Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Im In Fected


  • This topic is locked This topic is locked
23 replies to this topic

#1 Patty31668

Patty31668

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 17 October 2006 - 08:11 AM

Hello im not sure whats going on im infected or hijacked will you help me ? it took over my home page wont let me put my orginial one back at the bottom of my computer it has a security alert. im not sure what to do a friend gave me this site said you were wonderful and would be able to help me
Thank you so much Patty31168

BC AdBot (Login to Remove)

 


#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:58 PM

Posted 17 October 2006 - 10:37 AM

Hello Patty31668, welcome to BleepingComputer! My name is Charles and I will be dealing with your log today.

Please take note of the following:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
* Click here to download Hijackthis.
Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Post back with a HijackThis log,
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#3 Patty31668

Patty31668
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 17 October 2006 - 11:01 AM

ok i ran the hijacked log this is what i got

Logfile of HijackThis v1.99.1
Scan saved at 11:53:12 AM, on 10/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MMediaCodec\isamonitor.exe
C:\Program Files\MMediaCodec\pmsngr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\DriveCleaner 2006 Free\udcsdr.exe
C:\Program Files\Common Files\DriveCleaner 2006 Free\udcpas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MMediaCodec\pmmon.exe
C:\Program Files\MMediaCodec\isamini.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Little Fighter 2 Toolbar Helper - {AB41010D-4804-4793-A6A2-3B5EBE2348DD} - C:\Program Files\Little Fighter 2 Toolbar\v2.0.0.1\Little_Fighter_2_Toolbar.dll (file missing)
O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Program Files\MMediaCodec\isaddon.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Little Fighter 2 Toolbar - {C11483F7-D7D8-4804-98D8-6055470BB989} - C:\Program Files\Little Fighter 2 Toolbar\v2.0.0.1\Little_Fighter_2_Toolbar.dll (file missing)
O3 - Toolbar: Protection Bar - {44d22a64-2399-4edf-8b32-f2c729c1e8a7} - C:\Program Files\MMediaCodec\iesplugin.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PPort9reminder] "C:\Program Files\ScanSoft\PaperPort\WebEreg\Ereg.exe" -r "C:\Program Files\ScanSoft\PaperPort\WebEreg\ereg.ini"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner 2006 Free\udcsdr.exe"
O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner 2006 Free\udcpas.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [BPS Security Console] C:\Program Files\BulletProofSoft.com\BPS Security Console\SecCon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136920640109
O16 - DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} (OFMailHTMLCtl Class) - http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:58 PM

Posted 17 October 2006 - 01:45 PM

Hey Patty31668

======

* Download Roguescanfix
Download it to your desktop.
Doubleclick roguescanfix_setup.exe
Select the language setup and click ok.
Proceed with the installation. Make sure the 'Start Roguescanfix' is checked.
Once you click Finish, it will start the fix.

Note: This tool needs internet connection because it downloads an additional file to let the tool work properly.
If your firewall gives an alert, allow it instead of blocking it.
In case you still get the message BFU.exe is not present, download BFU.zip from here.
Unzip it and place BFU.exe in the Roguescanfix-folder, present in your Program Files-folder. Then doubleclick Roguescanfix.bat.


======

When you start roguescanfix.bat you'll see a menu:
1. Run Roguescanfix
2. Run sharedtasksrem

Type 1 and click enter for Run Roguescanfix
(Note! Don't click 2 unless advised!!)

The tool will uninstall some programs and delete related files and registrykeys.
When some files won't get deleted, it will ask you to reboot your system to delete the files after reboot.
Please make sure the uninstall of the programs are finished before you click Yes to reboot.
Post the log (task.txt) that will open in your next reply. (task.txt will be present in folder Program Files\Roguescanfix)

======

Please post back with the following (you may need more than one reply):
-Task.txt
-New HijackThis log

Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#5 Patty31668

Patty31668
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 17 October 2006 - 02:40 PM

ok i did it this is what is says

Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:58 PM

Posted 17 October 2006 - 02:46 PM

Can I have a new HijackThis log, please?

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#7 Patty31668

Patty31668
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 17 October 2006 - 02:51 PM

what do you mean a new hijak file.after i performed this a a brute uninforse installer popped up want me to excute or exit what do i do

#8 Patty31668

Patty31668
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 17 October 2006 - 02:57 PM

when i did what you said this is what popped up in the task txt is this what you mean? and like i said the btute force popped up and wants me to excute or exit what do i do ? and then do i uninstall the stuff you told me thn restart my computer?

