
Smitfraud-c



#1 PaRaSiTiC

Posted 03 May 2008 - 12:41 AM

Before you read my log, I should explain a few things. I've stumbled upon this forum after trying several other solutions. When I figured out that I had Smitfraud-C, I searched and searched till I found out that I needed to get rid of a file called "privacy_danger". I used Unlocker to delete the file, and then re-ran Spybot to get rid of the Smitfraud-C. I thought my problems were solved, but I still get the pop-ups that tell me to update my anti-spyware software. I think I've followed all of your instructions about posting a new topic; please correct me if I'm wrong.

Little edit: This is my first post, and I'm not 100% sure if this is the right section of the forum for this topic. If it isn't, please inform me via PM or simply reply here, and move the topic, or tell me if you wish me to repost in the correct section.

Deckard's System Scanner v20071014.68
Run by Compaq_Owner on 2008-05-03 00:32:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
8: 2008-05-03 05:32:11 UTC - RP27 - Deckard's System Scanner Restore Point
7: 2008-05-03 05:05:59 UTC - RP26 - Installed AVG Free 8.0
6: 2008-05-03 05:04:40 UTC - RP25 - Removed AVG Free 8.0
5: 2008-05-03 01:19:51 UTC - RP24 - Uniblue RegistryBooster
4: 2008-05-02 21:57:33 UTC - RP23 - Removed AdwareAlert


-- First Restore Point --
1: 2008-04-30 20:31:21 UTC - RP20 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Compaq_Owner.exe) ----------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-03 00:34:14
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Documents and Settings\Compaq_Owner\Desktop\dss.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\Program Files\HijackThis\Compaq_Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSV - {69F6C0AE-0C78-4999-B6D1-62932A265C5D} - C:\WINDOWS\onekek.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Stardock ObjectDock.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1209095210921
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\system32\TuneUpDefragService.exe


--
End of file - 9549 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)
S3 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
S3 XDva136 - c:\windows\system32\xdva136.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S2 aswUpdSv (avast! iAVS4 Control Service) - "c:\program files\alwil software\avast4\aswupdsv.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-03 00:27:28 500 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2008-04-28 09:48:10 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-03 and 2008-05-03 -----------------------------

