Smitfraud-c. & Its Friends



#1 Oxycodone


Posted 24 August 2008 - 09:29 AM

So, having quite a few problems. Namely, when I start my computer, I get a command prompt looking black window, and an error saying something about C:\Windows\SYSTEM\command.com, like it's missing or something is screwed up. If I click 'OK', the error and prompt will just keep reappearing, and explorer will not start, unless I put in New Task and type explorer.exe myself. I have been noticing a lot of strange processes running, like ms-F5.exe, ms-10.exe, etc. Also, neos.exe, amongst others.

So anyway, without further ado, I bring you my wonderful malware-ridden HJT logfile, enjoy!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:27 AM, on 8/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B1D3576A-CA42-4D09-83C1-15D563C19D71} - C:\AntivirAsistant\1.dll
O2 - BHO: BhoApp Class - {F985D38B-61DE-3FCC-5872-1225C5BCB432} - C:\Program Files\altcmd\altcmd32.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Service] C:\WINDOWS\system32\smsx.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [lphc1s9j0ea5p] C:\WINDOWS\system32\lphc1s9j0ea5p.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\system32\alt.exe.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingC6231] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\icons2.res"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1200] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\progress.res"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9888] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\progress.res"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8766] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\sales_buttons.res"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2018] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\sales_buttons.res"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2776] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\s_icons_buttons.res"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9365] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\s_icons_buttons.res"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8194] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\t2_bg.res"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5713] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\tsd_bg.res"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4487] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\tsd_bg.res"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9161] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_Mails.mnu"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9856] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\tsd_bg.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8318] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_hotbarcom.mnu"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6073] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_hotbarcom.mnu"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8787] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\buttondir.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9501] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\buttondir.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8183] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\linkpathlegal.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2679] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\linkpathlegal.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingA880] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\ads.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7842] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\ads.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5917] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\BtnTrans.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3234] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\BtnTrans.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3789] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\BtnTrans1.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4183] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\BtnTrans1.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6413] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\business_promo.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5762] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\business_promo.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3084] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\buttondir.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7694] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\buttondir.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1466] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\default.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3869] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\default.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3209] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_1000.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC129] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_1000.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5596] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_2000.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4436] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_2000.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2075] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_3000.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7598] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_3000.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8407] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_bar.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9235] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_bar.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5987] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_bbar1.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8266] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_bbar1.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1759] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_logos.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4390] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_logos.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4217] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_other.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3955] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_other.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1705] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_weather.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8262] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_weather.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2211] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\email-t1-bg.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5430] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\email-t1-bg.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6589] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\hotbar-premium.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2155] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\hotbar-premium.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7721] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\hotbar_promo.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC584] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\hotbar_promo.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5245] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\icons2.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC242] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\icons2.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9078] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\keywords.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4468] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\keywords.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3179] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\keywords1.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC493] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\keywords1.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9635] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\layout.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8388] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\layout.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6286] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\linkpathlegal.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4265] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\linkpathlegal.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3264] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\progress.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3533] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\progress.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1517] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\sales_buttons.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3044] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\sales_buttons.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2896] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\samplegroups2.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7819] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\samplegroups2.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8726] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\s_icons_buttons.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3361] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\t2_bg.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6116] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\t2_bg.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6187] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\top7.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7403] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\top7.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2707] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\tsd_bg.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8365] command /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\samplegroups2.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC845] cmd /c del "C:\Documents and Settings\Joe Dowd\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\samplegroups2.txt"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\RunOnce: [VZG1] C:\WINDOWS\system32\cmd.exe /C del C:\WINDOWS\System32\VZGUNI~1.DLL
O4 - HKLM\..\RunOnce: [VZG2] C:\WINDOWS\system32\cmd.exe /C del C:\WINDOWS\System32\VERIZO~1.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\James\xrt_idcf.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [CDriver] c:\google.com\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [DDriver] c:\google.com\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [alpha] c:\google.com\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [beta] c:\google.com\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [gamma] c:\google.com\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [DriverLoad] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DriverCheck] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SystemDriverLoad] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SystemDriver] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [FDriver] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ADriver] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CDriver] c:\google.com\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DDriver] c:\google.com\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [alpha] c:\google.com\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [beta] c:\google.com\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [gamma] c:\google.com\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [neos] C:\WINDOWS\neos.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DriverLoad] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://www.comfortsite.com/ebiz/applicatio...trix/ica32t.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {359F7E49-1EA0-4671-92E9-61E32FE25C5E} - http://69.0.137.190/version3/Netster.dll
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - https://www.comfortsite.com/EBiz/Applicatio...SApps/msrdp.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} - http://picturecenter.kodak.com/activex/Lig...loadControl.cab
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\James\LOCALS~1\Temp\dnlsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

--
End of file - 22642 bytes

Thanks in advance,
James

Edited by Oxycodone, 24 August 2008 - 09:30 AM.
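Added example, not code from the thread above, from Trend Micro's HijackThis, or from any BleepingComputer tool: a small Python script that applies the checks a log helper does by eye to the O2/O4/O20/O23 entries of a log like the one posted. It flags a system binary name outside C:\WINDOWS (the c:\google.com\svchost.exe entries), executables in a Temp directory, double extensions (alt.exe.exe), random-looking names (lphc1s9j0ea5p.exe), autoruns under Policies\Explorer\Run and the SYSTEM hive (S-1-5-18), any AppInit_DLLs value, services with an unknown owner, and orphaned "(no file)" entries. The sample lines are a subset copied from the log above; the trusted-directory list, the filename thresholds, and the section checks are this example's own assumptions, not HijackThis's logic.

```python
"""Heuristic triage of HijackThis (HJT) log entries.

Added example, not code from the thread or from HijackThis. SAMPLE_LOG is a
subset of the lines in the log posted above; the trusted-directory list and
the filename thresholds are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B1D3576A-CA42-4D09-83C1-15D563C19D71} - C:\AntivirAsistant\1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphc1s9j0ea5p] C:\WINDOWS\system32\lphc1s9j0ea5p.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\system32\alt.exe.exe
O4 - HKLM\..\Policies\Explorer\Run: [CDriver] c:\google.com\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [neos] C:\WINDOWS\neos.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\James\xrt_idcf.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\James\LOCALS~1\Temp\dnlsvc.exe
O23 - Service: Intel NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in .exe/.dll/.com; greedy so "alt.exe.exe" is kept whole.
PATH_RE = re.compile(r'([a-z]:\\[^"\r\n]*\.(?:exe|dll|com))', re.I)
RANDOM_STEM_RE = re.compile(r"[a-z0-9]{10,}")

# Names that legitimately live only under C:\WINDOWS on XP; anywhere else is a masquerade.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "services.exe",
                       "winlogon.exe", "smss.exe", "csrss.exe", "spoolsv.exe"}
# Assumption for this example: software normally installs under one of these.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Finding:
    section: str                  # HJT section tag, e.g. "O4"
    path: Optional[str]           # executable/DLL path, if the entry names one
    reasons: List[str] = field(default_factory=list)
    line: str = ""


def _path_reasons(path: str) -> List[str]:
    """Checks on the file the entry points at."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    stem = name.rpartition(".")[0]
    reasons = []
    if name in SYSTEM_BINARY_NAMES and not low.startswith("c:\\windows\\"):
        reasons.append(f"system binary name {name!r} outside C:\\WINDOWS (masquerade)")
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory")
    if name.count(".") >= 2:
        reasons.append("double extension")
    if RANDOM_STEM_RE.fullmatch(stem) and sum(c.isdigit() for c in stem) >= 3:
        reasons.append("random-looking filename")
    if not low.startswith(TRUSTED_PREFIXES):
        reasons.append("non-standard install location")
    return reasons


def _section_reasons(section: str, body: str) -> List[str]:
    """Checks on where the entry is registered, independent of the file."""
    low = body.lower()
    reasons = []
    if "(no file)" in low:
        reasons.append("orphaned entry (no file)")
    if section == "O4" and "policies\\explorer\\run" in low:
        reasons.append("Policies\\Explorer\\Run autorun (rarely used legitimately)")
    if section == "O4" and "hkus\\s-1-5-18" in low:
        reasons.append("autorun registered in the SYSTEM account hive (S-1-5-18)")
    if section == "O20" and low.startswith("appinit_dlls"):
        reasons.append("AppInit_DLLs: injected into every process that loads user32.dll")
    if section == "O23" and "unknown owner" in low:
        reasons.append("service with no identifiable publisher (Unknown owner)")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per HJT entry that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body)
        path = pm.group(1) if pm else None
        reasons = _section_reasons(section, body) + (_path_reasons(path) if path else [])
        if reasons:
            findings.append(Finding(section, path, reasons, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.path or '(no path)'}: " + "; ".join(f.reasons))
```

Run it and the QuickTime, Acrobat and Intel entries drop out while the nine others are listed with the reason each tripped; the heuristics are deliberately loose (a legitimate program in a non-standard folder will be flagged too), so the output is a list of entries to look at first, not a verdict.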



#2 kahdah


Posted 24 August 2008 - 11:57 AM

Hello Oxycodone

Welcome to BleepingComputer :thumbsup:
========================
You have no antivirus installed, so download ONE of these anti-virus programs and install it.
These are free.
AVG free 8.0
Note: this is free antispyware and antivirus protection.
or
Antivir
=============================
Then :
Download SDFix and save it to your Desktop.

Double-click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum.
=============
After that, please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

Edited by kahdah, 24 August 2008 - 11:57 AM.




