
Infected W/ Trojan-spy Win32@mx


  • This topic is locked
10 replies to this topic

#1 smoothbro21

smoothbro21

  • Members
  • 5 posts

Posted 21 October 2006 - 01:57 PM

Sorry, I can't tell you what is wrong with my computer, but it is not working right. The web page has changed to www.iehomepages.com and I'm getting pop-ups saying I have a virus, and other pop-ups with these paid ads to fix the problem. I am using Firefox right now but want Internet Explorer to work again. Here is my log.


Logfile of HijackThis v1.99.1
Scan saved at 12:47:24 PM, on 10/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\isnotify.exe
E:\WINDOWS\system32\issearch.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Program Files\QuickTime\qttask.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\WgaTray.exe
E:\Program Files\Windows Live Safety Center\wlscUploader.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - E:\WINDOWS\system32\ixt0.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [LXCFCATS] rundll32 E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareBot] E:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\RunOnce: [ContinueOneCareInstall] rundll32 E:\WINDOWS\system32\winsswebagent.dll,LaunchIEAfterReboot
O4 - Startup: Webshots.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = E:\Program Files\Exif Launcher\QuickDCF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/bejeweled...aploader_v6.cab
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: lxcf_device - - E:\WINDOWS\system32\lxcfcoms.exe

Edited by smoothbro21, 21 October 2006 - 02:43 PM.



#2 stonangel

stonangel

  • Members
  • 595 posts
  • Location:France

Posted 21 October 2006 - 02:40 PM

Welcome to Bleeping Computer, smoothbro21.

* You are missing an antivirus program on your computer.

You need to install an antivirus program as soon as you can and run a complete scan of the computer:

Install it and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but cannot remove.

* I need to see another HijackThis log, but you need to extract (unzip) HijackThis first. Otherwise the backups made when items are fixed won't be secure. The easiest way to accomplish this is to reinstall and delete any copies of HijackThis.zip you have saved.

Please download the self-extracting version of HijackThis from here:

HijackThis_sfx download

Save HijackThis_sfx to your desktop.

Double-click the file then click the Unzip button. Then close the Self-Extractor window.

Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double-click on HijackThis.exe to run it. If you would like to make a shortcut for your Desktop so it's more easily accessible, right-click HijackThis.exe and choose Send To > Desktop (create shortcut).

Please run the extracted HijackThis.exe from now on. Delete any copies of HijackThis.zip that you have saved.

* Please download SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Olivier

#3 smoothbro21

smoothbro21
  • Topic Starter

  • Members
  • 5 posts

Posted 21 October 2006 - 03:42 PM

This is my log from SmitfraudFix and HijackThis. I erased all HijackThis logs from before and downloaded a new HijackThis from the link you gave me. I downloaded BitDefender and it came up with 3 infected viruses that I think it erased. I am not too sure? I hope this helps. Thanks.


SmitFraudFix v2.112

Scanning E:\...
Scanning E:\WINDOWS\...
Scanning E:\WINDOWS\system...

Scanning E:\WINDOWS\Web...
Scanning E:\WINDOWS\system32...
Scanning E:\WINDOWS\system32\LogFiles...
Scanning E:\Documents and Settings\user...
Scanning E:\Documents and Settings\user\Application Data...
Scanning Start Menu...
Scanning E:\DOCUME~1\user\FAVORI~1...
Scanning Desktop...
Scanning E:\Program Files...
Scanning corrupted keys
Scanning Desktop Components
Scanning Sharedtaskscheduler
Scanning AppInit_DLLs
Scanning pe386-msguard-lzx32
Scanning wininet.dll infection


End


Logfile of HijackThis v1.99.1
Scan saved at 2:34:47 PM, on 10/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\isnotify.exe
E:\WINDOWS\system32\issearch.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Program Files\QuickTime\qttask.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\WgaTray.exe
E:\Program Files\Windows Live Safety Center\wlscUploader.exe
E:\WINDOWS\system32\lxcfcoms.exe
E:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
E:\Program Files\Softwin\BitDefender8\bdnagent.exe
E:\Program Files\Softwin\BitDefender8\bdswitch.exe
E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
e:\program files\softwin\bitdefender8\bdmcon.exe
E:\WINDOWS\system32\cmd.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - E:\WINDOWS\system32\ixt0.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [LXCFCATS] rundll32 E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareBot] E:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [BDMCon] "E:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "E:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\RunOnce: [ContinueOneCareInstall] rundll32 E:\WINDOWS\system32\winsswebagent.dll,LaunchIEAfterReboot
O4 - Startup: Webshots.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = E:\Program Files\Exif Launcher\QuickDCF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/bejeweled...aploader_v6.cab
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: lxcf_device - - E:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#4 stonangel

stonangel

  • Members
  • 595 posts
  • Location:France

Posted 22 October 2006 - 09:34 AM

Hi smoothbro21,

Could you run SmitFraudFix again, selecting option 1, and post back the entire log, please?

Edited by stonangel, 22 October 2006 - 09:35 AM.


Olivier

#5 smoothbro21

smoothbro21
  • Topic Starter

  • Members
  • 5 posts

Posted 22 October 2006 - 11:03 AM

Here is my new log. Thanks.

SmitFraudFix v2.112

Scanning E:\...
Scanning E:\WINDOWS\...
Scanning E:\WINDOWS\system...
Scanning E:\WINDOWS\Web...
Scanning E:\WINDOWS\system32...
Scanning E:\WINDOWS\system32\LogFiles...
Scanning E:\Documents and Settings\user...
Scanning E:\Documents and Settings\user\Application Data...
Scanning Start Menu...
Scanning E:\DOCUME~1\user\FAVORI~1...
Scanning Desktop...
Scanning E:\Program Files...
Scanning corrupted keys
Scanning Desktop Components
Scanning Sharedtaskscheduler
Scanning AppInit_DLLs
Scanning pe386-msguard-lzx32
Scanning wininet.dll infection

End

#6 stonangel

stonangel

  • Members
  • 595 posts
  • Location:France

Posted 22 October 2006 - 11:44 AM

Hi smoothbro21,

* You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

* First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.

* Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

* Still in Safe mode,

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the C:\rapport.txt, the AVG Anti-Spyware report scan and a new hijackthis log, please.


Olivier

#7 smoothbro21

smoothbro21
  • Topic Starter

  • Members
  • 5 posts

Posted 22 October 2006 - 01:30 PM

SmitFraudFix v2.112

Scan done at 11:29:47.02, Sun 10/22/2006
Run from E:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:16:54 PM 10/22/2006

+ Scan result:



HKU\S-1-5-21-1060284298-2111687655-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A43385F0-7113-496D-96D7-B9B550E3FCCA} -> Adware.Isearch : Cleaned with backup (quarantined).
E:\Documents and Settings\user\Cookies\user@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
E:\Documents and Settings\user\Cookies\user@msnservices.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
E:\Documents and Settings\user\Cookies\user@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
E:\Documents and Settings\user\Cookies\user@sportingnews.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
E:\Documents and Settings\user\Cookies\user@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.54:E:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\s3lzm6b9.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
E:\Documents and Settings\user\Cookies\user@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
E:\Documents and Settings\user\Cookies\user@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
E:\Documents and Settings\user\Cookies\user@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.53:E:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\s3lzm6b9.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
E:\Documents and Settings\user\Cookies\user@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
E:\Documents and Settings\user\Cookies\user@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.42:E:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\s3lzm6b9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.44:E:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\s3lzm6b9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.45:E:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\s3lzm6b9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.47:E:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\s3lzm6b9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.48:E:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\s3lzm6b9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.49:E:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\s3lzm6b9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.50:E:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\s3lzm6b9.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
E:\Documents and Settings\user\Cookies\user@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
E:\Documents and Settings\user\Cookies\user@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
E:\Documents and Settings\user\Cookies\user@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.51:E:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\s3lzm6b9.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.52:E:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\s3lzm6b9.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
E:\Documents and Settings\user\Cookies\user@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
E:\Documents and Settings\user\Cookies\user@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
E:\Documents and Settings\user\Cookies\user@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.9:E:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\s3lzm6b9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
E:\Documents and Settings\user\Cookies\user@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
E:\Documents and Settings\user\Cookies\user@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.
E:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
E:\Documents and Settings\user\Cookies\user@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end



Logfile of HijackThis v1.99.1
Scan saved at 12:22:13 PM, on 10/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\WgaTray.exe
E:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [LXCFCATS] rundll32 E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareBot] E:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: Webshots.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = E:\Program Files\Exif Launcher\QuickDCF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/bejeweled...aploader_v6.cab
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: lxcf_device - - E:\WINDOWS\system32\lxcfcoms.exe

#8 stonangel

stonangel

  • Members
  • 595 posts
  • Location:France

Posted 22 October 2006 - 02:44 PM

Hi smoothbro21,

* Go to Start > Control Panel and double-click on the Java icon (coffee cup) in the Control Panel.
It will say "Java Plug-in" under the icon.
Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
If you are unable to update you can manually update by going here:
http://www.java.com/en/download/manual.jsp
After the reboot, go back into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache; leave ALL 3 checked:
  • Downloaded Applets
  • Downloaded Applications
  • Other Files
Click OK on the Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

* Please Go to Start> Control Panel> Add or Remove Programs and uninstall the following if listed:

SpywareBot

Spyware remover of somewhat dubious repute; see here

* Please re-open HijackThis and scan. Check the below entries:

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O4 - HKLM\..\Run: [SpywareBot] E:\Program Files\SpywareBot\SpywareBot.exe -boot

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/bejeweled...aploader_v6.cab

Close any open windows except for HijackThis then click on Fix checked.

* Delete the following folder if still present:

E:\Program Files\SpywareBot

* Restart your computer, install an antivirus program, post back a new HijackThis log for review and tell us how things are running now, please.

Olivier
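
The entry classes stonangel picks out above ("(no file)" orphans, unnamed BHOs and toolbars, an unnamed O16 download, the SpywareBot Run entry) can be checked mechanically. The following Python script is an added example, not part of this thread and not HijackThis's own code: it parses the O2/O3/O4/O9/O16 lines of a log, flags those classes, cross-references CLSIDs with the AVG report from post #7 (which names the ixt0.dll BHO as Adware.Isearch), and confirms that exactly those entries are the ones missing from the final log. The sample lines are trimmed from the logs posted in this thread; the SpywareBot watchlist is an assumption drawn from post #8.

```python
import re

# Constructed samples: lines trimmed from the HijackThis logs posted in this
# thread (post #1 before cleaning, post #9 after).  Backslashes are literal.
LOG_BEFORE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - E:\WINDOWS\system32\ixt0.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SpywareBot] E:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
"""
LOG_AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
"""
# Constructed sample: the registry detection line from the AVG report in post #7.
AVG_REPORT = r"""
HKU\S-1-5-21-1060284298-2111687655-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A43385F0-7113-496D-96D7-B9B550E3FCCA} -> Adware.Isearch : Cleaned with backup (quarantined).
"""

# Assumption: startup-entry names a helper wants flagged; SpywareBot is the
# program stonangel asks to have uninstalled in post #8.
WATCHLIST = {"SpywareBot"}

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>%s) - (?P<target>.*)$" % CLSID),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>%s) - (?P<target>.*)$" % CLSID),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "O9": re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - (?P<clsid>%s) - (?P<target>.*)$" % CLSID),
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>%s)(?: \((?P<name>[^)]*)\))? - (?P<target>.*)$" % CLSID),
}
AV_LINE = re.compile(r"(%s) -> (?P<verdict>[^:]+?) :" % CLSID)


def parse_log(text):
    """Parse the O2/O3/O4/O9/O16 lines of a HijackThis log into dicts."""
    entries = []
    for line in text.strip().splitlines():
        for section, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                entry = {"section": section, "line": line, "name": None, "clsid": None}
                entry.update(match.groupdict())
                entries.append(entry)
                break
    return entries


def av_verdicts(report):
    """Map each CLSID named in an AVG-style report line to its verdict."""
    return {m.group(1).upper(): m.group("verdict").strip()
            for m in AV_LINE.finditer(report)}


def triage(entries, report=""):
    """Return (line, [reasons]) for every entry worth a second look: the same
    classes stonangel picked out, plus CLSIDs the AV report already named."""
    verdicts = av_verdicts(report)
    findings = []
    for e in entries:
        reasons = []
        if e["target"] == "(no file)":
            reasons.append("orphaned registry entry, referenced file is gone")
        elif e["section"] in ("O2", "O3") and e["name"] == "(no name)":
            reasons.append("unnamed BHO/toolbar loading a real DLL, verify the file")
        if e["section"] == "O16" and not e["name"]:
            reasons.append("ActiveX download (DPF) with no friendly name")
        if e["section"] == "O4" and e["name"] in WATCHLIST:
            reasons.append("startup entry for a program on the watchlist")
        if e["clsid"] and e["clsid"].upper() in verdicts:
            reasons.append("CLSID named in AV report as " + verdicts[e["clsid"].upper()])
        if reasons:
            findings.append((e["line"], reasons))
    return findings


def removed_entries(before, after):
    """Lines present in the first log but absent from the second."""
    kept = {e["line"] for e in parse_log(after)}
    return [e["line"] for e in parse_log(before) if e["line"] not in kept]


if __name__ == "__main__":
    for line, reasons in triage(parse_log(LOG_BEFORE), AVG_REPORT):
        print(line)
        for reason in reasons:
            print("    ->", reason)
    print("Removed between the two logs:", len(removed_entries(LOG_BEFORE, LOG_AFTER)))
```

On the sample logs every flagged line is also one of the lines that disappeared between the first and last log, which is the check a helper makes before declaring a log clean.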

#9 smoothbro21

smoothbro21
  • Topic Starter

  • Members
  • 5 posts

Posted 22 October 2006 - 06:09 PM

Hello, this is my most recent HijackThis log. Everything seems to be running better now, my home page is staying, and I haven't had any pop-ups. Thank you so much for your help! Hopefully my computer's clean and this last log looks good to you; if you see anything else, please let me know!! Thanks again!!!!!!!!!!!!

Logfile of HijackThis v1.99.1
Scan saved at 4:59:12 PM, on 10/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\WgaTray.exe
E:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [LXCFCATS] rundll32 E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: Webshots.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = E:\Program Files\Exif Launcher\QuickDCF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: lxcf_device - - E:\WINDOWS\system32\lxcfcoms.exe

#10 stonangel

stonangel

  • Members
  • 595 posts
  • Location:France

Posted 23 October 2006 - 10:41 AM

Hi smoothbro21,

Your log looks fine.

* Please install an antivirus program as soon as you can and run a complete scan of the computer.

* Please create a new restore point as explained here:
http://www.microsoft.com/windowsxp/using/h...temrestore.mspx

* Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

Olivier

#11 stonangel

stonangel

  • Members
  • 595 posts
  • Location:France

Posted 24 October 2006 - 12:53 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Olivier



