
Infected With Trojan.win32.startpage.adh, Trojandownloader.win32.zlob.ci, Trojandownloader.win32.zlob.mo, Spywarequake 2.0, Search Assistant, &bridge



#1 gnome86
  • Members
  • 14 posts

Posted 13 July 2006 - 09:15 PM

A friend of mine isn't that computer oriented and was on my computer and clicked on everything that popped up, pretty much. Ever since then my homepage has been coming up as blank and I have been getting a little bubble at the bottom of my screen saying that I have spyware on my PC, along with a numerous amount of pop-ups (which I never got before, at all), and I did the scans described in my description and still no luck removing them. Never had this kind of problem before, at least of this. I'm a very big noob when it comes to this, so bear with me. Thanks in advance for any tips or ideas!!!!!!


Logfile of HijackThis v1.99.1
Scan saved at 8:49:22 PM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: C:\WINDOWS\lbbho.dll - {240F379D-9DEF-4E33-A714-B27E13E4D80C} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [System Toolkit] C:\My Downloads\Norton Anti-Virus 2004 Reg-Code Generator (WORKING!!) (1).exe
O4 - HKLM\..\Run: [ommdlgc] C:\WINDOWS\System32\ommdlgc.exe
O4 - HKLM\..\Run: [tcpvss] C:\WINDOWS\inf\tcpvss.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [System Kernal Support] system.exe
O4 - HKLM\..\Run: [eudowz] c:\windows\system32\qunnwn.exe
O4 - HKLM\..\Run: [workflo] E:\install\workflow.exe
O4 - HKLM\..\Run: [workflow] E:\install\workflow.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [System Kernal Support] system.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [System Soap Pro] C:\Program Files\System Soap Pro\soap.exe min
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [System Kernal Support] system.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0\bin\npjpi140_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0\bin\npjpi140_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://www.pcflashbang.com/banner_04/inst.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: (ISEXEng) - Unknown owner - C:\WINDOWS\system32\angelex.exe (file missing)
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


#2 amateur
    Malware Fighter
  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 14 July 2006 - 05:52 AM

Hello Gnome86,

Welcome to BC. :thumbsup:

I am sorry to be the bearer of bad news, but you have several infections, the most important of which is a worm, SDBOT.BWV, with backdoor and keylogging capabilities, evidenced by these entries :flowers: :

O4 - HKLM\..\Run: [System Kernal Support] system.exe
O4 - HKLM\..\RunServices: [System Kernal Support] system.exe
O4 - HKCU\..\Run: [System Kernal Support] system.exe

I would recommend that you disconnect this PC from the Internet immediately. If this computer is used for any sensitive transaction like banking or other financial transactions, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable. It would also be wise to contact those same institutions to alert them to the possibility of identity theft.

Though it is identified and can be killed, because of its backdoor functionality it is very likely that your computer is compromised, and there is no way to be sure that it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Here are some informative links to help you decide:

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx

http://www.eweek.com/article2/0,1895,1945808,00.asp

If you still wish to attempt to clean it, please let me know and I'll be happy to help you.

#3 gnome86
  • Topic Starter
  • Members
  • 14 posts

Posted 14 July 2006 - 09:12 AM

Thank you very much, amateur. Luckily I don't do any transactions on this computer, so I think I'm OK for the most part. If it's OK with you and you are willing, I would like to try and fix this problem. I'm not sure I quite understood that part about the OS. But thanks again, mate, and I appreciate the help A LOT!

#4 amateur
    Malware Fighter
  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 14 July 2006 - 09:19 AM

OK. I'll get busy and prepare a fix for you. I'll be back soon. Just remember to keep this computer disconnected from the internet until it's "clean", other than downloading the programs needed for the process.

Edited by amateur, 14 July 2006 - 09:24 AM.


#5 gnome86
  • Topic Starter
  • Members
  • 14 posts

Posted 14 July 2006 - 10:03 AM

Thanks again!!!! :thumbsup:

#6 amateur
    Malware Fighter
  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 14 July 2006 - 11:02 AM

Hi,
First of all, HijackThis needs to be placed in a folder of its own to function properly. Please click on an empty space on your Desktop and go New>Folder to create a new folder. Name it HijackThis and place HijackThis.exe in this folder by dragging and dropping.


============================================
Click Start>Run, type in appwiz.cpl and hit Enter. From the list, uninstall:

System Soap Pro

============================================

Please print these instructions or save them in Notepad, because you'll need them later in Safe Mode (without networking support), when this page won't be available. Read the instructions very carefully and follow them in the exact order they are presented, without missing any.


============================================

Make sure that you can see hidden files
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View tab
  • Under the Hidden files and folders heading, select Show hidden files and folders
  • Uncheck the Hide protected operating system files (recommended) option
  • Click Yes to confirm
  • Click OK
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

============================================
Download and install Ewido Antimalware 4.0.
  • Open Ewido AntiMalware
  • Go to the Status menu
  • Under "Your computer's Security", click "change status" on Resident shield to set it to inactive
Check for updates, but do not scan with it yet.
============================================

Please download Ccleaner and save it to your desktop.

Tutorial for CCleaner

During the installation, be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

===============================================

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop. Here is a link to see how, if you don't know.
Don't use it yet.

This tool is only for Windows XP and Windows 2000.

============================================

Backup your Registry...
Click Start>Run. Type Regedit and press Enter. The registry editor opens.
On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup somewhere you'll remember, but not on Desktop.
  • Copy the contents (starting with REGEDIT4) of the Quote Box below to Notepad. It must be Notepad, not WordPad.
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • and Save it on the desktop

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"system.exe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"system.exe"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"system.exe"=-


Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

==========================================================

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for more information.

=============================================

Open HijackThis, click on Scan and put a check in front of the following

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
O2 - BHO: C:\WINDOWS\lbbho.dll - {240F379D-9DEF-4E33-A714-B27E13E4D80C} - blank (file missing)
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [System Toolkit] C:\My Downloads\Norton Anti-Virus 2004 Reg-Code Generator (WORKING!!) (1).exe
O4 - HKLM\..\Run: [ommdlgc] C:\WINDOWS\System32\ommdlgc.exe
O4 - HKLM\..\Run: [tcpvss] C:\WINDOWS\inf\tcpvss.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [System Kernal Support] system.exe
O4 - HKLM\..\Run: [eudowz] c:\windows\system32\qunnwn.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [System Kernal Support] system.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\Program Files\System Soap Pro\soap.exe min
O4 - HKCU\..\Run: [System Kernal Support] system.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://www.pcflashbang.com/banner_04/inst.exe
O23 - Service: (ISEXEng) - Unknown owner - C:\WINDOWS\system32\angelex.exe (file missing)

Close all browsers and windows, except HijackThis and click on fix checked. Exit HijackThis but stay in Safe Mode.

============================================

Then, in safe mode double-click on the fix.reg file, and when it prompts to merge say yes.

============================================

In Safe Mode,

use Start > Run. Copy/Paste or type the text in bold:

1) sc stop ISEXEng and then click OK
2) sc delete ISEXEng and then click OK

============================================

In Safe Mode, using Windows Explorer (right click on Start, click on Explore), navigate and locate the following files and folders and delete them, if present:

C:\WINDOWS\System32\bridge.dll
C:\My Downloads\Norton Anti-Virus 2004 Reg-Code Generator (WORKING!!) (1).exe
C:\WINDOWS\System32\ommdlgc.exe
C:\WINDOWS\inf\tcpvss.exe
C:\WINDOWS\system32\angelex.exe
c:\windows\system32\qunnwn.exe

C:\Program Files\System Soap Pro

============================================

In Safe Mode open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.

Posted Image

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.

Posted Image

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. I'll need you to post that log later.

A reboot may be needed to finish the cleaning process. If your computer does not restart automatically, please do it yourself manually, booting in Safe Mode.
Warning: running option #2 on a non-infected computer will remove your Desktop background.

=================================

From Safe Mode run Ccleaner
Click on Options, select Advanced. Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours".
Make sure the Cleaner block on the left is selected. (Do not use the "Issues" block) Choose the Windows tab.
Check everything EXCEPT Advanced part of the Menu. Click on "Analyze". This process could take a while.
If you don't want to lose your login passwords to certain sites, click on Options, select Cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting them and using the arrows in the middle.
Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.

If you have more than one user, run Ccleaner for every user.

======================

From Safe Mode Run Ewido AntiMalware
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
  • When the scan is complete click Recommended Action and change it to Quarantine
  • Then click Apply all actions
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop
NOTE: the Ewido scan may need an hour.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel

========================================

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

=================================

Reboot in Normal Mode.

=================================

Run Ccleaner again prior to running Sysclean.

=================================
  • Please create a folder on your desktop called Sysclean.
  • Go to http://www.trendmicro.com/download/dcs.asp and download sysclean package to the folder you made.
  • Go to http://www.trendmicro.com/download/pattern.asp and download the Official Pattern Release for windows to your desktop.
  • This file will be called lptXXX.zip (XXX represents the version number)
  • Unzip lptXXX.zip and you'll get a file lpt$vpn.XXX.
  • Move the lpt$vpn.XXX to that Sysclean-folder you created on your desktop.
  • Turn off/disable temporarily your antivirus which is installed on your system because it can interfere with the Sysclean-scan.
  • Reboot in Safe Mode.
  • Open the sysclean-folder and double-click sysclean.com.
  • Check: "Automatically clean or delete detected files."
  • Click "Scan".
  • When the scan is finished, select: "View log".
  • Copy and paste this log in your next reply. (or you can copy/paste it to a notepad and save it to post later)
=================================

Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 7.
You are running an old vulnerable version of Java.
  • Go to Start > Control Panel > Add/Remove Programs.
  • Search for all previously installed versions of Java (J2SE Runtime Environment...) and delete them.
  • It/they should have this icon next to it/them: [image]
  • Then download and install the newest version, 1.5.07, from here.
=================================

Reboot one more time. Scan with HijackThis. Save the log.

=================================

Please post back:

Smitfraud log
Ewido log
log from sysclean
the fresh HijackThis log

Edited by amateur, 14 July 2006 - 11:28 AM.

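The indicators amateur reads off the HijackThis log above (the same value name registered under HKLM Run, HKLM RunServices and HKCU Run, a bare `system.exe` with no path, and startup programs living in folders like `C:\WINDOWS\inf` or `C:\My Downloads`) can be checked mechanically. The following Python script is an added example, not code from this thread or from HijackThis; the sample log is a constructed subset of the O4 lines posted in #1, and the reason codes and the list of suspicious directory fragments are my own choices. Its hits are leads for a human reader, not verdicts, since legitimate vendor entries (nwiz.exe, S3tray2.exe) also register by bare filename.

```python
"""Triage the O4 (autostart) lines of a HijackThis log.

Added example, not code from the BleepingComputer thread or from HijackThis.
It encodes three of the red flags the helper in the thread relied on:
  * the same value name registered in several Run locations (including the
    obsolete RunServices key), as with the three "System Kernal Support" lines;
  * a command that names a bare executable with no path, such as system.exe;
  * an executable living in a directory where startup programs do not belong.
Hits are leads for a human analyst, not verdicts.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [System Toolkit] C:\My Downloads\Norton Anti-Virus 2004 Reg-Code Generator (WORKING!!) (1).exe
O4 - HKLM\..\Run: [tcpvss] C:\WINDOWS\inf\tcpvss.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System Kernal Support] system.exe
O4 - HKLM\..\RunServices: [System Kernal Support] system.exe
O4 - HKCU\..\Run: [System Kernal Support] system.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
"""

# Registry-backed O4 lines: "O4 - <hive>\..\<key>: [<value name>] <command>".
# Global Startup (.lnk) lines use a different layout and are ignored here.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# Directory fragments (lower-case) that are my own choice of "not a program
# directory" locations, taken from the paths the helper told the poster to delete.
SUSPICIOUS_DIRS = ('\\inf\\', '\\temp\\', 'downloads\\', '\\desktop\\')

REASON_TEXT = {
    'bare_filename': 'no path: resolved through PATH search, cannot be verified from the log',
    'multiple_locations': 'same value name registered in more than one autostart location',
    'runservices_key': 'uses RunServices, a Win9x-era key rarely used by legitimate XP software',
    'unusual_directory': 'executable lives in a temp, download or driver-information directory',
}


def target_of(cmd: str) -> str:
    """Return the file the command actually loads.

    For rundll32 the artifact of interest is the DLL, so skip the host process.
    """
    cmd = cmd.strip()
    host = re.match(r'rundll32(?:\.exe)?\s+', cmd, re.I)
    if host:
        cmd = cmd[host.end():]
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths with spaces cannot be split unambiguously; if the whole
    # string is an .exe path, keep it.  Otherwise the path ends at the first
    # space or at the comma that introduces a rundll32 entry point.
    if cmd.lower().endswith('.exe'):
        return cmd
    return re.split(r'[,\s]', cmd, maxsplit=1)[0]


def parse_o4(log_text: str) -> list:
    """Parse the registry-backed O4 lines into dicts (hive, key, name, cmd, target)."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry['target'] = target_of(entry['cmd'])
            entries.append(entry)
    return entries


def triage(log_text: str) -> dict:
    """Map 'HIVE\\KEY [value name]' to the list of reason codes it triggers."""
    entries = parse_o4(log_text)
    locations = defaultdict(set)
    for e in entries:
        locations[e['name']].add(e['hive'] + '\\' + e['key'])

    findings = {}
    for e in entries:
        reasons = []
        target = e['target'].lower()
        if '\\' not in target:
            reasons.append('bare_filename')
        if len(locations[e['name']]) > 1:
            reasons.append('multiple_locations')
        if e['key'].lower() == 'runservices':
            reasons.append('runservices_key')
        if any(frag in target for frag in SUSPICIOUS_DIRS):
            reasons.append('unusual_directory')
        if reasons:
            findings[e['hive'] + '\\' + e['key'] + ' [' + e['name'] + ']'] = reasons
    return findings


if __name__ == '__main__':
    for where, reasons in triage(SAMPLE_LOG).items():
        print(where)
        for code in reasons:
            print('    ' + code + ': ' + REASON_TEXT[code])
```

Run against the sample, the three "System Kernal Support" lines, tcpvss and the "Reg-Code Generator" entry are reported, while bridge.dll passes untouched: a reminder that these heuristics complement, rather than replace, the eye of a human helper.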

#7 gnome86
  • Topic Starter
  • Members
  • 14 posts

Posted 14 July 2006 - 11:38 AM

Thank you very much. I'm working on it right now, but I couldn't seem to find SYSTEM SOAP PRO anywhere on my PC,
even when I did the Start>Run, type in appwiz.cpl?? Will this affect my "cleaning"?

#8 amateur
    Malware Fighter
  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 14 July 2006 - 11:46 AM

No, it won't. Carry on with the rest.

#9 amateur
    Malware Fighter
  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 16 July 2006 - 06:54 AM

Hi gnome86,

How is it going? I will be leaving on Thursday on a trip/holiday for a few weeks, and I am not sure if I'll be able to have access to the internet easily. I wouldn't like you to have to wait while I am gone. So, let's try to finish up as soon as possible. I am waiting for the results of the scans. Thanks.

#10 gnome86
  • Topic Starter
  • Members
  • 14 posts

Posted 19 July 2006 - 03:36 AM

OK, hopefully I did this all correctly. I was out of town for a few days, so sorry for the delay, but here are the logs.

Smitfraud log

SmitFraudFix v2.70

Scan done at 21:46:57.35, Tue 07/18/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{af3fd9a8-1287-4159-9212-9a5b4494af70}"="ecosystems"

[HKEY_CLASSES_ROOT\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}\InProcServer32]
@="blank"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}\InProcServer32]
@="blank"


Killing process



ewido log


+ Scan result:



C:\Documents and Settings\Owner\Desktop\Setup.exe -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\seekmo.exe -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temp\1802CA.tmp -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\3H6684P8\Setup[1].exe -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller.1 -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall5_48.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent -> Adware.Zango : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent.1 -> Adware.Zango : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent\CLSID -> Adware.Zango : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent\CurVer -> Adware.Zango : Cleaned with backup (quarantined).
C:\WINDOWS\system32\actskn45.ocx -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\x.cab/VMInstaller.exe -> Downloader.Small.ok : Cleaned with backup (quarantined).
C:\x.cab/VM.exe -> Hijacker.Small.dl : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqF.tmp\ld5557.tmp -> Not-A-Virus.Hoax.Win32.Renos.dv : Ignored.
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq2D.tmp\sepng.dll -> Not-A-Virus.PSWTool.Win32.EZula.bf : Ignored.
:mozilla.208:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.209:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.63:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.223:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.224:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.225:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.226:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.227:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.70:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.71:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.72:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.73:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.74:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.69:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.194:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.195:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.196:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.197:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.198:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.199:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.200:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.66:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.138:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.139:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.140:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.105:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.106:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.94:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.55:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.67:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.75:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.76:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.77:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.78:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.108:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.109:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.110:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.240:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.241:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.207:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.130:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.131:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.132:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.133:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.134:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.135:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.136:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.137:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.91:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.92:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.111:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.112:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.113:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.114:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.115:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.116:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o7nupp2m.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

SYSCLEAN

/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2006-07-16, 21:15:47, Auto-clean mode specified.
2006-07-16, 21:15:47, Running scanner "C:\Documents and Settings\Owner\Desktop\Sysclean\TSC.BIN"...
2006-07-16, 21:17:21, Scanner "C:\Documents and Settings\Owner\Desktop\Sysclean\TSC.BIN" has finished running.
2006-07-16, 21:17:21, TSC Log:

2006-07-16, 21:34:38, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Access is denied.
2006-07-16, 21:34:38, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Access is denied.
2006-07-16, 21:34:38, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2006-07-16, 21:34:38, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2006-07-16, 21:34:38, An error occurred while scanning file "C:\Documents and Settings\Owner\NTUSER.DAT": Access is denied.
2006-07-16, 21:34:38, An error occurred while scanning file "C:\Documents and Settings\Owner\ntuser.dat.LOG": Access is denied.
2006-07-16, 21:36:53, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2006-07-16, 21:36:53, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2006-07-16, 23:39:26, Operation was aborted.


/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2006-07-17, 02:51:23, Auto-clean mode specified.
2006-07-17, 02:51:23, Running scanner "C:\Documents and Settings\Owner\Desktop\Sysclean\TSC.BIN"...
2006-07-17, 02:51:46, Scanner "C:\Documents and Settings\Owner\Desktop\Sysclean\TSC.BIN" has finished running.
2006-07-17, 02:51:46, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : Mon Jul 17 2006 02:51:23

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Owner\Desktop\Sysclean\tsc.ptn" (version 758) [success]

Complete time : Mon Jul 17 2006 02:51:46
Execute pattern count(2883), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-07-17, 03:28:13, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Access is denied.
2006-07-17, 03:28:13, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Access is denied.
2006-07-17, 03:28:14, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2006-07-17, 03:28:14, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2006-07-17, 03:28:15, An error occurred while scanning file "C:\Documents and Settings\Owner\NTUSER.DAT": Access is denied.
2006-07-17, 03:28:15, An error occurred while scanning file "C:\Documents and Settings\Owner\ntuser.dat.LOG": Access is denied.
2006-07-17, 03:33:56, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2006-07-17, 03:33:56, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2006-07-17, 03:34:41, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_418.dat": Access is denied.
2006-07-17, 09:54:50, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\ACRORD32.EXE-15A396A1.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\ACTIVATION.EXE-1E1C168C.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\AIM.EXE-064777BB.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\ALCXMNTR.EXE-30324980.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\AUSERINIT.EXE-28C2885F.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\AUTHSPLASH.EXE-1C814CCF.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\AUTHSTART.EXE-07CDE025.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\AU_.EXE-1C9CCC17.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\CLEANMGR.EXE-31B430FE.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\COLOREAL.EXE-2C1E8913.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\DCOMCFG.EXE-087DDCEA.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\DEFRAG.EXE-2858C7E2.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\DFRGNTFS.EXE-38C3807C.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\DRWTSN32.EXE-01DDCF15.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\DUMPREP.EXE-0AF2BF67.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\DVPMGR.EXE-378494C3.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\DWWIN.EXE-2C373FB7.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\EWIDO.EXE-0A84FA31.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\EXPLORER.EXE-02121B1A.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\FIREFOX.EXE-06188867.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\FIREFOX.EXE-2A1B96AB.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\GLB1A2B.EXE-2AE44F1D.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\GORILL~1.SCR-2B2DD87D.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\GROAMER.EXE.TRANS-019150F0.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\HELPSVC.EXE-1C192440.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\HH.EXE-104606B2.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-1E7CC048.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\HKCMD.EXE-0F06AE14.pf": Access is denied.
2006-07-17, 10:13:09, Could not set file for reading on "C:\WINDOWS\Prefetch\HPSYSDRV.EXE-2AB39D03.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\HPZTSB10.EXE-0980E9BA.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\IEXPLORE.EXE-2D97EBE6.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\IMAPI.EXE-201490BB.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\IPODSERVICE.EXE-37043579.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\ITUNES.EXE-14FD3AEE.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\ITUNESHELPER.EXE-0A1B0F2C.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\I_VIEW32.EXE-24361997.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\JAVA.EXE-095FB4DF.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\JAVAW.EXE-05A55921.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\JAVAW.EXE-2D38EF8E.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\LAUNCHER.EXE-16492439.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\Layout.ini": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\LOGON.SCR-24ADF392.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\LOGONUI.EXE-312BE1BF.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\MMC.EXE-55643954.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\MONEY EXPRESS.EXE-01809D84.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\MSIEXEC.EXE-330626DC.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-2F2D61E1.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\NWIZ.EXE-2D374245.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\PATCHJRE.EXE-3776ACB8.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\PRISM.EXE-0825F939.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\QTTASK.EXE-1876A1A1.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\REALPLAY.EXE-05411014.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\REALSCHED.EXE-0948A6AF.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\RECGUARD.EXE-16078673.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-44D2B0C6.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-4532DDE6.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-4620BF69.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-46B148F1.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-48691B0E.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-61254C57.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-64980858.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-6E8D4657.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\S3TRAY2.EXE-182DD1C4.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SEEKMO.EXE-06D84EF6.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SEEKMO.EXE-30B4AAFE.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SEEKMO~1.EXE-05DB7D0E.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SETUP.EXE-26858E40.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SETUP[1].EXE-061C869B.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SLSK.EXE-350ABE54.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SNDVOL32.EXE-0EC6FD20.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN(2).COM-10DAC819.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN(3).COM-04F1EA63.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.COM-2AD83BC3.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.EXE-0EAD1CE9.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.EXE-1BF2E037.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\TSL2C9.TMP-3A19DA47.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UNINS000.EXE-117EDF90.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UNINSTALL.EXE-06311A39.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UNPACK200.EXE-36D1F174.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UNREGAAW.EXE-29870057.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UNWISE.EXE-28BD7249.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\VERCLSID.EXE-28F52AD2.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WGATRAY.EXE-350D4455.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIPRVSE.EXE-0D449B4F.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WMPLAYER.EXE-1ACCF805.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WMPLAYER.EXE-1ACCF807.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WMPLAYER.EXE-1ACCF80B.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WSCNTFY.EXE-0B14C27D.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WTLIB.EXE-0C55B7ED.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\XPINSTALL.EXE-24A3B1D2.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\ZIPPER.EXE-32463E9A.pf": Access is denied.
2006-07-17, 10:13:10, Could not set file for reading on "C:\WINDOWS\Prefetch\_IU14D2N.TMP-34626922.pf": Access is denied.
2006-07-17, 10:20:32, An error occurred while scanning file "C:\WINDOWS\system32\config\default": Access is denied.
2006-07-17, 10:20:32, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Access is denied.
2006-07-17, 10:20:32, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Access is denied.
2006-07-17, 10:20:32, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
2006-07-17, 10:20:33, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Access is denied.
2006-07-17, 10:20:33, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Access is denied.
2006-07-17, 10:20:33, An error occurred while scanning file "C:\WINDOWS\system32\config\software": Access is denied.
2006-07-17, 10:20:33, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Access is denied.
2006-07-17, 10:20:33, An error occurred while scanning file "C:\WINDOWS\system32\config\system": Access is denied.
2006-07-17, 10:20:33, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Access is denied.
2006-07-17, 10:26:18, Could not set file for reading on "C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx": Access is denied.
2006-07-17, 10:28:28, Running scanner "C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN"...
2006-07-17, 11:56:43, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 7/17/2006 10:28:36
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 569 (119838 Patterns) (2006/07/13) (356900)
Command Line: C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\Sysclean

58402 files have been read.
58402 files have been checked.
52844 files have been scanned.
121186 files have been scanned. (including files in archived)
1 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/17/2006 11:56:43
---------*---------*---------*---------*---------*---------*---------*---------*
2006-07-17, 11:56:43, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 7/17/2006 10:28:36
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 569 (119838 Patterns) (2006/07/13) (356900)
Command Line: C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\Sysclean

Success Clean [ TROJ_SMALL.KU]( 1) from C:\x.cab,(VM.exe)
58402 files have been read.
58402 files have been checked.
52844 files have been scanned.
121186 files have been scanned. (including files in archived)
1 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/17/2006 11:56:43 1 hour 27 minutes 56 seconds (5275.58 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-07-17, 11:56:43, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 7/17/2006 10:28:36
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 569 (119838 Patterns) (2006/07/13) (356900)
Command Line: C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\Sysclean

58402 files have been read.
58402 files have been checked.
52844 files have been scanned.
121186 files have been scanned. (including files in archived)
1 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/17/2006 11:56:43 1 hour 27 minutes 56 seconds (5275.58 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-07-17, 11:56:43, Scanner "C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN" has finished running.
2006-07-17, 11:57:52, Running scanner "C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN"...
2006-07-17, 12:04:27, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 7/17/2006 11:57:53
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 569 (119838 Patterns) (2006/07/13) (356900)
Command Line: C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Owner\Desktop\Sysclean

9254 files have been read.
9254 files have been checked.
8594 files have been scanned.
14934 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/17/2006 12:04:27
---------*---------*---------*---------*---------*---------*---------*---------*
2006-07-17, 12:04:27, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 7/17/2006 11:57:53
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 569 (119838 Patterns) (2006/07/13) (356900)
Command Line: C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Owner\Desktop\Sysclean

9254 files have been read.
9254 files have been checked.
8594 files have been scanned.
14934 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/17/2006 12:04:27 6 minutes 23 seconds (383.45 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-07-17, 12:04:27, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 7/17/2006 11:57:53
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 569 (119838 Patterns) (2006/07/13) (356900)
Command Line: C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Owner\Desktop\Sysclean

9254 files have been read.
9254 files have been checked.
8594 files have been scanned.
14934 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/17/2006 12:04:27 6 minutes 23 seconds (383.45 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-07-17, 12:04:27, Scanner "C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN" has finished running.


and HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:33:33 AM, on 7/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [workflo] E:\install\workflow.exe
O4 - HKLM\..\Run: [workflow] E:\install\workflow.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


THANKS AGAIN!!

#11 amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 19 July 2006 - 07:55 AM

Hi,

HiJackThis.exe is still not in its own folder. Please move HijackThis.exe into a folder of its own as described in my first post.

It's looking much much better. How is the computer running?

Smitfraud log seems to be cut off. Can you please post the complete log? You should be able to find it at C:\rapport.txt. Please do not run Option #2 again, though.

================================================

The following entries indicate some restriction on the IE/Control Panel access rights. Unless that is intentional by an administrator or program like Spybot or StartPage Guard, maybe even Cox in your case, you can check those lines and Fix them in HJT, if you wish. If you have Spybot, open Spybot > Click on Mode (toolbar) and select Advanced, if it's not already selected > In left pane, click on Tools > IE Tweaks > In the right pane, please uncheck both Lock IE startpage and Lock IE control panel, if you find them checked > OK your way out, close Spybot & reboot. Make sure that Ewido Resident Shield is set to "inactive" prior to fixing them with HijackThis.

Scan with HT. If you find the below O6 options still listed, check each of them, click on FIX CHECKED, close HT & reboot. (All other browsers/windows must be closed)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


================================================

I would like to have you run Ewido again, this time in Normal Mode. Remember to update it prior to scanning.

================================================

Also another online scan would be good.

Run an online scan at Panda's ActiveScan
  • Please go here and perform a full system scan. (use Internet Explorer)
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the big Check Now button.
  • Enter your Country.
  • Enter your State/Province.
  • Enter your Valid Email and click send.
  • Select either Home User or Company.
  • Click the big Scan Now button.
  • If it wants to install an ActiveX component allow it.
  • It will start downloading the files it requires for the scan.
  • Click on Local Disks to start the scan.
  • Once finished, click see report, then click Save report and save it to your desktop.
NOTE: Please ignore any entry it finds and the offer to buy the program to remove the entry.

Please post back a fresh HijackThis log, Ewido log and the Panda online scan results.
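As an added example (not part of the thread, and not code from HijackThis itself), the following Python triage pass reads lines in HijackThis 1.99.1 log format and flags the three entry classes discussed above: a non-default F2 UserInit value, O6 Internet Explorer policy restrictions, and O23 services whose binary is reported missing. The sample lines are constructed from entries quoted earlier in the thread; the default UserInit path used for comparison is the standard Windows XP value.

```python
import re

# Constructed sample in HijackThis 1.99.1 log format; entries mirror those
# quoted in the thread (paths shown exactly as the log prints them).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Every HJT entry starts with a type code (R0, F2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<type>[FORN]\d+) - (?P<body>.*)$")

# Stock Windows XP value of HKLM\...\Winlogon\UserInit (trailing comma dropped).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_entries(text):
    """Split a HijackThis log into (type, body) tuples, ignoring non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def triage(text):
    """Return review notes for the entry classes the thread discusses."""
    notes = []
    for etype, body in parse_entries(text):
        if etype == "F2" and "UserInit=" in body:
            # Normalise case and the trailing comma Windows appends to this value.
            value = body.split("UserInit=", 1)[1].strip().rstrip(",").lower()
            if value != DEFAULT_USERINIT:
                notes.append(f"F2: non-default UserInit {value!r} (default is userinit.exe)")
        elif etype == "O6":
            # Policy keys restricting IE/Control Panel; legitimate only if set on purpose.
            notes.append(f"O6: IE policy restriction present: {body}")
        elif etype == "O23" and "(file missing)" in body:
            # A registered service whose executable is gone is a leftover to review.
            notes.append(f"O23: service points at missing binary: {body}")
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG):
        print(note)
```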