2008-05-02 23:32:50 0 d-------- C:\Program Files\Alwil Software
2008-05-02 23:27:44 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Desktopicon
2008-05-02 22:32:23 0 d-------- C:\WINDOWS\New Folder
2008-05-02 20:18:48 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Uniblue
2008-05-02 19:41:07 0 dr------- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\Favorites
2008-05-02 19:41:07 0 d-------- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\Desktop
2008-05-02 19:41:07 0 d---s---- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\Cookies
2008-05-02 19:41:07 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\Application Data
2008-05-02 19:41:07 0 d-------- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\Application Data\Real
2008-05-02 19:41:07 0 d---s---- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\Application Data\Microsoft
2008-05-02 19:41:07 0 d-------- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\Application Data\Intuit
2008-05-02 19:41:07 0 d-------- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\Application Data\Identities
2008-05-02 19:41:06 0 d-------- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\WINDOWS
2008-05-02 19:41:06 0 d--h----- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\Templates
2008-05-02 19:41:06 0 dr------- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\Start Menu
2008-05-02 19:41:06 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\SendTo
2008-05-02 19:41:06 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\Recent
2008-05-02 19:41:06 0 d--h----- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\PrintHood
2008-05-02 19:41:06 0 d--h----- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\NetHood
2008-05-02 19:41:06 0 dr------- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\My Documents
2008-05-02 19:41:06 0 d--h----- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\Local Settings
2008-05-02 19:41:05 2097152 --ah----- C:\Documents and Settings\Administrator.YOUR-D0F670B45A\NTUSER.DAT
2008-05-02 19:34:29 0 d-------- C:\Documents and Settings\Compaq_Owner\.housecall6.6
2008-05-02 19:18:37 0 d------c- C:\4b92b53265820fcfe73a6ad5
2008-05-02 16:57:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-01 21:27:00 217600 --a------ C:\WINDOWS\onekek.dll
2008-05-01 21:26:54 52 --a----c- C:\smp.bat
2008-05-01 21:09:30 0 d-------- C:\Program Files\MetaStream
2008-04-27 20:05:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-04-27 20:05:43 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Azureus
2008-04-27 20:05:04 0 d-------- C:\Program Files\Azureus
2008-04-26 11:09:55 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Google
2008-04-26 10:42:59 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\WinRAR
2008-04-26 10:39:31 4682 --a------ C:\WINDOWS\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2008-04-25 17:04:21 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Sun
2008-04-24 23:46:59 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-04-24 23:31:24 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-24 22:45:23 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Yahoo!
2008-04-24 22:45:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-24 22:43:06 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\HPQ
2008-04-24 16:22:02 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\TuneUp Software
2008-04-24 16:21:19 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-04-24 16:20:56 0 d--h---c- C:\$AVG8.VAULT$
2008-04-24 15:53:28 0 d---s---- C:\Documents and Settings\Compaq_Owner\UserData
2008-04-24 15:39:31 0 d-------- C:\Program Files\AVG
2008-04-24 15:39:30 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-24 15:38:42 0 d-------- C:\Program Files\Yahoo!
2008-04-24 15:36:15 0 d-------- C:\Documents and Settings\Compaq_Owner\Contacts
2008-04-24 15:33:48 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Adobe
2008-04-24 15:28:20 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Apple Computer
2008-04-24 15:27:59 0 d-------- C:\Program Files\Bonjour
2008-04-24 15:26:48 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-24 15:22:24 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Macromedia
2008-04-24 15:13:45 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-04-24 09:05:31 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\acccore
2008-04-24 03:40:16 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\MSNInstaller
2008-04-24 03:40:06 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla
2008-04-24 03:39:55 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Ventrilo
2008-04-24 03:33:14 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-04-24 03:22:35 0 dr-hs--c- C:\cmdcons
2008-04-24 03:22:18 0 dr-h----- C:\Documents and Settings\Compaq_Owner\Recent
2008-04-24 03:18:41 0 dr------- C:\Documents and Settings\Compaq_Owner\Favorites
2008-04-24 03:18:41 0 d-------- C:\Documents and Settings\Compaq_Owner\Desktop
2008-04-24 03:18:41 0 d---s---- C:\Documents and Settings\Compaq_Owner\Cookies
2008-04-24 03:18:41 0 d--h----- C:\Documents and Settings\Compaq_Owner\Application Data
2008-04-24 03:18:41 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Real
2008-04-24 03:18:41 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Intuit
2008-04-24 03:18:41 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Identities
2008-04-24 03:18:40 0 d-------- C:\Documents and Settings\Compaq_Owner\WINDOWS
2008-04-24 03:18:40 0 d--h----- C:\Documents and Settings\Compaq_Owner\Templates
2008-04-24 03:18:40 0 dr------- C:\Documents and Settings\Compaq_Owner\Start Menu
2008-04-24 03:18:40 0 dr-h----- C:\Documents and Settings\Compaq_Owner\SendTo
2008-04-24 03:18:40 0 d--h----- C:\Documents and Settings\Compaq_Owner\PrintHood
2008-04-24 03:18:40 0 d--h----- C:\Documents and Settings\Compaq_Owner\NetHood
2008-04-24 03:18:40 0 dr------- C:\Documents and Settings\Compaq_Owner\My Documents
2008-04-24 03:18:40 0 d--h----- C:\Documents and Settings\Compaq_Owner\Local Settings
2008-04-24 03:18:39 3670016 --a------ C:\Documents and Settings\Compaq_Owner\NTUSER.DAT
2008-04-24 01:53:13 0 dr-h---c- C:\MSOCache
2008-04-24 01:49:42 0 dr-hs---- C:\WINDOWS\system32\dllcache
2008-04-23 23:25:21 0 d-------- C:\Documents and Settings\Administrator.ANDREWSCOMP\Application Data\AVG7
2008-04-23 23:21:01 0 d-------- C:\Documents and Settings\Administrator.ANDREWSCOMP\Application Data\Intuit
2008-04-23 23:21:01 0 d-------- C:\Documents and Settings\Administrator.ANDREWSCOMP\Application Data\Identities
2008-04-23 23:21:00 0 d--h----- C:\Documents and Settings\Administrator.ANDREWSCOMP\Local Settings
2008-04-23 23:21:00 0 dr------- C:\Documents and Settings\Administrator.ANDREWSCOMP\Favorites
2008-04-23 23:21:00 0 d-------- C:\Documents and Settings\Administrator.ANDREWSCOMP\Desktop
2008-04-23 23:21:00 0 d---s---- C:\Documents and Settings\Administrator.ANDREWSCOMP\Cookies
2008-04-23 23:21:00 0 dr-h----- C:\Documents and Settings\Administrator.ANDREWSCOMP\Application Data
2008-04-23 23:21:00 0 d-------- C:\Documents and Settings\Administrator.ANDREWSCOMP\Application Data\Real
2008-04-23 23:21:00 0 d---s---- C:\Documents and Settings\Administrator.ANDREWSCOMP\Application Data\Microsoft
2008-04-23 23:20:59 0 d-------- C:\Documents and Settings\Administrator.ANDREWSCOMP\WINDOWS
2008-04-23 23:20:59 0 d--h----- C:\Documents and Settings\Administrator.ANDREWSCOMP\Templates
2008-04-23 23:20:59 0 dr------- C:\Documents and Settings\Administrator.ANDREWSCOMP\Start Menu
2008-04-23 23:20:59 0 dr-h----- C:\Documents and Settings\Administrator.ANDREWSCOMP\SendTo
2008-04-23 23:20:59 0 dr-h----- C:\Documents and Settings\Administrator.ANDREWSCOMP\Recent
2008-04-23 23:20:59 0 d--h----- C:\Documents and Settings\Administrator.ANDREWSCOMP\PrintHood
2008-04-23 23:20:59 0 d--h----- C:\Documents and Settings\Administrator.ANDREWSCOMP\NetHood
2008-04-23 23:20:59 0 dr------- C:\Documents and Settings\Administrator.ANDREWSCOMP\My Documents
2008-04-23 23:20:58 2097152 --ah----- C:\Documents and Settings\Administrator.ANDREWSCOMP\NTUSER.DAT
2008-04-23 21:26:43 0 d-------- C:\Program Files\VirusIsolator
2008-04-23 20:45:44 0 d-------- C:\Documents and Settings\All Users\Application Data\hcbcngrq
2008-04-22 19:27:26 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-04-21 18:56:05 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-04-09 21:04:15 0 d-------- C:\Program Files\Safari


