Multiple Problems - My Computer Is Very Sick


6 replies to this topic

#1 fritzos

Posted 27 October 2005 - 05:32 PM

I've got problems with my computer. I run XP. I've been getting the "LSA Shell (Export Version) encountered a problem and needed to close" message with the ensuing shutdown dialog boxes. I downloaded McAfee's Stinger, it found a virus and removed it. Now I keep getting the LSA Shell message, etc., and when I run Stinger, it doesn't find anything.

I'm also getting the "Message From System to Alert on mm/dd/yy", telling me about registry problems and recommending I go to sites to download a registry fixer. I've always closed these dialog boxes without clicking the "goto" button.

My anti-virus program (eTrust ezAntivirus, from Computer Associates International, Inc.) keeps finding multiple copies of (and deleting, it says) the 2 viruses, "Win32.SillyDI.UJ" and "Win32.Secdrop.IY". This happens whenever I connect to the internet.

It also appears that my computer is uploading a lot of data almost continually. Please help.

Thanks in advance:



Here is my HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 4:55:12 PM, on 10/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINNT\SYSTEM32\3cmlink.exe
C:\WINNT\SYSTEM32\3cshtdwn.exe
C:\WINNT\SYSTEM32\3cmlink.exe
C:\WINNT\System32\msconfigx32.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\System32\taskmgr.exe
E:\HijackThis\HijackThis.exe
C:\WINNT\SYSTEM32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.voyager.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.voyager.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Virtual Maid - {77B2F8DE-CB3F-4b6b-839B-807DD1ADBA1C} - C:\PROGRA~1\VIRTUA~1\VIRTUA~1.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [Internet Services Drivers] iexplores.exe
O4 - HKLM\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [Internet Services Drivers] iexplores.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32] msconfigx32.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Internet Services Drivers] iexplores.exe
O4 - HKCU\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKCU\..\RunServices: [Internet Services Drivers] iexplores.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.dll
O13 - WWW. Prefix: http://
O16 - DPF: Microsoft WFC Forms Designer - file://F:\VJ98\wfcforms.cab
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://F:\VJ98\vstudio6.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Ext2FsMounter - Unknown owner - C:\WINNT\system32\Ext2Mounter.exe
O23 - Service: Printer Status Server (hpzstatn) - Unknown owner - C:\WINNT\System32\spool\drivers\w32x86\hpzstatn.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

Please help.


#2 ddeerrff
Malware Response Team

Posted 01 November 2005 - 01:51 PM

Hello fritzos and welcome to BleepingComputer.


You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Download Noahdfear's smitRem.exe© and save the file to your desktop.
- Double click on the file to extract it to its own folder on the desktop.

Download and install the trial version of Ewido Security Suite.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- Launch Ewido; there should be an icon on your desktop, double-click it.
- The program will now go to the main screen.
- On the left hand side of the main screen click update.
- Click on Start.
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido.

Download Lavasoft's Ad-aware SE and update it (the Globe icon, then Connect).
- Don't run it yet.

Reboot into Safe Mode.
The easiest way is by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.


Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s

F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe

O3 - Toolbar: Virtual Maid - {77B2F8DE-CB3F-4b6b-839B-807DD1ADBA1C} - C:\PROGRA~1\VIRTUA~1\VIRTUA~1.DLL

O4 - HKLM\..\Run: [Internet Services Drivers] iexplores.exe
O4 - HKLM\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [Internet Services Drivers] iexplores.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32] msconfigx32.exe
O4 - HKCU\..\Run: [Internet Services Drivers] iexplores.exe
O4 - HKCU\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKCU\..\RunServices: [Internet Services Drivers] iexplores.exe

O13 - WWW. Prefix: http://

Close HiJackThis.


Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders (don't be concerned if they cannot be found):

C:\WINNT\System32\iexplores.exe <--Files
C:\WINNT\System32\msconfigx32.exe

C:\PROGRA~1\VIRTUALMaid\ <--folder


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido Security Suite:
- Click on scanner.
- Click on Complete System Scan and the scan will begin.
- You will be prompted to clean the first infection.
- Select "Perform action on all infections", then proceed.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
- Click Save report.
- Save the report to your desktop.


Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.


Reboot normally, open Internet Explorer and go to Panda's online virus scan.

- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply. Let us know if any problems persist.
Derfram
~~~~~~
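As an added example for this thread (not HijackThis code and not the helper's own procedure), a small Python triage script that encodes the pattern behind the fix list in the reply above: path-less Run values, anything under the Win9x-only RunServices key, executable names that imitate system binaries, a Shell= line with a second program appended, and IE search overrides. The sample entries are copied from the log in #1; the allowlist and the list of imitated system names are this example's assumptions.

```python
"""Triage a HijackThis v1.99 log the way the reply above does.
Added example for this thread (not HijackThis code, not the helper's tool); the
rules and allowlist are this example's assumptions, taken from which entries the reply fixed."""
import difflib
import re
from typing import List, NamedTuple

# Constructed sample: a subset of the entries from the log posted in #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.voyager.net
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Internet Services Drivers] iexplores.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32] msconfigx32.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O13 - WWW. Prefix: http://
"""

class Finding(NamedTuple):
    section: str
    entry: str
    reason: str

# IE search values that are normally absent.  The reply fixed every one of
# these while leaving "Main,Start Page" and "Main,Search Bar" in place.
SEARCH_OVERRIDES = ("SearchAssistant", "CustomizeSearch", "SearchURL")
# Path-less Run values the reply left alone; assumed legitimate on this host.
RUN_ALLOWLIST = {"point32.exe"}
# Genuine Windows binaries whose names malware likes to imitate (assumption).
SYSTEM_NAMES = ["iexplore.exe", "msconfig.exe", "explorer.exe", "svchost.exe"]

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^=]+?),(?P<value>[^=]+?) = (?P<data>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")

def executable_name(cmd: str) -> str:
    """Lower-case file name of the program a Run value launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        prog = cmd[1:].split('"', 1)[0]       # quoted path, may contain spaces
    else:
        prog = cmd.split()[0] if cmd else ""  # first token, before any arguments
    return prog.rsplit("\\", 1)[-1].lower()

def is_bare_filename(cmd: str) -> bool:
    """True when the value is just 'name.exe': no path, no quotes, no %variable%."""
    first = cmd.strip().split()[0] if cmd.strip() else ""
    return bool(first) and not first.startswith(('"', "%")) and "\\" not in first and ":" not in first

def check_r(m: re.Match) -> List[str]:
    """Flag search-engine overrides and report the host they point at."""
    last_key = m["key"].rsplit("\\", 1)[-1]
    if m["value"] in SEARCH_OVERRIDES or last_key in SEARCH_OVERRIDES:
        host = re.sub(r"^\w+://", "", m["data"]).split("/", 1)[0]
        return [f"IE search override pointing at {host}"]
    return []

def check_o4(m: re.Match) -> List[str]:
    """Autostart heuristics: Win9x key, path-less binary, look-alike name."""
    reasons = []
    name = executable_name(m["cmd"])
    if m["key"].lower() == "runservices":
        reasons.append("RunServices is a Win9x autostart key; on XP anything here is suspect")
    if is_bare_filename(m["cmd"]) and name not in RUN_ALLOWLIST:
        reasons.append(f"bare filename {name!r}, resolved via the search path (typically system32)")
    close = difflib.get_close_matches(name, SYSTEM_NAMES, n=1, cutoff=0.8)
    if close and close[0] != name:
        reasons.append(f"{name!r} imitates the system binary {close[0]!r}")
    return reasons

def triage(log_text: str) -> List[Finding]:
    """One Finding per (entry, reason) for the suspicious lines in a log."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        reasons: List[str] = []
        if section in ("R0", "R1") and (m := R_RE.match(line)):
            reasons = check_r(m)
        elif section == "F2" and (m := F2_RE.match(line)):
            if m["shell"].strip().lower() != "explorer.exe":
                reasons = [f"Shell= should be exactly Explorer.exe, found {m['shell']!r}"]
        elif section == "O4" and (m := O4_RE.match(line)):
            reasons = check_o4(m)
        elif section == "O13":
            reasons = ["IE URL prefix entry; the reply treats this as a hijack to fix"]
        findings.extend(Finding(section, line, r) for r in reasons)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n    {f.entry}")
```

Run against the full log from #1, the script reports the same R1, F2 and iexplores.exe/msconfigx32.exe entries the reply asked to fix, while the RoboForm, Creative and eTrust entries pass.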

#3 fritzos
Topic Starter

Posted 01 November 2005 - 09:01 PM

Hello ddeerrff. Thank you so much for helping me with these problems. After doing everything you said, my computer is running much better, but I still get the "Message From System to Alert" dialog (2 times while doing the Panda scan, and once right now), and I got the "LSA Shell (Export Version) encountered a problem and needed to close" dialog once with the shutdown dialog. I stopped the shutdown and finished the Panda scan.

Thank you once again.

The logs are as follows:



From Panda Activescan:


Incident Status Location

Adware:adware/popuper No disinfected C:\Online Pharmacy.url
Adware:adware/searchaid No disinfected :\WINNT\dict.dat
Dialer:Dialer.AZH No disinfected C:\WINNT\SYSTEM32\AWM226.exe
Virus:W32/Sdbot.EWY.worm Disinfected C:\WINNT\SYSTEM32\TFTP2536
Dialer:Dialer.XH No disinfected E:\RECYCLER\S-1-5-21-924867326-1508855032-1773304566-500\DE1121.EXE
Dialer:Dialer.XH No disinfected E:\RECYCLER\S-1-5-21-924867326-1508855032-1773304566-500\DE1122.EXE



New HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:43:47 PM, on 11/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\Explorer.EXE
E:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINNT\SYSTEM32\3cmlink.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINNT\SYSTEM32\3cshtdwn.exe
C:\WINNT\SYSTEM32\3cmlink.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.voyager.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.voyager.net
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.dll
O16 - DPF: Microsoft WFC Forms Designer - file://F:\VJ98\wfcforms.cab
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://F:\VJ98\vstudio6.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{35CBA89A-3822-4812-BF21-2F57BC57F1FB}: NameServer = 209.153.128.4 169.207.1.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Ext2FsMounter - Unknown owner - C:\WINNT\system32\Ext2Mounter.exe
O23 - Service: Printer Status Server (hpzstatn) - Unknown owner - C:\WINNT\System32\spool\drivers\w32x86\hpzstatn.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe




smitfiles.txt:


smitRem © log file
version 2.7

by noahdfear

The current date is: 11/01/2005
The current time is: 16:28:43.08

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

adult
cars
sexual life
shopping
anti spam.url
job search.url
poker.url
spyware removal.url
Online Gambling.url
online dating.url
Black Jack Online.url
Online Pharmacy\Adipex.url
Black Jack Online.url
Home Loan.url
Network Security.url
Online Dating.url
Online Pharmacy.url
Online Gambling folder
Online Pharmacy folder


~~~ system32 folder ~~~

perfcii.ini
logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :thumbsup:


Ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:08:57 PM, 11/01/2005
+ Report-Checksum: E7C96894

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{8B0B6F79-C50D-4ea6-8F65-BDF18005DE20}\TypeLib\\ -> Spyware.2020Search : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CC1C919-AE8B-4373-A5B4-28BA1851E39A}\TypeLib\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{354A1552-9A59-417E-87CB-0D040A85B4D6} -> Spyware.CoolWebSearch : Cleaned with backup
C:\avatarz.exe -> Trojan.LowZones.cf : Cleaned with backup
C:\I386\SYSTRAY.EXE/systray.exe -> TrojanDropper.Paradrop.a : Cleaned with backup
C:\Program Files\U.S. Robotics\ControlCenter\ctrlcntr.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe -> Heuristic.Win32.Dialer : Cleaned with backup
:mozilla.6:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.7:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.10:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.17:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
:mozilla.18:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
:mozilla.27:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.29:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.30:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.31:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.39:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.40:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.41:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.42:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.43:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.44:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.45:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.46:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.47:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.48:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.49:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.50:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.51:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.52:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.58:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.63:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.64:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.65:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.66:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.68:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.76:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.77:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.78:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.79:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.80:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.81:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.82:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.91:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.94:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.95:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.97:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.99:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.100:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.101:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.102:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.103:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.106:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.107:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.109:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.110:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.111:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.112:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.113:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.114:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.115:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.116:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.117:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.118:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.119:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.120:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.121:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.122:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.123:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.124:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.125:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.126:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.127:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.128:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.129:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.130:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.131:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.132:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.151:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.152:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.153:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.156:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.157:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.159:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.171:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.172:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.173:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.178:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.179:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.184:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.185:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.186:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.187:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.188:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.189:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.190:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.191:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.192:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.198:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.209:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.211:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.219:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.226:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.227:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.228:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.229:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.230:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.231:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.232:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.233:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.238:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.239:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.240:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.241:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.242:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.245:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.246:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.248:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.249:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.252:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.253:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.254:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.255:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.256:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.257:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.258:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.259:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.263:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.269:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.270:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.271:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.273:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.274:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.276:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.277:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.278:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.283:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.286:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.287:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.289:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.290:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.291:C:\WINNT\Profiles\FAK\Application Data\Mozilla\Profiles\fkeller\krktukes.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup


::Report End

#4 ddeerrff

    Retired

  • Malware Response Team
  • 2,723 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 02 November 2005 - 12:18 AM

Open Windows Explorer (Windows key+e), navigate to and delete the following files:

C:\Online Pharmacy.url
C:\WINNT\dict.dat
C:\WINNT\SYSTEM32\AWM226.exe

If any of these resist being deleted, boot into Safe Mode and try from there.


Looks like Ewido false positive'd a couple of files from your US Robotics Control Center. Please run Ewido Security Suite and open the 'Quarantine' section. Select and restore the following:

C:\Program Files\U.S. Robotics\ControlCenter\ctrlcntr.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe



My research on "Message From System to Alert" would indicate it may be a message coming in via 'Messenger Service'. Unless you are in a corporate environment and your system administrator actually uses it, disabling Messenger Service is a good idea.

Click on Start -> Run, type in services.msc and click 'OK'
Locate "Messenger Service" in the list and double click on it.
Change "Startup type" to Disabled and click "Apply".
Click on "Stop", then OK.
Exit the Services panel.



"LSA Shell (Export Version) encountered a problem and needed to close" sure sounds like the Sasser worm. Panda should have found that, but let's try the removal tool anyway:

Download McAfee Avert Stinger from http://vil.nai.com/vil/stinger/.
- Follow the instructions on that page to run Stinger.


After running Stinger, please go to Windows Update. Decline SP2 but install all other available High Priority updates.


Let me know if this solves the problem or if we need to look further.
Derfram
~~~~~~

#5 fritzos

  • Topic Starter
  • Members
  • 4 posts

Posted 04 November 2005 - 08:00 PM

Hello ddeerrff.

Sorry it took so long to get back. It took forever to get all the updates from Microsoft and get them installed. It took me 3 frustrating days, what with my computer locking up, downloads failing, getting rebooted, etc. I had no idea I had been so negligent about updating; there were 33 critical updates I needed to make. After it was all installed, I went through the steps you listed in your first response. There were a few hits, mostly spyware, but not too much. I've been using my puter for several hours now and no more LSA Shell messages and crap.

Thank you tons and tons for all your help. You're da Man. :thumbsup: :flowers:

I am including one last HJT log, but so far everything seems cool.


Latest HJT log

Logfile of HijackThis v1.99.1
Scan saved at 6:51:27 PM, on 11/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINNT\SYSTEM32\3cmlink.exe
C:\WINNT\SYSTEM32\3cshtdwn.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINNT\SYSTEM32\3cmlink.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINNT\System32\wuauclt.exe
E:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.voyager.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.voyager.net
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.dll
O16 - DPF: Microsoft WFC Forms Designer - file://F:\VJ98\wfcforms.cab
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://F:\VJ98\vstudio6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130920249831
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{35CBA89A-3822-4812-BF21-2F57BC57F1FB}: NameServer = 209.153.128.4 169.207.1.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Ext2FsMounter - Unknown owner - C:\WINNT\system32\Ext2Mounter.exe
O23 - Service: Printer Status Server (hpzstatn) - Unknown owner - C:\WINNT\System32\spool\drivers\w32x86\hpzstatn.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
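
Added example (not part of the thread, and not a HijackThis feature): a small Python script that applies a few of the checks a HJT reviewer does by eye when reading a log like the one above. It flags O4 autostarts that name a bare file with no path, O16 ActiveX downloads with no source URL, O17 DNS server overrides, and O23 services that report "Unknown owner" or "(file missing)". The sample input is excerpted verbatim from the log posted above; the heuristics, the regexes and the flag wording are mine. A flag means "a human should look at this", not "malware": in this thread the helper judged the log clean, and entries such as the Ext2 mounter and the orphaned HP printer service are consistent with that.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: these lines are excerpted verbatim from the HijackThis
# log posted above; nothing here is invented. Only the flag wording is mine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35CBA89A-3822-4812-BF21-2F57BC57F1FB}: NameServer = 209.153.128.4 169.207.1.3
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Ext2FsMounter - Unknown owner - C:\WINNT\system32\Ext2Mounter.exe
O23 - Service: Printer Status Server (hpzstatn) - Unknown owner - C:\WINNT\System32\spool\drivers\w32x86\hpzstatn.exe (file missing)
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section tag, e.g. "O23"
    subject: str  # the name a reviewer would look up
    reason: str   # why a human should look at it; a flag means "review", not "malware"
    line: str     # the original log line


# Line shapes handled: "O4 - HKLM\..\Run: [Name] command",
# "O16 - DPF: {CLSID} (Name) - URL", "O17 - ...: NameServer = a b",
# "O23 - Service: Name - Owner - Path". Other O4 forms (Global Startup) are skipped.
SECTION_RE = re.compile(r"^(O\d+|R\d|F\d|N\d)\s+-\s+(.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF:\s+(?P<ident>.*?)\s+-\s*(?P<url>.*)$")
O17_RE = re.compile(r"NameServer\s*=\s*(?P<servers>.+)$")
O23_RE = re.compile(r"^Service:\s+(?P<name>.+?)\s+-\s+(?P<owner>.+?)\s+-\s+(?P<path>.+)$")


def _has_explicit_path(cmd: str) -> bool:
    """True when the autostart command names its binary by drive, UNC or variable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        exe = cmd.split(None, 1)[0] if cmd else ""
    return re.match(r"^([A-Za-z]:\\|\\\\|%)", exe) is not None


def triage(log_text: str) -> List[Finding]:
    """Return the entries a HJT reviewer would want to check by hand, in log order."""
    findings: List[Finding] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if section == "O4":
            o4 = O4_RE.match(body)
            if o4 and not _has_explicit_path(o4["cmd"]):
                findings.append(Finding(section, o4["name"],
                    "autostart gives a bare file name; which binary runs depends on the search path", line))
        elif section == "O16":
            o16 = O16_RE.match(body)
            if o16 and not o16["url"].strip():
                findings.append(Finding(section, o16["ident"],
                    "ActiveX download entry without a source URL; origin cannot be checked from the log", line))
        elif section == "O17":
            o17 = O17_RE.search(body)
            if o17:
                findings.append(Finding(section, o17["servers"].strip(),
                    "DNS servers set on an interface; confirm they belong to the ISP", line))
        elif section == "O23":
            o23 = O23_RE.match(body)
            if o23 and o23["path"].rstrip().endswith("(file missing)"):
                findings.append(Finding(section, o23["name"],
                    "service entry whose binary is missing on disk", line))
            elif o23 and o23["owner"] == "Unknown owner":
                findings.append(Finding(section, o23["name"],
                    "service with no publisher information; identify the binary before trusting it", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.subject}: {f.reason}")
```

Run on the excerpt it reports five entries: the bare point32.exe autostart, the Java DPF entry with no download URL, the two DNS servers, the Ext2FsMounter service with no owner string, and the hpzstatn service whose binary is gone. Everything else in the excerpt passes. The point of the script is to make the reviewer's first pass mechanical and repeatable; deciding whether a flagged entry is actually bad still needs a lookup of the binary, as the helper did in this thread.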

#6 ddeerrff

    Retired

  • Malware Response Team
  • 2,723 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 04 November 2005 - 08:53 PM

Log looks clean...great job!


Keep HijackThis along with its backup folder for a bit just in case there arises a need for the backup files it has created. Any other tools we downloaded or files we created can be uninstalled or deleted. If we have enabled viewing of Hidden and System files, go back and re-hide these files.

If this is a Windows XP system: After you have used your machine a while, and are confident that all is well, we can do a little final cleanup.

Purge Restore points:

XP System Restore periodically creates a partial system backup. It is quite likely that some of the now removed malware has been 'backed up' in those files.

Start->Control Panel->System, System Restore.
Check "Turn off System Restore".
Immediately reboot (all your restore points will be deleted by this).
Then Start->Control Panel->System, System Restore again.
Uncheck "Turn off System Restore" and create a new clean restore point.

Run Disk Cleanup

Click on the Start button and then on Run. Type in cleanmgr then click on OK. Be sure the (C:) drive is selected and click OK. It may take a bit for "Compress old files" to complete. Check all the boxes and click on OK, then OK again.


Now that you are clean, please follow these steps in order to keep your computer safe and secure:

How did I get infected?, With steps so it does not happen again!
Simple and easy ways to keep your computer safe and secure on the Internet


*** Clean log install SP2 **
We highly recommend installing SP2. Click here: http://windowsupdate.microsoft.com/.
-or-
It's a very large download, so if you're on dial-up or just prefer a hard copy, order a free CD here:
http://www.microsoft.com/windowsxp/downloa...default810.mspx


Glad we were able to be of help.
Derfram
~~~~~~

#7 ddeerrff

    Retired

  • Malware Response Team
  • 2,723 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 14 November 2005 - 04:46 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~