#9 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:58 PM

Posted 17 October 2006 - 03:00 PM

Ok, I think I get what your problem is now...
Click Execute, reboot, then uninstall it.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#10 Patty31668

Patty31668
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 17 October 2006 - 03:02 PM

ok i think this is what you are looking for sorry i hope it helps



BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 3:57:17 PM, on 10/17/2006

Option pause between commands: 100 ms
Failed: FileDelete C:\Documents and Settings\Edward\Application Data\Microsoft\Internet Explorer\QuickLaunch\SpyFalcon*.* (operation failed)
Failed: FileDelete C:\Documents and Settings\Edward\Application Data\Microsoft\Internet Explorer\QuickLaunch\SpywareQuake*.* (operation failed)
Failed: FileDelete C:\Documents and Settings\Edward\Application Data\Microsoft\Internet Explorer\QuickLaunch\Spyware Sherif*.* (operation failed)
Failed: FolderDelete C:\Program Files\eMedia Codec (folder not found)
Failed: FolderDelete C:\Program Files\Media-Codec (folder not found)
Failed: FolderDelete C:\Program Files\spyfalcon (folder not found)
Failed: FolderDelete C:\Documents and Settings\Edward\Start Menu\Programs\SpyFalcon (folder not found)
Failed: FolderDelete C:\Documents and Settings\Edward\Start Menu\Programs\SpywareQuake (folder not found)
Failed: FolderDelete C:\Program Files\SpywareQuake (folder not found)
Failed: FolderDelete C:\WINDOWS\system32\1024 (folder not found)
Failed: FolderDelete C:\Program Files\Trust Cleaner (folder not found)
Failed: FolderDelete C:\Program Files\TrustIn Contextual (folder not found)
Failed: FolderDelete C:\Program Files\TrustIn Bar (folder not found)
Failed: FolderDelete C:\Program Files\TrustIn Popups (folder not found)
Failed: FolderDelete C:\Program Files\TrustIn Search (folder not found)
Failed: FolderDelete C:\Program Files\SpywareQuake.com (folder not found)
Failed: FolderDelete C:\Program Files\SpywareStrike (folder not found)
Failed: FolderDelete C:\Program Files\SpyQuake2.com (folder not found)
Failed: FolderDelete C:\Documents and Settings\Edward\Start Menu\Programs\SpyQuake2.com (folder not found)
Failed: FolderDelete C:\Program Files\IntCodec (folder not found)
Failed: FolderDelete C:\Program Files\virusburst (folder not found)
Failed: FolderDelete C:\Program Files\virus-burst (folder not found)
Failed: FolderDelete C:\Program Files\strCodec (folder not found)
Failed: FolderDelete C:\Program Files\vb (folder not found)
Failed: FolderDelete C:\Program Files\virusburster (folder not found)
Script completed.

#11 Patty31668

Patty31668
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 17 October 2006 - 03:08 PM

Sorry to keep bothering you but do i delete the hijacked thing you told me to down load eariler to?

#12 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:58 PM

Posted 17 October 2006 - 03:15 PM

No, please keep HijackThis. This is the most useful tool we have at detecting malware, so I'll need you to keep running me some scans from that, to check if all the malware on your PC has been deleted or not.

======

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

======

Post back with the log created.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#13 Patty31668

Patty31668
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 17 October 2006 - 03:54 PM

here it is im lost now it was gone off my computer but its back again?

Works on remote machines with the Microsoft Telnet Server (tlntsvr) found on Windows 2000 and XP or with BeyondExec for Windows NT4/2000/XP.

View processes, owners, and CPU time . .

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.01
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

