
Your Computer Is In Danger! (bravesentry)


10 replies to this topic

#1 qknot


Posted 23 September 2006 - 10:57 PM

Hi, I have a virus on my XP laptop that causes a recent warning message: "Your computer is in Danger!" I followed the instructions "Preparation Guide for use before posting a HijackThis Log" and scanned with McAfee Anti-virus, Ad-Aware, Spybot, Housecall Anti Virus and McAfee AVERT Stinger. The only one that found any issues was Spybot. It found Bravesentry and about 4 other viruses and allowed me to fix them. Unfortunately, when I re-boot my machine and run IE 6.0, the warning message re-appears. Again, Spybot is the only one that finds anything, and it finds that Bravesentry is back. I fix Bravesentry and the process repeats every time I re-boot. This happened about 4 times. The last time, Bravesentry re-appeared with a new virus, HITBOX. I fixed them both and re-booted. Now the warning message re-appears, but Spybot is not able to identify any problems. Also, I've installed the Sygate firewall.

I'm using a DELL Latitude d600 laptop with Windows XP Pro v.5.1, Service Pack 2, IE 6.0 and a newly installed Sygate firewall. Below is a copy of my HijackThis file.

Any help would be appreciated.
Thanks in advance,
Tim


Logfile of HijackThis v1.99.1
Scan saved at 8:13:03 PM, on 9/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\oracle\ora92\BIN\TNSLSNR.exe
d:\oracle\ora92\bin\ORACLE.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Uninstall.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: SpoofStick BHO - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} - C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll
O2 - BHO: (no name) - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [test] C:\WINDOWS\EDialers\1-1-1-2-test-.exe !m
O4 - HKLM\..\Run: [Wminfo] c:\windows\system32\wminfo.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\[username]\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Handspring\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Uninstall.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: WWW.CONFARCHIVES.COM
O15 - Trusted Zone: http://www.evite.com
O15 - Trusted Zone: WWW.FOXEXCHANGE.COM
O15 - Trusted Zone: http://swc.palmone.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://[company name]/includes/CfxIEAx.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/12097183ae273f...ip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158591599762
O16 - DPF: {C0A63B86-4B21-11D3-BD95-D426EF2C7949} (:-) VideoSoft FlexGrid 7.0 (Light)) - http://[company name]/includes/vsflex7L.cab
O16 - DPF: {CCA6CE4C-2199-4A4F-9542-12E0163D6841} (Dialer Class) - http://sessa.isprime.com:81/tel2net/CABEDialer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = [company name]
O17 - HKLM\Software\..\Telephony: DomainName = [company name]
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = [company name]
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = [company name]
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows NT/2000 (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\SYSTEM32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - D:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - D:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - D:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome92PagingServer - Unknown owner - D:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - D:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - D:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - D:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceTOTEST - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)


#2 DaveM59


Posted 26 September 2006 - 09:16 AM

Hi Gknot and welcome to Bleeping Computer. :thumbsup:

I will be helping you clean your computer, under the guidance of one of our expert coaches.

Please give me a little time to analyze your log. I will get back to you soon with instructions.

Cheers,
Dave

#3 DaveM59


Posted 27 September 2006 - 08:09 AM

Hi again GKnot,

Before we begin I need to ask you about several lines in your HJT log. As one example, this line

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = [company name]

has the phrase "company name" where I would expect an actual IP address or a domain name. I also see "user name" in one line. I have assumed these are edits you made in an effort to protect your privacy. If so, that's fine; I don't need to know that information. But if you have not edited the log, then I need to know that.

I would also like to know about the O15 lines in your log. The general rule is never to put web sites in the Trusted Zone unless that is the only way that you can access them. One entry (evite.com) does not, I am fairly sure, meet this criterion. About the others, I need your input. If you do not know why they are there, please try to find out for me. If you do know, let me know.

Now, let's get started.



Step 1. Unhide files and folders

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and close out My Computer.
9. Now your computer is configured to show all hidden files.

Step 2. Scan for Gromozon rootkit -- this is a precaution, we don't know that you have this.

Please download http://download.bleepingcomputer.com/grinler/dumpwin.zip and save it to your desktop.

Once the file has completed downloading, extract the file by right-clicking on it and selecting Extract all. Then keep pressing the Next button until you see the Finished button. Now click on the Finished button.

A folder should have opened. Now double-click on the dumpwin folder and then double-click on the dumpwin.bat file. When it has completed it will have opened a notepad. Save that Notepad file to your desktop as I will want you to post it later, but for now proceed to the next step.



Step 3. SmitfraudFix Scan

Please download SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm



Step 4. Get back to me with the results

Open HijackThis and run a scan. Please post that log, along with the Smitfraudfix and Dumpwin reports, to a reply here along with your answers to my questions. When I have analyzed the information I will post back with more instructions.


Dave

#4 qknot


Posted 27 September 2006 - 11:24 AM

Hi Dave, Thanks for your time. Please find below the information you requested.


ANSWERS TO YOUR QUESTIONS...

Yes, I edited the domain and user name lines in my hijackthis log to protect my privacy.

Yes, I added the following web sites to my list of trusted zones, the O15 lines. I have a pop-up blocker that prevented me from viewing these sites. I found that if I added these sites to the trusted list, I could view them. They are not critical, and if it is for safety, I would prefer to delete these entries.

O15 - Trusted Zone: WWW.CONFARCHIVES.COM
O15 - Trusted Zone: http://www.evite.com
O15 - Trusted Zone: WWW.FOXEXCHANGE.COM
O15 - Trusted Zone: http://swc.palmone.com


HERE ARE THE RESULTS FROM DUMPWIN...

REGEDIT4

[Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710


HERE ARE THE RESULTS FROM SMITFRAUDFIX...

SmitFraudFix v2.100

Scan done at 9:00:40.55, Wed 09/27/2006
Run from C:\unzipped\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

H:\


C:\WINDOWS

C:\WINDOWS\xpupdate.exe FOUND !

C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\touimet


C:\Documents and Settings\touimet\Application Data

C:\Documents and Settings\touimet\Application Data\Install.dat FOUND !

Start Menu


C:\DOCUME~1\touimet\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End


HERE ARE THE RESULTS FROM HIJACKTHIS...

Logfile of HijackThis v1.99.1
Scan saved at 9:17:14 AM, on 9/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\oracle\ora92\BIN\TNSLSNR.exe
d:\oracle\ora92\bin\ORACLE.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\xpupdate.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: SpoofStick BHO - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} - C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll
O2 - BHO: (no name) - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [test] C:\WINDOWS\EDialers\1-1-1-2-test-.exe !m
O4 - HKLM\..\Run: [Wminfo] c:\windows\system32\wminfo.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\[USER NAME]\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Handspring\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Uninstall.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: WWW.CONFARCHIVES.COM
O15 - Trusted Zone: http://www.evite.com
O15 - Trusted Zone: WWW.FOXEXCHANGE.COM
O15 - Trusted Zone: http://swc.palmone.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://[DOMAN NAME]/includes/CfxIEAx.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/12097183ae273f...ip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158591599762
O16 - DPF: {C0A63B86-4B21-11D3-BD95-D426EF2C7949} (:-) VideoSoft FlexGrid 7.0 (Light)) - http://[DOMAIN NAME]/includes/vsflex7L.cab
O16 - DPF: {CCA6CE4C-2199-4A4F-9542-12E0163D6841} (Dialer Class) - http://sessa.isprime.com:81/tel2net/CABEDialer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = [DOMAIN NAME]
O17 - HKLM\Software\..\Telephony: DomainName = [DOMAIN NAME]
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = [DOMAIN NAME]
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = [DOMAIN NAME]
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows NT/2000 (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\SYSTEM32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - D:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - D:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - D:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome92PagingServer - Unknown owner - D:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - D:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - D:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - D:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceTOTEST - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

#5 DaveM59

DaveM59

    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 28 September 2006 - 11:57 AM

Hi again Gknot,

First thing, before we clean up your computer, we need you to submit a file for analysis. This will be a great help to the developer of the Smitfraudfix tool, which he must constantly update to keep abreast of the latest mutations in that far-flung malware family.

Before submitting, please be sure that you have Windows set to show all files. I asked you to do this in my last post; if you have since put those settings back to their defaults, please go through that step again.

Then click on the following link:

http://www.bleepingcomputer.com/submit-mal....php?channel=12

Please fill out all the requested information, browse to the following files in bold and click the Submit File button:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Uninstall.exe

Now as to your situation:

Thanks for the clarifications. We try to respect people's privacy here at Bleeping Computer and I understand why you might want to edit the logfile as you did. I have to tell you upfront that one of the steps in your fix involves the use of a powerful antispyware program called Ewido. In order to confirm that your computer has been cleaned, I will need to see a logfile from that program. Unfortunately (or not) it is very thorough and generates a long report, including many lines from the C:\documents and settings\username\ folder, and other paths that may have your username in them. You can certainly edit the file before submitting but it won't be a five minute job. If you edit the file be sure not to delete any lines, just substitute [user name] or [company name] as you did for your HJT log.

Regarding the O15s, there is a strong argument to be made that it is a bad idea to give any website the kind of free access to your system that the Trusted Zone implies. I suggest you look into your popup blocker application and see if there is not some intermediate setting that would enable you to view these sites without giving them permission to load files onto your computer and run them without your approval (which is what trusted zone sites can do). Ultimately it's your choice, but I have put the O15s on the list of lines to be fixed. If you want, you can just leave them out when you do the HijackThis fix.

One piece of good news (if you didn't guess it by the log file) is that you do not have Gromozon. Just garden variety malware :thumbsup:

Let's continue with cleaning your computer.


Step 1. Disable real-time antispyware programs and download Ewido and ATF Cleaner


We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.


For the same reason, you also need to disable Spybot's Tea Timer:
  • Open Spybot, and on the top menu bar, select Mode, then on the menu that opens, select Advanced.
  • New options will appear on the left-side panel. Click on the "+" next to Tools, then click on Resident.
  • On the right hand panel, uncheck the box marked Resident "Tea Timer" Active.
  • Close the program.

Same speech: you can re-activate Tea Timer after your computer is clean. To do this, just follow these steps again and put a check mark in the box.


Next, download ewido anti-spyware from HERE and save that file to your desktop.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the "Update" icon then click "Start Update". The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
Now close Ewido. Do not run it yet.


Finally, use the link on this page to download ATFCleaner. The program requires no installation; just save it to your desktop. You will use it later.



Step 2. Smitfraudfix cleaning

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.



Step 3. Run ewido in safe mode

Reboot into safe mode.
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"
  • Ewido will now begin the scanning process, be patient this may take a little time.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it should automatically set the recommended action to Quarantine; if not, click on Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close ewido.
Step 4. HijackThis fix (still in safe mode)

Open HijackThis and run a scan. Place a check next to the following lines, if found (do not be concerned if some are missing):

O2 - BHO: (no name) - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - (no file)
O4 - HKLM\..\Run: [test] C:\WINDOWS\EDialers\1-1-1-2-test-.exe !m
O4 - HKLM\..\Run: [Wminfo] c:\windows\system32\wminfo.exe
O4 - Global Startup: Uninstall.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O15 - Trusted Zone: WWW.CONFARCHIVES.COM
O15 - Trusted Zone: http://www.evite.com
O15 - Trusted Zone: WWW.FOXEXCHANGE.COM
O15 - Trusted Zone: http://swc.palmone.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/12097183ae273f...ip/RdxIE601.cab
O16 - DPF: {CCA6CE4C-2199-4A4F-9542-12E0163D6841} (Dialer Class) - http://sessa.isprime.com:81/tel2net/CABEDialer.cab

Now, make sure all other windows on your desktop are closed, then select Fix Checked. Then close HijackThis.


Step 5. Delete files and folders in safe mode


Use Windows Explorer to navigate to the following and delete if found:

C:\WINDOWS\EDialers (folder)
c:\windows\system32\wminfo.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Uninstall.exe
C:\Windows\xpupdate.exe

Step 6. Take out the Trash

Double-click the ATFCleaner icon on your desktop to launch the program. For this first run, check the select all box on the main page, then click Empty selected. Then, if you use Firefox or Opera, click on the appropriate tab and repeat the same drill.



Step 7. Reboot into Normal mode and get back to me

Reboot the computer into normal mode.

Run another HijackThis scan, and post that log, along with the Ewido log and the Smitfraudfix report, to a reply here. Also please let me know how the computer is running.

Good luck--
Dave
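Reading a HijackThis log by hand, as the post above does, means scanning each section for the few entries worth fixing. The following Python script is an added example, not part of Dave's post and not HijackThis's own code: it parses the "Onn - ..." entry format and applies a handful of simple triage rules that mirror what the fix list above targets: O2 BHOs reported as "(no file)", O4 run entries whose executable sits directly in the Windows root or has no path at all, every O15 Trusted Zone entry (the post explains why those deserve scrutiny), O16 ActiveX downloads from hosts outside a small allowlist, and O23 services whose binary is missing. The sample lines are constructed from the logs in this thread; the allowlist of CAB hosts and the heuristics are my assumptions and deliberately conservative, so a flagged entry is a prompt to look, not a verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of HijackThis v1.99 lines taken from the logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Wminfo] c:\windows\system32\wminfo.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - Global Startup: Uninstall.exe
O15 - Trusted Zone: http://www.evite.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {CCA6CE4C-2199-4A4F-9542-12E0163D6841} (Dialer Class) - http://sessa.isprime.com:81/tel2net/CABEDialer.cab
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
"""

# Assumption: hosts from which an ActiveX CAB download is considered expected on this machine.
TRUSTED_CAB_HOSTS = ("microsoft.com", "windowsupdate.com")

# HijackThis entries look like "O4 - <body>" (R0/R1/F lines share the shape).
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# An .exe placed directly in the Windows root rather than in a subfolder (heuristic, assumption).
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


def parse_hjt(text):
    """Return a list of (section, body) tuples for every entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def is_allowed_host(host):
    """True if host is one of the allowlisted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_CAB_HOSTS)


def triage(entries):
    """Apply the triage rules; returns (section, reason, body) for each flagged entry."""
    findings = []
    for section, body in entries:
        if section == "O2" and body.endswith("(no file)"):
            findings.append((section, "BHO registered but its DLL is gone", body))
        elif section == "O4":
            if body.startswith("Global Startup:") and "\\" not in body:
                # A bare file name in the all-users Startup folder has no vendor path to vouch for it.
                findings.append((section, "startup item with bare file name", body))
            else:
                cmd = body.split("] ", 1)[-1].strip().strip('"')
                if WINDOWS_ROOT_EXE.match(cmd):
                    findings.append((section, "executable directly in the Windows root", body))
        elif section == "O15":
            findings.append((section, "site in Trusted Zone (IE security reduced for it)", body))
        elif section == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if not is_allowed_host(host):
                findings.append((section, f"ActiveX download from non-allowlisted host {host}", body))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append((section, "service points to a missing file", body))
    return findings


def run_sample():
    """Triage the constructed sample log."""
    return triage(parse_hjt(SAMPLE_LOG))


if __name__ == "__main__":
    for section, reason, body in run_sample():
        print(f"[{section}] {reason}\n    {body}")
```

On the sample the script flags six entries, all of which appear in the fix list in the post above; the legitimate Java BHO, the Apoint run entry and the Microsoft WGA download pass untouched. The rules are intentionally narrow (the system32\wminfo.exe entry, for instance, is not caught by any of them), which is the point: a script like this shortens the first pass over a log, but the judgement calls stay with the person reading it.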

#6 qknot

qknot
  • Topic Starter

  • Members
  • 5 posts

Posted 28 September 2006 - 10:28 PM

Hi Dave,

I submitted the file for analysis. I didn't edit anything. My original concern was posting my log file on a site where it might be viewed publicly. Here are the log files that you requested. I couldn't find the 'trusted zones' listed in my popup blocker so I killed them using HijackThis. By all accounts, I would say the problem is fixed; the PC is running fine. Please let me know if you see anything in the files below that I should further address.

Thanks for your help,
Tim



PS. I can't believe what a huge amount of work it is to get this taken care of! I really appreciate your help. When we're done, I want to make a donation and have a question about how to best allocate donations across all the companies that provided solutions in this process. Is the best way to go to each company using their donation buttons? Or is there a simpler way?


SmitFraudFix v2.100

Scan done at 17:07:25.38, Thu 09/28/2006
Run from C:\unzipped\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\1024\ Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#7 DaveM59

DaveM59

    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 29 September 2006 - 05:35 AM

Hi Tim,

I only see the Smitfraud log here. Please post the Ewido and HijackThis logs as well.

#8 qknot

qknot
  • Topic Starter

  • Members
  • 5 posts

Posted 29 September 2006 - 08:30 AM

Hi Dave, My apologies, here is the SmitFraudFix again along with the other log files...


SmitFraudFix v2.100

Scan done at 17:07:25.38, Thu 09/28/2006
Run from C:\unzipped\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\1024\ Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:55:15 PM 9/28/2006

+ Scan result:



C:\Documents and Settings\touimet\Cookies\touimet@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Cookies\touimet@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Local Settings\Temp\Cookies\touimet@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Local Settings\Temp\Cookies\touimet@dowjones.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Local Settings\Temp\Cookies\touimet@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Cookies\touimet@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Cookies\touimet@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Cookies\touimet@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Cookies\touimet@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Local Settings\Temp\Cookies\touimet@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Local Settings\Temp\Cookies\touimet@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Local Settings\Temp\Cookies\touimet@ehg-cbot.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Local Settings\Temp\Cookies\touimet@ehg-techtarget.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Local Settings\Temp\Cookies\touimet@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Cookies\touimet@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Cookies\touimet@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Cookies\touimet@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Cookies\touimet@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Cookies\touimet@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Cookies\touimet@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Local Settings\Temp\Cookies\touimet@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Cookies\touimet@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Cookies\touimet@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Cookies\touimet@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Cookies\touimet@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Local Settings\Temp\Cookies\touimet@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Local Settings\Temp\Cookies\touimet@blp.valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Local Settings\Temp\Cookies\touimet@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Cookies\touimet@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\quarantine\aalfclmd.exe -> Trojan.Dialer.ay : Cleaned with backup (quarantined).
C:\quarantine\angddlmd.exe -> Trojan.Dialer.ay : Cleaned with backup (quarantined).
C:\quarantine\eccnjmmd.exe -> Trojan.Dialer.ay : Cleaned with backup (quarantined).
C:\quarantine\gpffopmd.exe -> Trojan.Dialer.ay : Cleaned with backup (quarantined).
C:\quarantine\hncnljmd.exe -> Trojan.Dialer.ay : Cleaned with backup (quarantined).
C:\quarantine\hpfkbomd.exe -> Trojan.Dialer.ay : Cleaned with backup (quarantined).
C:\quarantine\icnlimmd.exe -> Trojan.Dialer.ay : Cleaned with backup (quarantined).
C:\quarantine\jpiobomd.exe -> Trojan.Dialer.ay : Cleaned with backup (quarantined).
C:\quarantine\kkgpopmd.exe -> Trojan.Dialer.ay : Cleaned with backup (quarantined).
C:\quarantine\mkgffkmd.exe -> Trojan.Dialer.ay : Cleaned with backup (quarantined).
C:\quarantine\CABEDialer.dll -> Trojan.Dialer.fe : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Uninstall.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
C:\Documents and Settings\touimet\Local Settings\Temp\566034.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP12\A0000265.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP15\A0001441.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP7\A0000180.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP9\A0000228.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 7:51:26 PM, on 9/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\oracle\ora92\BIN\TNSLSNR.exe
d:\oracle\ora92\bin\ORACLE.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: SpoofStick BHO - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} - C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\touimet\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Handspring\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://bigyvm.dc.khimetrics.com/includes/CfxIEAx.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...ols/en/x86/client/muweb_site.cab?1158591599762
O16 - DPF: {C0A63B86-4B21-11D3-BD95-D426EF2C7949} (:-) VideoSoft FlexGrid 7.0 (Light)) - http://bigyvm.dc.khimetrics.com/includes/vsflex7L.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = khimetrics.com
O17 - HKLM\Software\..\Telephony: DomainName = khimetrics.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = khimetrics.com
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows NT/2000 (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\SYSTEM32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - D:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - D:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - D:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome92PagingServer - Unknown owner - D:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - D:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - D:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - D:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceTOTEST - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

#9 DaveM59 (Bleepin' Grandpa, Members, 1,355 posts, TN USA)

Posted 29 September 2006 - 09:54 PM

Hi again Tim,

Your logs are looking good. The HijackThis log is clean, and your Ewido log shows no active malware. I think you may be in the clear at this point; however, I'm going to ask you to do just one more round of scans, because you are one of the first people to have come up with (or down with) a new variant of BraveSentry. Your submission was successful, and S!Ri, the developer of Smitfraudfix, has updated his program to find and remove that uninstall.exe file. I want to thank you for helping us in this way.

I also want to thank you for your generous offer of a donation. My advice would be to give priority to those organizations and individuals that have no commercial interest in what they are doing. If you want to thank a company like Grisoft (Ewido), you can buy the commercial version of their program -- which often includes nice extra features, by the way. In my book, individuals like S!Ri at http://siri.urz.free.fr/Fix/SmitfraudFix_En.php#donation or organizations like, dare I say it, Bleeping Computer at http://www.bleepingcomputer.com/supportus.php#donation, who do this basically out of the goodness of their hearts, would be at the top of the list.

Now, just to be sure there's nothing else lurking, please delete your current Smitfraudfix folder. Then go to the same link you used before and download, unpack and run the brand new updated version of Smitfraudfix. Just run option one and be sure to save the logfile.

Then go to the Kaspersky online scanner. Accept the terms, let it install an ActiveX program (since you have XP SP2 this is blocked by default, you must allow it), then accept the terms again, let it download the files (about 8 MB total). Click Next, and select "My Computer" as the scan area. Kaspersky takes a long time but it is very thorough. When it is finished, save the report as a text file (easier to work with than an HTML file) to your desktop.

Please submit those two logs to a reply here. I hate to ask this but I will -- before you select and copy the text, please make sure that "Word Wrap" is turned off in Notepad. If it's turned on the line spacing of the posted log comes out weird and makes it hard to read.

So -- post those logs and with any luck, we can give you the "all clear" and some tips on keeping your system clean.

Cheers,
Dave

#10 qknot (Topic Starter, Members, 5 posts)

Posted 02 October 2006 - 04:27 PM

Hi Dave,

The Kaspersky scan found 2 viruses and 12 infected files. I copied the files you requested below (with word wrap turned on). Please let me know what you think.

Tim

PS. Thanks for your help simplifying my donation question.




SmitFraudFix v2.104

Scan done at 9:37:50.57, Mon 10/02/2006
Run from C:\unzipped\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\touimet


C:\Documents and Settings\touimet\Application Data

C:\Documents and Settings\touimet\Application Data\Install.dat FOUND !

Start Menu


C:\DOCUME~1\touimet\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End
KASPERSKY ONLINE SCANNER REPORT
Monday, October 02, 2006 2:14:24 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/10/2006
Kaspersky Anti-Virus database records: 215157

Scan Settings
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
C:\
D:\
E:\
X:\
Z:\

Scan Statistics
Total number of scanned objects: 128744
Number of viruses found: 2
Number of infected objects: 12 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:12:28

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\164320194426e0ad15c9eff9861202dc_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\4e33417333e767a776cab7737f3b21fe_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\ba156d5d46f47abe258648c843629795_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-09172006-061037.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_TOUIMETXP1.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\QBDataServiceUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\QBDataServiceUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\QBDataServiceUser\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\QBDataServiceUser\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\touimet\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\touimet\Application Data\Microsoft\Outlook\xxx@xxx.NK2 Object is locked skipped
C:\Documents and Settings\touimet\Application Data\Microsoft\Outlook\xxx@xxx.srs Object is locked skipped
C:\Documents and Settings\touimet\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\Microsoft\Outlook\outlook.ost/Offline store/Root - Mailbox/IPM_SUBTREE/Deleted Items/20 Jan 2006 05:36 from member@ebay.com:Message from eBay Member.html Infected: Trojan-Spy.HTML.Bayfraud.kh skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\Microsoft\Outlook\outlook.ost Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\Microsoft\Outlook\outlook0.ost Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{35B17C65-BC52-4045-BBDE-148D2BD746BC} Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\History\History.IE5\MSHist012006100220061003\index.dat Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Temp\ExchangePerflog_8484fa3196604de084feb70a.dat Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Temp\~DFF326.tmp Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\touimet\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\touimet\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP15\A0001529.exe Infected: Trojan.Win32.Dialer.ay skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP15\A0001530.exe Infected: Trojan.Win32.Dialer.ay skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP15\A0001531.exe Infected: Trojan.Win32.Dialer.ay skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP15\A0001532.exe Infected: Trojan.Win32.Dialer.ay skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP15\A0001533.exe Infected: Trojan.Win32.Dialer.ay skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP15\A0001534.exe Infected: Trojan.Win32.Dialer.ay skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP15\A0001535.exe Infected: Trojan.Win32.Dialer.ay skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP15\A0001536.exe Infected: Trojan.Win32.Dialer.ay skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP15\A0001537.exe Infected: Trojan.Win32.Dialer.ay skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP15\A0001538.exe Infected: Trojan.Win32.Dialer.ay skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\change.log Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\ModemLog_Communications cable between two computers.txt Object is locked skipped
C:\WINDOWS\Prefetch\layout.ini Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{BCDFD5A9-44EE-4BE8-A3E3-4C6845386CC1}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\SYSTEM32\ndmp.log Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\oracle\ora92\network\log\listener.log Object is locked skipped
D:\oracle\oradata\TOTEST\CONTROL01.CTL Object is locked skipped
D:\oracle\oradata\TOTEST\CONTROL02.CTL Object is locked skipped
D:\oracle\oradata\TOTEST\CONTROL03.CTL Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

#11 DaveM59 (Bleepin' Grandpa, Members, 1,355 posts, TN USA)

Posted 04 October 2006 - 07:37 AM

Hi again Tim,

Sorry for the delay in getting back to you. My coach and I have both been doing some research on your logs.

Things are looking pretty good. The new Smitfraudfix scan only found the same install.dat file as before. Navigate to

C:\Documents and Settings\touimet\Application Data\Install.dat

and just delete the file. It's not dangerous in itself (note that Kaspersky did not flag it), but it was created by the malware installation routine so let's get rid of it.

KAV actually found only two threats, neither of which is active at the moment. One is a dangerous phishing email that, because of the way Outlook organizes its folder database, had been flagged twice. Look in your Offline folders/Deleted Items for an email dated 20 Jan 2006 05:36 from member@ebay.com and delete it. Or just empty Deleted Items. I'm not familiar with Outlook so I can't give more specific instructions; if you can't find it, let me know and I'll ask around.

The other item is a dialer trojan. It has been backed up every time a restore point is made, that is why there are several instances of the same. They won't activate unless you use System Restore. To fix that we need to delete all your restore points by disabling then re-enabling System Restore with a reboot in between.

For this I refer you to this BC tutorial:

http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/

Last thing I need from you is a fresh HijackThis log. Please post that to a reply here. Also, please tell me how your computer is running and if everything is as you like, including your desktop, also if you had any problems with the System Restore flush or finding that Deleted Items folder in your Offline Files.

Good luck,

Dave

Edited by DaveM59, 04 October 2006 - 07:59 AM.
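The reading Dave gives the Kaspersky report in post #11 is a triage rule set that is worth writing down: "Object is locked skipped" lines are files the scanner could not open (registry hives, event logs, in-use mail and database files) and are not detections; an "Infected:" hit under System Volume Information\_restore{...}\RPnn\ is a dormant copy saved by System Restore and goes away when restore points are flushed; a hit whose path runs through an .ost/.pst file is a message inside a mail store, which Kaspersky then counts a second time as the container ("MS Mail: infected - 1"); anything else flagged "Infected:" is a live file. That is how 12 "infected objects" in the report above collapse to two threats, neither active: ten restore-point copies, one phishing message and the .ost that holds it. The script below is an added example written for this page, not code from the thread, from Kaspersky or from BleepingComputer. It assumes the "path Infected: name skipped" line layout seen in the saved text report; the sample lines are constructed from the report above with paths trimmed, and the last sample line (a live copy under system32) is invented to show how that case is handled.

```python
# Triage of a Kaspersky Online Scanner text report: added example, not the
# thread's or Kaspersky's code. Implements the reading given in post #11.
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on the thread's report (wrapped lines rejoined,
# paths trimmed). The final line is invented to show a live, non-dormant copy.
SAMPLE_REPORT = r"""
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\Microsoft\Outlook\outlook.ost/Offline store/Root - Mailbox/IPM_SUBTREE/Deleted Items/20 Jan 2006 05:36 from member@ebay.com:Message from eBay Member.html Infected: Trojan-Spy.HTML.Bayfraud.kh skipped
C:\Documents and Settings\touimet\Local Settings\Application Data\Microsoft\Outlook\outlook.ost Mail MS Mail: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP15\A0001529.exe Infected: Trojan.Win32.Dialer.ay skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP15\A0001530.exe Infected: Trojan.Win32.Dialer.ay skipped
C:\WINDOWS\system32\hypothetical-live-copy.exe Infected: Trojan.Win32.Dialer.ay skipped
"""

# Line shapes assumed from the saved text report (not an official format spec).
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) Mail MS Mail: infected - (?P<count>\d+) skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
# Restore-point copies live under <drive>\System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I)
# A hit *inside* a mail store is reported as "<store>.ost/<folder path>/<message>"
MAILSTORE_RE = re.compile(r"\.(ost|pst)/", re.I)


@dataclass(frozen=True)
class Finding:
    path: str
    threat: str
    verdict: str  # "restore_point", "mail_store" or "live"


def classify_location(path: str) -> str:
    """Where a flagged object sits decides the remediation."""
    if RESTORE_RE.search(path):
        return "restore_point"
    if MAILSTORE_RE.search(path):
        return "mail_store"
    return "live"


def triage(report: str) -> dict:
    """Split report lines into locked noise, container counts and real findings."""
    result = {"locked": [], "container": [], "findings": [], "unparsed": []}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := LOCKED_RE.match(line):
            result["locked"].append(m["path"])
        elif m := CONTAINER_RE.match(line):
            result["container"].append((m["path"], int(m["count"])))
        elif m := INFECTED_RE.match(line):
            result["findings"].append(Finding(m["path"], m["name"], classify_location(m["path"])))
        else:
            result["unparsed"].append(line)  # keep anything unexpected visible
    return result


def verdict_counts(report: str) -> Counter:
    return Counter(f.verdict for f in triage(report)["findings"])


def distinct_threats(report: str) -> set:
    """Corresponds to the report's 'Number of viruses found', not its object count."""
    return {f.threat for f in triage(report)["findings"]}


ACTIONS = {
    "restore_point": "dormant copy: flush System Restore (disable, reboot, re-enable)",
    "mail_store": "message inside a mail store: delete the message, then empty Deleted Items",
    "live": "live file: remove it and find what loads it (HijackThis O4/O23 entries)",
}


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(f"{len(r['locked'])} locked (noise), {len(r['container'])} container count(s), "
          f"{len(r['findings'])} detection(s) of {len(distinct_threats(SAMPLE_REPORT))} threat(s)")
    for f in r["findings"]:
        print(f"[{f.verdict}] {f.threat}\n   {f.path}\n   -> {ACTIONS[f.verdict]}")
```

Run as-is it triages the constructed sample; for a real scan, save the report as text (as Dave asks, not HTML) and pass the file contents to triage(). Anything that lands in "unparsed" is a line shape the script did not anticipate and should be read by hand rather than assumed harmless.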