="3"
suspiciousAction="1"
hiddenAction="1"
/>
</ScanOptions>
<EngineSummary
archivePlugins="41"
mailPlugins="6"
scanPlugins="12"
totalSignatures="979129"
systemPlugins="4"
unpackPlugins="7"
/>
<ScanSummary
scannedItems="180865"
infectedItems="6"
suspiciousItems="0"
resolvedItems="5"
scannedArchives="15"
bootSectorCount="3"
scannedDirectories="9377"
inputOutputErrors="28"
virusesNumber="6"
scanTime="00:00:47:06"
filesPerSecond="63"
>
<FileSummary
scanned="180437"
archives="15"
packed="2611"
infected="6"
suspicious="0"
resolved="5"
deleted="6"
moved="0"
copied="0"
/>
<RegistryKeySummary
scanned="379"
infected="0"
suspicious="0"
/>
<CookieSummary
scanned="0"
infected="0"
suspicious="0"
/>
<ProcessSummary
scanned="49"
infected="0"
suspicious="0"
/>
<MailSummary
scanned="0"
infected="0"
suspicious="0"
/>
</ScanSummary>
<ScanDetails>
<AffectedItem itemType ="File" path="C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IVQ34BCD\laix[1].exe" threatType="virus" threatName="Dropped:Trojan.Pandex.AA" action="delete" finalStatus= "clean" error= "deleted"/>
<AffectedItem itemType ="File" path="C:\WINDOWS\SYSTEM32\socksys.dll" threatType="virus" threatName="Trojan.Adclicker.GY" action="disinfect" finalStatus= "clean" error= "deleted"/>
<AffectedItem itemType ="File" path="C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\08510C88.tmp=](Quarantine-2)" threatType="virus" threatName="Trojan.Downloader.Bai.DAM" action="disinfect" finalStatus= "clean" error= "deleted"/>
<AffectedItem itemType ="File" path="C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1157\A0117058.exe" threatType="virus" threatName="Trojan.Pandex.AA" action="delete" finalStatus= "clean" error= "deleted"/>
<AffectedItem itemType ="File" path="[System]=]C:\WINDOWS\system32\rxjddnvj.exe (disk)" threatType="virus" threatName="Trojan.VB.NMF" action="disinfect" finalStatus= "infected" error= "no action possible"/>
<AffectedItem itemType ="File" path="C:\WINDOWS\SYSTEM32\rxjddnvj.exe" threatType="virus" threatName="Trojan.VB.NMF" action="delete" finalStatus= "clean" error= "deleted"/>
</ScanDetails>
</ScanSession>
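As an added example (not BitDefender's tooling or anything posted in the thread), the script below parses a BitDefender 2008 ScanSession report like the one above and separates what the scanner fully remediated from what it could not act on. It reproduces the report's six AffectedItem records in a trimmed copy, cross-checks the summary counters against them, and picks out the one record the scanner left "infected" with "no action possible"; reading the "[System]=]" path prefix as the instance found by the running-process scan is an assumption, not documented format.

```python
"""Parse a BitDefender 2008 scan report (the XML posted above) and separate items the
scanner fully remediated from those it could not act on.

Added example, not BitDefender tooling. SAMPLE_REPORT is a constructed, trimmed copy of
the report above (stylesheet instruction and unused option blocks dropped, all six
AffectedItem records kept). The "[System]=]" path prefix is read here as the instance
found by the running-process scan; that reading is an assumption, not documented format.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = r"""<?xml version="1.0" encoding="utf-8"?>
<ScanSession creator="BitDefender Antivirus 2008" version="BitDefender UIScanner v.11" creationDate="16:10:23 05/02/2008">
<ScanSummary scannedItems="180865" infectedItems="6" suspiciousItems="0" resolvedItems="5" inputOutputErrors="28" scanTime="00:00:47:06">
<FileSummary scanned="180437" infected="6" suspicious="0" resolved="5" deleted="6" moved="0" copied="0" />
<ProcessSummary scanned="49" infected="0" suspicious="0" />
</ScanSummary>
<ScanDetails>
<AffectedItem itemType ="File" path="C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IVQ34BCD\laix[1].exe" threatType="virus" threatName="Dropped:Trojan.Pandex.AA" action="delete" finalStatus= "clean" error= "deleted"/>
<AffectedItem itemType ="File" path="C:\WINDOWS\SYSTEM32\socksys.dll" threatType="virus" threatName="Trojan.Adclicker.GY" action="disinfect" finalStatus= "clean" error= "deleted"/>
<AffectedItem itemType ="File" path="C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\08510C88.tmp=](Quarantine-2)" threatType="virus" threatName="Trojan.Downloader.Bai.DAM" action="disinfect" finalStatus= "clean" error= "deleted"/>
<AffectedItem itemType ="File" path="C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1157\A0117058.exe" threatType="virus" threatName="Trojan.Pandex.AA" action="delete" finalStatus= "clean" error= "deleted"/>
<AffectedItem itemType ="File" path="[System]=]C:\WINDOWS\system32\rxjddnvj.exe (disk)" threatType="virus" threatName="Trojan.VB.NMF" action="disinfect" finalStatus= "infected" error= "no action possible"/>
<AffectedItem itemType ="File" path="C:\WINDOWS\SYSTEM32\rxjddnvj.exe" threatType="virus" threatName="Trojan.VB.NMF" action="delete" finalStatus= "clean" error= "deleted"/>
</ScanDetails>
</ScanSession>
"""


def parse_report(xml_bytes):
    """Return (summary_attributes, [item dicts]) from a ScanSession document."""
    root = ET.fromstring(xml_bytes)
    summary = dict(root.find("ScanSummary").attrib)
    items = []
    for el in root.iter("AffectedItem"):
        a = el.attrib
        path = a.get("path", "")
        items.append({
            "path": path,
            "threat": a.get("threatName", ""),
            "action": a.get("action", ""),
            "status": a.get("finalStatus", "").strip(),
            "error": a.get("error", "").strip(),
            # Assumption: "[System]=]" marks the copy seen in a running process.
            "in_memory": path.startswith("[System]"),
        })
    return summary, items


def unresolved(items):
    """Items whose final status is anything other than clean still need manual follow-up."""
    return [i for i in items if i["status"].lower() != "clean"]


def counters_consistent(summary, items):
    """Cross-check the summary counters against the detail records."""
    resolved = len(items) - len(unresolved(items))
    return (int(summary["infectedItems"]) == len(items)
            and int(summary["resolvedItems"]) == resolved)


if __name__ == "__main__":
    summary, items = parse_report(SAMPLE_REPORT.encode("utf-8"))
    print(f"{len(items)} detections, counters consistent: {counters_consistent(summary, items)}")
    for i in unresolved(items):
        where = "in memory" if i["in_memory"] else "on disk"
        print(f"UNRESOLVED {i['threat']} ({where}): {i['path']} -> {i['error']}")
```

The single unresolved record is the running copy of rxjddnvj.exe, the same file the HijackThis log shows chained into UserInit; the on-disk file was deleted but the live process could not be touched, which is the kind of result that motivates cleaning from Safe Mode as the reply above instructs.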




#5 rookie147


Posted 06 February 2008 - 05:20 PM

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply.
Thanks,
Charles



#6 melissagordon


Posted 07 February 2008 - 02:54 PM

I ran the HijackThis log again and used that tool to fix files that I knew were not legit. I also slipped into the registry and got rid of a couple of files that I knew were not supposed to be there.

This has seemed to fix the problem.

Thank you for all your help.

#7 rookie147


Posted 08 February 2008 - 04:37 PM

I don't recommend fixing things yourself with HijackThis, but if you'd like to post the logs I'll take a look at them to make sure you are clean. With malware nowadays, the infected items often bring lots of "friends" along with them which can infect you again in the future without your knowledge.