ImageName PID Threads Priority CPU%
[System Process] 0 1 0 100 Error 0x6 : The handle is invalid.
System 8 43 8 0 Error 0x5 : Access is denied.
SMSS.EXE 180 6 11 0 NT AUTHORITY\SYSTEM
CSRSS.EXE 204 11 13 0 NT AUTHORITY\SYSTEM
WINLOGON.EXE 224 16 13 0 NT AUTHORITY\SYSTEM
SERVICES.EXE 252 33 9 0 NT AUTHORITY\SYSTEM
LSASS.EXE 264 16 9 0 NT AUTHORITY\SYSTEM
svchost.exe 436 10 8 0 NT AUTHORITY\SYSTEM
spoolsv.exe 468 15 8 0 NT AUTHORITY\SYSTEM
CrypServ.exe 496 3 13 0 NT AUTHORITY\SYSTEM
svchost.exe 512 28 8 0 NT AUTHORITY\SYSTEM
hidserv.exe 532 4 8 0 NT AUTHORITY\SYSTEM
jtagserver.exe 560 3 8 0 NT AUTHORITY\SYSTEM
mdm.exe 584 6 8 0 NT AUTHORITY\SYSTEM
nvsvc32.exe 628 2 8 0 NT AUTHORITY\SYSTEM
regsvc.exe 664 2 8 0 NT AUTHORITY\SYSTEM
mstask.exe 704 6 8 0 NT AUTHORITY\SYSTEM
stisvc.exe 728 4 8 0 NT AUTHORITY\SYSTEM
WinMgmt.exe 804 3 8 0 NT AUTHORITY\SYSTEM
mspmspsv.exe 876 2 8 0 NT AUTHORITY\SYSTEM
svchost.exe 896 5 8 0 NT AUTHORITY\SYSTEM
explorer.exe 616 15 8 0 NEPTUNE\Administrator
mixer.exe 1092 3 8 0 NEPTUNE\Administrator
PRISMSTA.exe 1048 1 8 0 NEPTUNE\Administrator
rundll32.exe 952 2 8 0 NEPTUNE\Administrator
DIRECTCD.EXE 960 3 8 0 NEPTUNE\Administrator
internat.exe 1180 1 8 0 NEPTUNE\Administrator
OSA.EXE 1192 2 8 0 NEPTUNE\Administrator
Icq.exe 1200 11 8 0 NEPTUNE\Administrator
devenv.exe 1324 4 8 0 NEPTUNE\Administrator
IEXPLORE.EXE 1140 7 8 0 NEPTUNE\Administrator
CMD.EXE 1340 1 8 0 NEPTUNE\Administrator
Process.exe 1132 1 8 0 NEPTUNE\Administrator

#14 Patty31668

Patty31668
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 17 October 2006 - 04:04 PM

here is something else i got
Logfile of HijackThis v1.99.1
Scan saved at 4:59:06 PM, on 10/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MMediaCodec\isamonitor.exe
C:\Program Files\MMediaCodec\pmsngr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\DriveCleaner 2006 Free\udcsdr.exe
C:\Program Files\Common Files\DriveCleaner 2006 Free\udcpas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MMediaCodec\pmmon.exe
C:\Program Files\MMediaCodec\isamini.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Little Fighter 2 Toolbar Helper - {AB41010D-4804-4793-A6A2-3B5EBE2348DD} - C:\Program Files\Little Fighter 2 Toolbar\v2.0.0.1\Little_Fighter_2_Toolbar.dll (file missing)
O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Program Files\MMediaCodec\isaddon.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Little Fighter 2 Toolbar - {C11483F7-D7D8-4804-98D8-6055470BB989} - C:\Program Files\Little Fighter 2 Toolbar\v2.0.0.1\Little_Fighter_2_Toolbar.dll (file missing)
O3 - Toolbar: Protection Bar - {44d22a64-2399-4edf-8b32-f2c729c1e8a7} - C:\Program Files\MMediaCodec\iesplugin.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PPort9reminder] "C:\Program Files\ScanSoft\PaperPort\WebEreg\Ereg.exe" -r "C:\Program Files\ScanSoft\PaperPort\WebEreg\ereg.ini"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner 2006 Free\udcsdr.exe"
O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner 2006 Free\udcpas.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [BPS Security Console] C:\Program Files\BulletProofSoft.com\BPS Security Console\SecCon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136920640109
O16 - DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} (OFMailHTMLCtl Class) - http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#15 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:58 PM

Posted 17 October 2006 - 04:10 PM

Ok, I think you're getting confused here, so I'll try and simplify what I want you to do.....

======

Please download SmitfraudFix (by S!Ri) <--Click the red bit, and Save it

Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, copy/paste the content of that report into your next reply.

======

This log should start something like:

SmitFraudFix v2.107

Scan done at 3:15:55.31, Tue 10/10/2006
Run from C:\Documents and Settings\Rob\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

Note that this information will be different for you, I just wanted to give you an idea of what to look out for.

======

Post that in a reply to this thread,
Thanks and good luck! :thumbsup:
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users