Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ps Forgot To Metion


  • Please log in to reply
8 replies to this topic

#1 ekih

ekih

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:36 AM

Posted 13 August 2006 - 12:54 AM

Hi there
Having some problems with my laptop. Seems that I have infected my laptop with something when I was using Limewire. Limewire was restarting itself all the time. I have since uninstalled it but still have problems. Things like not being able to start taskmgr, regedit, command prompt etc. When trying to go to windows update page I am redirected. I have had a workaround on the taskmgr and have looked at the processes and have not seen anything using up the cpu usage.
I have gone through the "Preparation Guide for use before posting a HijackThis Log" I have done the best I could with it.
I am posting my Hijack log in hopes that I can get some help in what to do.
thanks
J
PS forgot to metion that I can't boot into safe mode.

Logfile of HijackThis v1.99.1
Scan saved at 9:31:40 PM, on 8/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\CatPC\CatSYS\CatSystemSvc.exe
C:\Program Files\Siemens\CAT Bulletin Board\CBBS.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\TEMP\BMBB3B.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Siemens\CAT Bulletin Board\CBB.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\OfficeScan NT\Pccntmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Siemens\Card API\bin\siecacst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CryptoEx\Common\CexTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CryptoEx\Common\EASServer.exe
C:\Interwise\Student\pull.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\ZyAIR B-122 Utility\ZyAIR.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\lxbscoms.exe
C:\Documents and Settings\gossj.CA001\Desktop\Utilites\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.siemens.net/cgi-bin/iesearch.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.siemens.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Siemens Building Technologies, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://arnold.siemens.ca/scanproxy.pac
F2 - REG:system.ini: UserInit=CatUInit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ChangerBHO Class - {0D4C7057-EAD2-44C6-AD18-9092905F28F1} - C:\WINDOWS\system32\acctress.dll
O2 - BHO: SpoofBHO Class - {385066e0-23f3-11db-a98b-0800200c9a66} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: ContextualAds Class - {FE6C16C4-16AD-47B6-B250-26AD1829E49A} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SIECACST] C:\Program Files\Siemens\Card API\bin\siecacst.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Migrator] "C:\Program Files\CryptoEx\Migrator\Migrator.exe" -StartUp
O4 - HKLM\..\Run: [CryptoExTrayV3] "C:\Program Files\CryptoEx\Common\CexTray.exe" /ShowTrayIcon
O4 - HKCU\..\Run: [CatUserRun] wscript.exe "C:\Program Files\CatPC\CatLogon\CatUserRun.vbe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Push Client.LNK = C:\Interwise\Student\pull.exe
O4 - Global Startup: svchost.exe
O4 - Global Startup: ZyAIR B-122 Utility.lnk = C:\Program Files\ZyAIR B-122 Utility\ZyAIR.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.siemens.ca
O15 - Trusted Zone: *.extremelearning.com
O15 - Trusted Zone: *.resources.hewitt.com
O15 - Trusted Zone: *.netglearning.com
O15 - Trusted Zone: *.sap-ag.de
O15 - Trusted Zone: *.sap.com
O15 - Trusted Zone: *.sap-ag.de (HKLM)
O15 - Trusted Zone: *.sap.com (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155443131007
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...805/mcfscan.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca001.siemens.net
O17 - HKLM\Software\..\Telephony: DomainName = ca001.siemens.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ca001.siemens.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ca001.siemens.net
O20 - Winlogon Notify: CexTrayWinLogon - C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CatSystem (CatSystemSvc) - Siemens AG - C:\WINDOWS\CatPC\CatSYS\CatSystemSvc.exe
O23 - Service: CAT Bulletin Board (CBBS) - Unknown owner - C:\Program Files\Siemens\CAT Bulletin Board\CBBS.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe
O23 - Service: Quest Resource Updating Agent (Vmover.exe) - Quest Software - C:\WINDOWS\System32\Vmover.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

BC AdBot (Login to Remove)

 


#2 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:36 PM

Posted 13 August 2006 - 06:32 PM

Please only post in THIS topic! The other ones are removed. Please use the Posted Image to reply. Thanks.

Download: DelDomains.inf
  • Locate DelDomains.inf
  • Right-click and select "Install"
Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

Please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon Posted Image and select alcanshorty.bfu
  • Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot back into normal windows.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

Edited by didom, 13 August 2006 - 06:32 PM.


#3 ekih

ekih
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:36 AM

Posted 14 August 2006 - 09:15 AM

Done didn't have any problems with doing what you askec.