-- Find3M Report ---------------------------------------------------------------

2008-05-02 18:36:44 0 d-------- C:\Program Files\Outerinfo
2008-04-25 16:50:04 0 d-------- C:\Program Files\Messenger Plus! Live
2008-04-24 23:55:48 0 d-------- C:\Program Files\MSN Messenger
2008-04-24 17:31:29 0 d-------- C:\Program Files\GameSpy Arcade
2008-04-24 16:20:35 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-24 15:38:18 0 d-------- C:\Program Files\Microsoft Games
2008-04-24 15:18:36 1926 --a----c- C:\WINDOWS\mozver.dat
2008-04-24 06:14:32 0 d-------- C:\Program Files\Common Files
2008-04-24 06:12:03 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-24 03:34:55 0 d-------- C:\Program Files\Quicken
2008-04-24 03:33:31 0 d-------- C:\Program Files\Symantec
2008-04-21 18:57:29 0 d-------- C:\Program Files\OneStepSearch
2008-04-09 23:15:41 0 d-------- C:\Program Files\Warcraft III
2008-04-09 21:01:20 0 d-------- C:\Program Files\iTunes
2008-04-09 21:01:10 0 d-------- C:\Program Files\iPod
2008-04-09 20:59:27 0 d-------- C:\Program Files\QuickTime
2008-04-07 19:03:28 0 d-------- C:\Program Files\TuneUp Utilities 2007
2008-03-03 23:38:52 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-12 23:01:41 23180 --a------ C:\WINDOWS\War3Unin.dat
2008-02-11 21:10:13 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-02-11 21:10:13 126976 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69F6C0AE-0C78-4999-B6D1-62932A265C5D}]
05/01/2008 09:26 PM 217600 --a------ C:\WINDOWS\onekek.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [07/23/2005 01:14 AM]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [11/10/2005 02:29 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [02/17/2005 09:11 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [05/01/2008 11:15 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [01/03/2008 11:15 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:00 PM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2/8/2008 4:32:57 PM]
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [1/24/2008 10:47:47 PM]

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76abc120-9763-11da-b824-a5b3cc231ff3}]
AutoRun\command- ~tmp0.1st.exe




-- Hosts -----------------------------------------------------------------------


8300 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-03 00:35:11 ------------

Edited by PaRaSiTiC, 03 May 2008 - 12:58 AM.


#2 Buckeye_Sam
    Malware Expert

Posted 04 May 2008 - 09:37 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Delete this file.

C:\WINDOWS\onekek.dll


And delete this entire folder.

C:\Program Files\Outerinfo


Then reboot your computer and post a new DSS log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