Incident Status Location

Adware:adware/emediacodec Not disinfected c:\documents and settings\all users\desktop\Security Troubleshooting.url
Adware:adware/securityerror Not disinfected C:\Documents and Settings\gossj.CA001\Favorites\Antivirus Test Online.url
Adware:adware/spywarequake Not disinfected c:\windows\system32\1024\ld1470.tmp
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\Program Files\OfficeScan NT\PSKILL.EXE
Virus:W32/Gaobot.MJA.worm Disinfected C:\WINDOWS\b.exe
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\Installer\13baaa.msi[unk_0040]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\Installer\68bd78.msi[unk_0041]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\Installer\a9cd873.msi[unk_0056]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\system32\cscripts\pskill.exe



Logfile of HijackThis v1.99.1
Scan saved at 7:09:37 AM, on 8/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\CatPC\CatSYS\CatSystemSvc.exe
C:\Program Files\Siemens\CAT Bulletin Board\CBBS.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\TEMP\TK739C.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Siemens\CAT Bulletin Board\CBB.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\OfficeScan NT\Pccntmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Siemens\Card API\bin\siecacst.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CryptoEx\Common\CexTray.exe
C:\Program Files\CryptoEx\Common\EASServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Interwise\Student\pull.exe
C:\Program Files\ZyAIR B-122 Utility\ZyAIR.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Documents and Settings\gossj.CA001\Desktop\Utilites\HijackThis.exe
C:\Documents and Settings\gossj.CA001\Desktop\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://search.siemens.net/cgi-bin/iesearch.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://intranet.siemens.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Siemens Building

Technologies, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL =

http://arnold.siemens.ca/scanproxy.pac
F2 - REG:system.ini: UserInit=CatUInit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ChangerBHO Class - {0D4C7057-EAD2-44C6-AD18-9092905F28F1} -

C:\WINDOWS\system32\acctress.dll
O2 - BHO: SpoofBHO Class - {385066e0-23f3-11db-a98b-0800200c9a66} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} -

C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} -

C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: ContextualAds Class - {FE6C16C4-16AD-47B6-B250-26AD1829E49A} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\Pccntmon.exe"

-HideWindow
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LXBSCATS] rundll32

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SIECACST] C:\Program Files\Siemens\Card API\bin\siecacst.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator

5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Migrator] "C:\Program Files\CryptoEx\Migrator\Migrator.exe" -StartUp
O4 - HKLM\..\Run: [CryptoExTrayV3] "C:\Program Files\CryptoEx\Common\CexTray.exe"

/ShowTrayIcon
O4 - HKCU\..\Run: [CatUserRun] wscript.exe "C:\Program Files\CatPC\CatLogon\CatUserRun.vbe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN

Client\vpngui.exe
O4 - Global Startup: Push Client.LNK = C:\Interwise\Student\pull.exe
O4 - Global Startup: ZyAIR B-122 Utility.lnk = C:\Program Files\ZyAIR B-122

Utility\ZyAIR.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -

C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.siemens.ca
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -

http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -

http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftupdat..._site.cab?11554

43131007
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program

Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program

Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -

http://download.mcafee.com/molbin/iss-loc/...805/mcfscan.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program

Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca001.siemens.net
O17 - HKLM\Software\..\Telephony: DomainName = ca001.siemens.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ca001.siemens.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ca001.siemens.net
O20 - Winlogon Notify: CexTrayWinLogon - C:\Program

Files\CryptoEx\Common\CexTrayWinLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CatSystem (CatSystemSvc) - Siemens AG -

C:\WINDOWS\CatPC\CatSYS\CatSystemSvc.exe
O23 - Service: CAT Bulletin Board (CBBS) - Unknown owner - C:\Program Files\Siemens\CAT

Bulletin Board\CBBS.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program

Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program

Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program

Files\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program

Files\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program

Files\Spyware Doctor\sdhelp.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program

Files\OfficeScan NT\tmlisten.exe
O23 - Service: Quest Resource Updating Agent (Vmover.exe) - Quest Software -

C:\WINDOWS\System32\Vmover.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner -

C:\WINDOWS\System32\wltrysvc.exe

#4 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:36 PM

Posted 14 August 2006 - 09:27 AM

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Don't use it yet.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are thef only things checked.
  • Press OK to remove them.
Stay in Safe Mode and open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process, you can close it - the file has already been saved.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
I need you to post a new log single spaced as it makes things easier to read:

To remove the double spacing in your log, please do the following:
  • Please go to Start >> Run... and type notepad.exe
  • Hit OK.
  • Now go to Format and uncheck WordWrap.
  • Close Notepad.

Finally, please post the contents of the text file that opened earlier (you can find it at C:\rapport.txt ), along with a new HijackThis log and the contents of the ActiveScan report.

Warning : running option #2 on a non infected computer will remove your Desktop background.

#5 ekih

ekih
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:36 AM

Posted 15 August 2006 - 01:00 AM

Activescan.txt

Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\gossj.CA001\Cookies\gossj@atdmt[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\gossj.CA001\Desktop\New Folder\New Folder\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\gossj.CA001\Desktop\New Folder\New Folder\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\Program Files\OfficeScan NT\PSKILL.EXE
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\Installer\13baaa.msi[unk_0040]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\Installer\68bd78.msi[unk_0041]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\Installer\a9cd873.msi[unk_0056]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\system32\cscripts\pskill.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe



Logfile of HijackThis v1.99.1
Scan saved at 10:49:30 PM, on 8/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\CatPC\CatSYS\CatSystemSvc.exe
C:\Program Files\Siemens\CAT Bulletin Board\CBBS.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
C:\WINDOWS\TEMP\JJ8E98.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Siemens\CAT Bulletin Board\CBB.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\OfficeScan NT\Pccntmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Siemens\Card API\bin\siecacst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CryptoEx\Common\CexTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CryptoEx\Common\EASServer.exe
C:\Interwise\Student\pull.exe
C:\Program Files\ZyAIR B-122 Utility\ZyAIR.exe
C:\WINDOWS\system32\lxbscoms.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\gossj.CA001\Desktop\Utilites\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Siemens Building Technologies, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://arnold.siemens.ca/scanproxy.pac
F2 - REG:system.ini: UserInit=CatUInit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpoofBHO Class - {385066e0-23f3-11db-a98b-0800200c9a66} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SIECACST] C:\Program Files\Siemens\Card API\bin\siecacst.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Migrator] "C:\Program Files\CryptoEx\Migrator\Migrator.exe" -StartUp
O4 - HKLM\..\Run: [CryptoExTrayV3] "C:\Program Files\CryptoEx\Common\CexTray.exe" /ShowTrayIcon
O4 - HKCU\..\Run: [CatUserRun] wscript.exe "C:\Program Files\CatPC\CatLogon\CatUserRun.vbe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Push Client.LNK = C:\Interwise\Student\pull.exe
O4 - Global Startup: ZyAIR B-122 Utility.lnk = C:\Program Files\ZyAIR B-122 Utility\ZyAIR.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.siemens.ca
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155443131007
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...805/mcfscan.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca001.siemens.net
O17 - HKLM\Software\..\Telephony: DomainName = ca001.siemens.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ca001.siemens.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ca001.siemens.net
O20 - Winlogon Notify: CexTrayWinLogon - C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CatSystem (CatSystemSvc) - Siemens AG - C:\WINDOWS\CatPC\CatSYS\CatSystemSvc.exe
O23 - Service: CAT Bulletin Board (CBBS) - Unknown owner - C:\Program Files\Siemens\CAT Bulletin Board\CBBS.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe
O23 - Service: Quest Resource Updating Agent (Vmover.exe) - Quest Software - C:\WINDOWS\System32\Vmover.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



SmitFraudFix v2.81

Scan done at 7:51:52.65, Mon 08/14/2006
Run from C:\Documents and Settings\gossj.CA001\Desktop\New Folder\New Folder\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#6 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:36 PM

Posted 15 August 2006 - 06:12 AM

Please fix this item:

O2 - BHO: SpoofBHO Class - {385066e0-23f3-11db-a98b-0800200c9a66} - (no file)

Then reboot your computer and tell me how your computer is running..

#7 ekih

ekih
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:36 AM

Posted 15 August 2006 - 09:47 AM

I don't understand what you want me to do?

I figured it out.
I will let you know.

Edited by ekih, 15 August 2006 - 12:30 PM.


#8 ekih

ekih
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:36 AM

Posted 15 August 2006 - 06:29 PM

I have done what you said, after reboot I ran Adaware, Spybot and Panda in that order. Adaware picked up a couple of things, Spybot ran clean and I have pasted Panda's log. Should I do anything else in regards to Panda's log?
Everything seems as normal now.
Thank you much.
J


Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\gossj.CA001\Desktop\New Folder\New folder\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\gossj.CA001\Desktop\New Folder\New Folder\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\Program Files\OfficeScan NT\PSKILL.EXE
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\Installer\13baaa.msi[unk_0040]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\Installer\68bd78.msi[unk_0041]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\Installer\a9cd873.msi[unk_0056]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\system32\cscripts\pskill.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

#9 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:36 PM

Posted 16 August 2006 - 05:16 PM

Now the files Panda has found are false postitives.

This log looks clean!
  • Don't forget to re-hide all files and folders. To re-hide all files and folders:
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading deselect "Show hidden files and folders".
    • Check the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
  • This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

    Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

    Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protects your computer.

    This can be accessed by going to http://windowsupdate.microsoft.com and following the prompts. If you are running Windows XP make sure you get updated to SP-2!!

    Please post back if you are still having any problems....

    Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users