Unkown Virus Or Trojan (possibly Pfukkud.t)


10 replies to this topic

#1 tmcdonoug100

  • Members
  • 6 posts

Posted 11 November 2006 - 06:51 PM

I'm trying to fix my parents' computer. Upon startup, a window pops up that looks like the "Internet Explorer has encountered a problem" alert box with the options Send or Don't Send. However, instead of IE, it says "PFUKKUD.T has encountered a problem". And of course, no internet connection can be found.

Prompt help would be greatly appreciated!


Logfile of HijackThis v1.99.1
Scan saved at 6:08:46 PM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\adirss.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Tom\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - (no file)
O2 - BHO: (no name) - {1b68470c-2def-493b-8a4a-8e2d81be4ea5} - (no file)
O2 - BHO: (no name) - {1c4da27d-4d52-4465-a089-98e01bb725ca} - (no file)
O2 - BHO: (no name) - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
O2 - BHO: (no name) - {746455fe-d059-47e7-af0e-140e03f5a447} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7a7e6d97-b492-4884-9abb-c31281dcc4f2} - (no file)
O2 - BHO: (no name) - {860c2f6b-ca82-4282-9187-beccbb66f0af} - (no file)
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
O2 - BHO: (no name) - {a6f42cad-2559-48df-af30-89e480af5dfa} - (no file)
O2 - BHO: (no name) - {b212d577-05b7-4963-911e-4a8588160dfa} - (no file)
O2 - BHO: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
O2 - BHO: ASGP32.ASGP - {D8C60617-F121-4F41-984D-E841C057E55D} - C:\WINDOWS\system32\asgp32.dll
O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
O2 - BHO: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [adir] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {55F2FE00-C6E1-11D4-84BC-009027889212} (Seagate DiscWizard English) - http://www.seagate.com/support/disc/asp/dw...in/npdscwiz.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe


#2 MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 11 November 2006 - 10:24 PM

There is a mess here - do all of the following and then post the logs
=============
You have no active AntiVirus!

Get the free AVG 7, install it, check for updates and run a full scan

AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/
========================

Download http://www.intermute.com/spysubtract/cwshr...r_download.html
Close all browser windows, unzip the file, click on cwshredder.exe, then click "Fix"
============================

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). We'll get them in the next step.
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
======================

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...4129&ac=tsg

(It's a 2 week trial.)

* Click the Try Spy Sweeper for FreeDownload the trial link.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

Also post a new Hijack This log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 tmcdonoug100

  • Topic Starter

  • Members
  • 6 posts

Posted 12 November 2006 - 05:05 PM

The following is the HijackThis log file after running AVG and CWShredder:

Logfile of HijackThis v1.99.1
Scan saved at 4:02:26 PM, on 11/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\Tom\Desktop\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - (no file)
O2 - BHO: (no name) - {1b68470c-2def-493b-8a4a-8e2d81be4ea5} - (no file)
O2 - BHO: (no name) - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
O2 - BHO: (no name) - {746455fe-d059-47e7-af0e-140e03f5a447} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7a7e6d97-b492-4884-9abb-c31281dcc4f2} - (no file)
O2 - BHO: (no name) - {860c2f6b-ca82-4282-9187-beccbb66f0af} - (no file)
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
O2 - BHO: (no name) - {b212d577-05b7-4963-911e-4a8588160dfa} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
O2 - BHO: ASGP32.ASGP - {D8C60617-F121-4F41-984D-E841C057E55D} - C:\WINDOWS\system32\asgp32.dll
O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
O2 - BHO: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file)
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {55F2FE00-C6E1-11D4-84BC-009027889212} (Seagate DiscWizard English) - http://www.seagate.com/support/disc/asp/dw...in/npdscwiz.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe

and this is the log file after running smitfraud:
Logfile of HijackThis v1.99.1
Scan saved at 4:02:26 PM, on 11/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\Tom\Desktop\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - (no file)
O2 - BHO: (no name) - {1b68470c-2def-493b-8a4a-8e2d81be4ea5} - (no file)
O2 - BHO: (no name) - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
O2 - BHO: (no name) - {746455fe-d059-47e7-af0e-140e03f5a447} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7a7e6d97-b492-4884-9abb-c31281dcc4f2} - (no file)
O2 - BHO: (no name) - {860c2f6b-ca82-4282-9187-beccbb66f0af} - (no file)
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
O2 - BHO: (no name) - {b212d577-05b7-4963-911e-4a8588160dfa} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
O2 - BHO: ASGP32.ASGP - {D8C60617-F121-4F41-984D-E841C057E55D} - C:\WINDOWS\system32\asgp32.dll
O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
O2 - BHO: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file)
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {55F2FE00-C6E1-11D4-84BC-009027889212} (Seagate DiscWizard English) - http://www.seagate.com/support/disc/asp/dw...in/npdscwiz.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe

#4 tmcdonoug100

  • Topic Starter

  • Members
  • 6 posts

Posted 12 November 2006 - 05:10 PM

Sorry to repost again, but I still have no internet on this computer, which is on a network with three other computers, and all three other computers are still able to access the internet.

#5 MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 12 November 2006 - 05:44 PM

Where is the smitfraud log and the spysweeper log??????????????????


You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - (no file)
O2 - BHO: (no name) - {1b68470c-2def-493b-8a4a-8e2d81be4ea5} - (no file)
O2 - BHO: (no name) - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
O2 - BHO: (no name) - {746455fe-d059-47e7-af0e-140e03f5a447} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7a7e6d97-b492-4884-9abb-c31281dcc4f2} - (no file)
O2 - BHO: (no name) - {860c2f6b-ca82-4282-9187-beccbb66f0af} - (no file)
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)

O2 - BHO: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
O2 - BHO: (no name) - {b212d577-05b7-4963-911e-4a8588160dfa} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
O2 - BHO: ASGP32.ASGP - {D8C60617-F121-4F41-984D-E841C057E55D} - C:\WINDOWS\system32\asgp32.dll
O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
O2 - BHO: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file)

DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\asgp32.dll


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
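As an added illustration of how a helper like MFDnSC reads these logs (example code written for this page, not code from the thread, from HijackThis or from any tool named here): a small Python triage script that flags the same classes of entry the replies above single out, namely registrations that point at files that no longer exist, and BHO or autorun entries loaded from the Windows system directory that are not on an allow list. The sample log lines are copied from the posted logs; the allow list, the `Finding` structure and the heuristics are constructed for the example.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a few lines of the kind seen in the HijackThis logs
# posted in this thread (entries copied from those logs).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
O2 - BHO: ASGP32.ASGP - {D8C60617-F121-4F41-984D-E841C057E55D} - C:\WINDOWS\system32\asgp32.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [adir] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# HijackThis line shapes used here: O2 browser helper objects and O4 registry Run entries.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# First program on a command line, quoted or not (stops at the first .exe/.dll/.com/.scr).
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|dll|com|scr))"?', re.IGNORECASE)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\", "c:\\winnt\\system32\\")
# Constructed allow list of system-directory binaries expected on this kind of
# machine; a real list would come from vendor catalogues or file hashes.
KNOWN_GOOD = {"nerocheck.exe", "wgalogon.dll"}


@dataclass(frozen=True)
class Finding:
    category: str  # "orphan": dead registration, plain cleanup; "review": needs a human look
    reason: str
    entry: str


def executable_of(command):
    """Return the program launched by an O4 command line, or None if unparseable."""
    m = EXE_RE.match(command.strip())
    return m.group("exe") if m else None


def in_system_dir(path):
    return bool(path) and path.lower().startswith(SYSTEM_DIRS)


def unrecognised(path):
    """True for a system-directory binary that is not on the allow list."""
    return in_system_dir(path) and ntpath.basename(path).lower() not in KNOWN_GOOD


def triage(log_text):
    """Walk a HijackThis log and return the entries a helper would look at first."""
    findings = []
    run_hives = {}  # autorun value name (lower-cased) -> hives it is registered under
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        low = line.lower()
        # Dead registrations (BHO, protocol handler, service, ...) are what the
        # helper in this thread had the user fix-check in HijackThis.
        if "(no file)" in low or "(file missing)" in low:
            findings.append(Finding("orphan", "registration points at a file that no longer exists", line))
            continue
        m = BHO_RE.match(line)
        if m:
            if unrecognised(m.group("path")):
                findings.append(Finding("review", "BHO loaded from the system directory is not on the allow list", line))
            continue
        m = RUN_RE.match(line)
        if m:
            run_hives.setdefault(m.group("name").lower(), set()).add(m.group("hive"))
            # A rundll32.exe host is not resolved to the DLL it loads; that stays a manual check.
            if unrecognised(executable_of(m.group("cmd"))):
                findings.append(Finding("review", "autorun starts a system-directory executable not on the allow list", line))
    # The same value name under both HKLM and HKCU (UpdateService in the posted
    # log) is worth a look even when each entry on its own seems plain.
    for name, hives in run_hives.items():
        if len(hives) > 1:
            findings.append(Finding("review", "autorun value registered under more than one hive", name))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:7} {f.reason}: {f.entry}")
```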

#6 tmcdonoug100

  • Topic Starter

  • Members
  • 6 posts

Posted 13 November 2006 - 08:09 PM

The following are the HijackThis log file, Spy Sweeper log file and smitfraud log file after fixing files with HijackThis and running Killbox in safe mode. There was only 1 temp file and it would not delete. Still cannot get internet at this computer; the other 3 computers on the network do get internet. The network icon has a warning: "Local area connection has limited or no connectivity. You might not be able to access the internet or some network resources," and you're unable to get an IP address.
Thanx

Logfile of HijackThis v1.99.1
Scan saved at 6:08:05 PM, on 11/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Tom\Desktop\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {55F2FE00-C6E1-11D4-84BC-009027889212} (Seagate DiscWizard English) - http://www.seagate.com/support/disc/asp/dw...in/npdscwiz.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Keylogger: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
5:54 PM: Shield States
5:54 PM: Spyware Definitions: 790
5:54 PM: Warning: Virus definitions files are invalid, please update your virus definitions. 220
5:53 PM: Spy Sweeper 5.2.3.2125 started
Keylogger: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
5:27 PM: Shield States
5:27 PM: Spyware Definitions: 790
5:26 PM: Warning: Virus definitions files are invalid, please update your virus definitions. 220
5:26 PM: Spy Sweeper 5.2.3.2125 started
Keylogger: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:47 PM: Shield States
7:46 PM: Spyware Definitions: 790
7:46 PM: Warning: Virus definitions files are invalid, please update your virus definitions. 220
7:46 PM: Spy Sweeper 5.2.3.2125 started
6:29 PM: | End of Session, Sunday, November 12, 2006 |
Keylogger: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
6:14 PM: Shield States
6:14 PM: Spyware Definitions: 790
6:14 PM: Warning: Virus definitions files are invalid, please update your virus definitions. 220
6:13 PM: Spy Sweeper 5.2.3.2125 started
6:13 PM: Spy Sweeper 5.2.3.2125 started
6:13 PM: | Start of Session, Sunday, November 12, 2006 |
********
7:43 PM: Removal process completed. Elapsed time 00:11:50
7:43 PM: Preparing to restart your computer. Please wait...
7:33 PM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST237.tmp". Reason: The system cannot find the file specified
7:33 PM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
7:33 PM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST237.tmp". Reason: The system cannot find the file specified
7:33 PM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
7:33 PM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST237.tmp". Reason: The system cannot find the file specified
7:33 PM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
7:33 PM: Quarantining All Traces: dealtime cookie
7:33 PM: Quarantining All Traces: servlet cookie
7:33 PM: Quarantining All Traces: one-time-offer cookie
7:33 PM: Quarantining All Traces: metareward.com cookie
7:33 PM: Quarantining All Traces: webtrends cookie
7:33 PM: Quarantining All Traces: techtarget cookie
7:33 PM: Quarantining All Traces: kount cookie
7:33 PM: Quarantining All Traces: sb01 cookie
7:33 PM: Quarantining All Traces: ic-live cookie
7:33 PM: Quarantining All Traces: go.com cookie
7:33 PM: Quarantining All Traces: did-it cookie
7:33 PM: Quarantining All Traces: 360i cookie
7:33 PM: Quarantining All Traces: howstuffworks cookie
7:33 PM: Quarantining All Traces: about cookie
7:33 PM: Quarantining All Traces: bizrate cookie
7:33 PM: Quarantining All Traces: gorillanation cookie
7:33 PM: Quarantining All Traces: screensavers.com cookie
7:33 PM: Quarantining All Traces: rn11 cookie
7:33 PM: Quarantining All Traces: banners cookie
7:33 PM: Quarantining All Traces: ask cookie
7:33 PM: Quarantining All Traces: cc214142 cookie
7:33 PM: Quarantining All Traces: burstbeacon cookie
7:33 PM: Quarantining All Traces: nextag cookie
7:33 PM: Quarantining All Traces: 2o7.net cookie
7:33 PM: Quarantining All Traces: homestore cookie
7:33 PM: Quarantining All Traces: overture cookie
7:33 PM: Quarantining All Traces: columbiahouse cookie
7:33 PM: Quarantining All Traces: burstnet cookie
7:33 PM: Quarantining All Traces: belnk cookie
7:33 PM: Quarantining All Traces: atwola cookie
7:33 PM: Quarantining All Traces: specificclick.com cookie
7:33 PM: Quarantining All Traces: adknowledge cookie
7:33 PM: Quarantining All Traces: yieldmanager cookie
7:33 PM: Quarantining All Traces: antispyware soldier fakealert
7:33 PM: Quarantining All Traces: cashdeluxe
7:33 PM: Quarantining All Traces: coolwebsearch (cws)
7:33 PM: Quarantining All Traces: trojan-downloader-galapoper
7:33 PM: Quarantining All Traces: bravesentry fakealert
7:32 PM: Quarantining All Traces: fakealert fake infection
7:32 PM: C:\WINDOWS\system32\wlflihqh.exe is in use. It will be removed on reboot.
7:32 PM: adwaresheriff fakealert is in use. It will be removed on reboot.
7:32 PM: Quarantining All Traces: adwaresheriff fakealert
7:32 PM: Quarantining All Traces: trojan-downloader-wstart
7:32 PM: Quarantining All Traces: daily toolbar
7:32 PM: Quarantining All Traces: blazefind
7:32 PM: Quarantining All Traces: trojan-backdoor-securemulti
7:32 PM: Quarantining All Traces: trojan-downloader-zlob
7:31 PM: Removal process initiated
7:15 PM: Traces Found: 135
7:15 PM: Full Sweep has completed. Elapsed time 00:45:10
7:15 PM: C:\WINDOWS\system32\bridge.dll (ID = 343072)
7:15 PM: C:\WINDOWS\system32\a.exe (ID = 343082)
7:15 PM: C:\WINDOWS\Pynix.dll (ID = 343063)
7:15 PM: C:\WINDOWS\BTGrab.dll (ID = 343067)
7:15 PM: C:\WINDOWS\system32\runsrv32.dll (ID = 343073)
7:15 PM: C:\WINDOWS\system32\wstart.dll (ID = 343078)
7:15 PM: C:\WINDOWS\alxtb1.dll (ID = 343068)
7:15 PM: C:\WINDOWS\ZServ.dll (ID = 343064)
7:15 PM: C:\WINDOWS\system32\txfdb32.dll (ID = 343076)
7:15 PM: C:\WINDOWS\dlmax.dll (ID = 343066)
7:15 PM: C:\WINDOWS\system32\questmod.dll (ID = 343074)
7:15 PM: C:\WINDOWS\system32\udpmod.dll (ID = 343077)
7:15 PM: C:\WINDOWS\system32\dailytoolbar.dll (ID = 343080)
7:15 PM: C:\WINDOWS\alexaie.dll (ID = 343070)
7:15 PM: C:\WINDOWS\alxie328.dll (ID = 343069)
7:15 PM: C:\WINDOWS\system32\alxres.dll (ID = 343081)
7:15 PM: C:\WINDOWS\system32\tcpservice2.exe (ID = 343079)
7:15 PM: C:\WINDOWS\susp.exe (ID = 343065)
7:15 PM: C:\WINDOWS\system32\jao.dll (ID = 343075)
7:15 PM: File Sweep Complete, Elapsed Time: 00:40:18
7:11 PM: Warning: Stream read error
7:10 PM: Warning: Failed to access drive H:
7:10 PM: Warning: Failed to access drive G:
7:05 PM: Spy Installation Shield: found: Adware: antispyware soldier fakealert, version 1.0.0.0
7:05 PM: Spy Installation Shield: found: Adware: antispyware soldier fakealert, version 1.0.0.0
7:05 PM: Spy Installation Shield: found: Adware: antispyware soldier fakealert, version 1.0.0.0
7:05 PM: Spy Installation Shield: found: Adware: antispyware soldier fakealert, version 1.0.0.0
7:05 PM: C:\WINDOWS\system32\qvgbqjjx.exe (ID = 375092)
7:04 PM: C:\WINDOWS\system32\image1.gif.exe (ID = 385647)
7:04 PM: C:\WINDOWS\system32\dsnispvu.exe (ID = 375092)
7:00 PM: C:\WINDOWS\system32\impjdbtx.exe (ID = 339932)
6:59 PM: C:\WINDOWS\system32\qpncykpx.exe (ID = 343217)
6:57 PM: C:\WINDOWS\system32\xwtqshbw.exe (ID = 339933)
6:48 PM: C:\WINDOWS\xxxvideo.hta (ID = 54659)
6:48 PM: Found Adware: coolwebsearch (cws)
6:41 PM: C:\WINDOWS\system32\cjkabani.exe (ID = 327609)
6:41 PM: C:\WINDOWS\system32\ddrqvmdj.exe (ID = 343217)
6:41 PM: C:\WINDOWS\system32\pmnpfkwc.exe (ID = 327058)
6:41 PM: Found Trojan Horse: trojan-backdoor-securemulti
6:41 PM: C:\WINDOWS\system32\ltciwssq.exe (ID = 327107)
6:41 PM: Found Trojan Horse: trojan-downloader-galapoper
6:41 PM: C:\WINDOWS\system32\wlflihqh.exe (ID = 328136)
6:41 PM: C:\WINDOWS\system32\jgekaqcx.exe (ID = 339932)
6:41 PM: C:\WINDOWS\system32\smartdrv.exe (ID = 337859)
6:34 PM: Starting File Sweep
6:34 PM: Warning: Failed to access drive A:
6:34 PM: Cookie Sweep Complete, Elapsed Time: 00:00:14
6:34 PM: c:\documents and settings\tom\cookies\tom@www.screensavers[2].txt (ID = 3298)
6:34 PM: c:\documents and settings\tom\cookies\tom@stat.dealtime[1].txt (ID = 2506)
6:34 PM: Found Spy Cookie: dealtime cookie
6:34 PM: c:\documents and settings\tom\cookies\tom@sports.espn.go[2].txt (ID = 2729)
6:34 PM: c:\documents and settings\tom\cookies\tom@sports-att.espn.go[1].txt (ID = 2729)
6:34 PM: c:\documents and settings\tom\cookies\tom@servlet[2].txt (ID = 3345)
6:34 PM: c:\documents and settings\tom\cookies\tom@servlet[1].txt (ID = 3345)
6:34 PM: Found Spy Cookie: servlet cookie
6:34 PM: c:\documents and settings\tom\cookies\tom@rsi.espn.go[1].txt (ID = 2729)
6:34 PM: c:\documents and settings\tom\cookies\tom@r.espn.go[1].txt (ID = 2729)
6:34 PM: c:\documents and settings\tom\cookies\tom@proxy.espn.go[1].txt (ID = 2729)
6:34 PM: c:\documents and settings\tom\cookies\tom@pcsupport.about[1].txt (ID = 2038)
6:34 PM: c:\documents and settings\tom\cookies\tom@one-time-offer[2].txt (ID = 3095)
6:34 PM: Found Spy Cookie: one-time-offer cookie
6:34 PM: c:\documents and settings\tom\cookies\tom@nextag[2].txt (ID = 5014)
6:34 PM: c:\documents and settings\tom\cookies\tom@my.espn.go[2].txt (ID = 2729)
6:34 PM: c:\documents and settings\tom\cookies\tom@msnportal.112.2o7[1].txt (ID = 1958)
6:34 PM: c:\documents and settings\tom\cookies\tom@msn.espn.go[1].txt (ID = 2729)
6:34 PM: c:\documents and settings\tom\cookies\tom@metareward[1].txt (ID = 2990)
6:34 PM: Found Spy Cookie: metareward.com cookie
6:34 PM: c:\documents and settings\tom\cookies\tom@m.webtrends[1].txt (ID = 3669)
6:34 PM: Found Spy Cookie: webtrends cookie
6:34 PM: c:\documents and settings\tom\cookies\tom@lm.espn.go[1].txt (ID = 2729)
6:34 PM: c:\documents and settings\tom\cookies\tom@landscaping.about[1].txt (ID = 2038)
6:34 PM: c:\documents and settings\tom\cookies\tom@labmice.techtarget[2].txt (ID = 3500)
6:34 PM: Found Spy Cookie: techtarget cookie
6:34 PM: c:\documents and settings\tom\cookies\tom@kount[1].txt (ID = 2911)
6:34 PM: Found Spy Cookie: kount cookie
6:34 PM: c:\documents and settings\tom\cookies\tom@jp1.sb01[2].txt (ID = 3288)
6:34 PM: Found Spy Cookie: sb01 cookie
6:34 PM: c:\documents and settings\tom\cookies\tom@insider.espn.go[2].txt (ID = 2729)
6:34 PM: c:\documents and settings\tom\cookies\tom@ic-live[1].txt (ID = 2821)
6:34 PM: Found Spy Cookie: ic-live cookie
6:34 PM: c:\documents and settings\tom\cookies\tom@howstuffworks[2].txt (ID = 2805)
6:34 PM: c:\documents and settings\tom\cookies\tom@homestore[2].txt (ID = 2793)
6:34 PM: c:\documents and settings\tom\cookies\tom@go[1].txt (ID = 2728)
6:34 PM: c:\documents and settings\tom\cookies\tom@golf.about[1].txt (ID = 2038)
6:34 PM: c:\documents and settings\tom\cookies\tom@games.espn.go[1].txt (ID = 2729)
6:34 PM: c:\documents and settings\tom\cookies\tom@forums.espn.go[1].txt (ID = 2729)
6:34 PM: c:\documents and settings\tom\cookies\tom@espn.go[1].txt (ID = 2729)
6:34 PM: Found Spy Cookie: go.com cookie
6:34 PM: c:\documents and settings\tom\cookies\tom@dist.belnk[2].txt (ID = 2293)
6:34 PM: c:\documents and settings\tom\cookies\tom@did-it[1].txt (ID = 2523)
6:34 PM: Found Spy Cookie: did-it cookie
6:34 PM: c:\documents and settings\tom\cookies\tom@ct.360i[1].txt (ID = 1962)
6:34 PM: Found Spy Cookie: 360i cookie
6:34 PM: c:\documents and settings\tom\cookies\tom@computer.howstuffworks[2].txt (ID = 2806)
6:34 PM: Found Spy Cookie: howstuffworks cookie
6:34 PM: c:\documents and settings\tom\cookies\tom@columbiahouse[1].txt (ID = 2443)
6:34 PM: c:\documents and settings\tom\cookies\tom@casinogambling.about[1].txt (ID = 2038)
6:34 PM: Found Spy Cookie: about cookie
6:34 PM: c:\documents and settings\tom\cookies\tom@bizrate[2].txt (ID = 2308)
6:34 PM: Found Spy Cookie: bizrate cookie
6:34 PM: c:\documents and settings\tom\cookies\tom@belnk[1].txt (ID = 2292)
6:34 PM: c:\documents and settings\tom\cookies\tom@ads.gorillanation[1].txt (ID = 2744)
6:34 PM: Found Spy Cookie: gorillanation cookie
6:34 PM: c:\documents and settings\tom\cookies\tom@adq.nextag[1].txt (ID = 5015)
6:34 PM: c:\documents and settings\pat\cookies\pat@www.screensavers[2].txt (ID = 3298)
6:34 PM: Found Spy Cookie: screensavers.com cookie
6:34 PM: c:\documents and settings\pat\cookies\pat@e.rn11[2].txt (ID = 3262)
6:34 PM: Found Spy Cookie: rn11 cookie
6:34 PM: c:\documents and settings\pat\cookies\pat@dist.belnk[2].txt (ID = 2293)
6:34 PM: c:\documents and settings\pat\cookies\pat@belnk[1].txt (ID = 2292)
6:34 PM: c:\documents and settings\pat\cookies\pat@banners[1].txt (ID = 2282)
6:34 PM: Found Spy Cookie: banners cookie
6:34 PM: c:\documents and settings\pat\cookies\pat@atwola[1].txt (ID = 2255)
6:34 PM: c:\documents and settings\pat\cookies\pat@ask[1].txt (ID = 2245)
6:34 PM: Found Spy Cookie: ask cookie
6:34 PM: c:\documents and settings\pat\cookies\pat@ads.cc214142[2].txt (ID = 2367)
6:34 PM: Found Spy Cookie: cc214142 cookie
6:34 PM: c:\documents and settings\pat\cookies\pat@adknowledge[1].txt (ID = 2072)
6:34 PM: c:\documents and settings\pat\cookies\pat@ad.yieldmanager[2].txt (ID = 3751)
6:34 PM: c:\documents and settings\karen\cookies\karen@www.burstnet[2].txt (ID = 2337)
6:34 PM: c:\documents and settings\karen\cookies\karen@www.burstbeacon[1].txt (ID = 2335)
6:34 PM: Found Spy Cookie: burstbeacon cookie
6:34 PM: c:\documents and settings\karen\cookies\karen@nextag[2].txt (ID = 5014)
6:34 PM: Found Spy Cookie: nextag cookie
6:34 PM: c:\documents and settings\karen\cookies\karen@msnportal.112.2o7[1].txt (ID = 1958)
6:34 PM: Found Spy Cookie: 2o7.net cookie
6:34 PM: c:\documents and settings\karen\cookies\karen@media.homestore[1].txt (ID = 2794)
6:34 PM: c:\documents and settings\karen\cookies\karen@homestore[1].txt (ID = 2793)
6:34 PM: Found Spy Cookie: homestore cookie
6:34 PM: c:\documents and settings\karen\cookies\karen@dist.belnk[2].txt (ID = 2293)
6:34 PM: c:\documents and settings\karen\cookies\karen@data2.perf.overture[2].txt (ID = 3106)
6:34 PM: Found Spy Cookie: overture cookie
6:34 PM: c:\documents and settings\karen\cookies\karen@columbiahouse[2].txt (ID = 2443)
6:34 PM: Found Spy Cookie: columbiahouse cookie
6:34 PM: c:\documents and settings\karen\cookies\karen@burstnet[1].txt (ID = 2336)
6:34 PM: Found Spy Cookie: burstnet cookie
6:34 PM: c:\documents and settings\karen\cookies\karen@belnk[1].txt (ID = 2292)
6:34 PM: Found Spy Cookie: belnk cookie
6:34 PM: c:\documents and settings\karen\cookies\karen@atwola[1].txt (ID = 2255)
6:34 PM: Found Spy Cookie: atwola cookie
6:34 PM: c:\documents and settings\karen\cookies\karen@adopt.specificclick[1].txt (ID = 3400)
6:34 PM: Found Spy Cookie: specificclick.com cookie
6:34 PM: c:\documents and settings\karen\cookies\karen@adknowledge[2].txt (ID = 2072)
6:34 PM: Found Spy Cookie: adknowledge cookie
6:34 PM: c:\documents and settings\karen\cookies\karen@ad.yieldmanager[2].txt (ID = 3751)
6:34 PM: Found Spy Cookie: yieldmanager cookie
6:34 PM: Starting Cookie Sweep
6:34 PM: Registry Sweep Complete, Elapsed Time:00:01:16
6:34 PM: HKU\S-1-5-21-746137067-1614895754-1177238915-1004\software\microsoft\windows\currentversion\ext\stats\{479fd0cf-5be9-4c63-8cda-b6d371c67bd5}\ (ID = 1711978)
6:34 PM: HKU\S-1-5-21-746137067-1614895754-1177238915-1004\software\microsoft\windows\currentversion\ext\stats\{202a961f-23ae-42b1-9505-ffe3c818d717}\ (ID = 1711973)
6:33 PM: HKU\WRSS_Profile_S-1-5-21-746137067-1614895754-1177238915-1008\software\microsoft\windows\currentversion\ext\stats\{479fd0cf-5be9-4c63-8cda-b6d371c67bd5}\ (ID = 1711978)
6:33 PM: HKU\WRSS_Profile_S-1-5-21-746137067-1614895754-1177238915-1008\software\microsoft\windows\currentversion\ext\stats\{202a961f-23ae-42b1-9505-ffe3c818d717}\ (ID = 1711973)
6:33 PM: Found Trojan Horse: trojan-downloader-zlob
6:33 PM: HKU\WRSS_Profile_S-1-5-21-746137067-1614895754-1177238915-1008\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}\ (ID = 1706707)
6:33 PM: Found Adware: bravesentry fakealert
6:33 PM: HKCR\appid\wstart.dll\ (ID = 1606702)
6:33 PM: Found Adware: fakealert fake infection
6:33 PM: HKLM\software\classes\typelib\{8b076501-1d1b-4b26-9492-fdb8eee00d7f}\ (ID = 1589468)
6:33 PM: HKLM\software\classes\office_pnl.office_panel\ (ID = 1589464)
6:33 PM: HKCR\typelib\{8b076501-1d1b-4b26-9492-fdb8eee00d7f}\ (ID = 1589441)
6:33 PM: HKCR\office_pnl.office_panel\ (ID = 1589437)
6:33 PM: HKLM\software\classes\clsid\{b53455db-5527-4041-ac41-f86e6947aa47}\ (ID = 1578081)
6:33 PM: HKCR\clsid\{b53455db-5527-4041-ac41-f86e6947aa47}\ (ID = 1578080)
6:33 PM: HKLM\software\classes\url_relpacer.urlresolver\ (ID = 1224209)
6:33 PM: HKCR\url_relpacer.urlresolver\ (ID = 1224196)
6:33 PM: Found Adware: adwaresheriff fakealert
6:33 PM: HKLM\software\microsoft\active setup\installed components\{y479c6d0-otrw-u5gh-s1ee-e0ac10b4e666}\ (ID = 937390)
6:33 PM: Found Adware: antispyware soldier fakealert
6:33 PM: HKCR\wstart.whttphelper\ (ID = 144911)
6:33 PM: HKCR\wstart.whttphelper.1\ (ID = 144910)
6:33 PM: HKLM\software\wsoft\ (ID = 144909)
6:33 PM: HKLM\software\classes\wstart.whttphelper\ (ID = 144907)
6:33 PM: HKLM\software\classes\wstart.whttphelper.1\ (ID = 144906)
6:33 PM: HKLM\software\classes\clsid\{9896231a-c487-43a5-8369-6ec9b0a96cc0}\ (ID = 144905)
6:33 PM: HKLM\software\classes\appid\{f6bdb4e5-d6aa-4d1f-8b67-bcb0f2246e21}\ (ID = 144904)
6:33 PM: HKLM\software\classes\appid\wstart.dll\ (ID = 144903)
6:33 PM: HKCR\clsid\{9896231a-c487-43a5-8369-6ec9b0a96cc0}\ (ID = 144902)
6:33 PM: HKCR\appid\{f6bdb4e5-d6aa-4d1f-8b67-bcb0f2246e21}\ (ID = 144901)
6:33 PM: HKCR\appid\wstart.dll\ (ID = 144900)
6:33 PM: Found Trojan Horse: trojan-downloader-wstart
6:33 PM: HKLM\software\classes\ietoolbar.affiliatectl\ (ID = 124593)
6:33 PM: HKLM\software\classes\dailytoolbar.sysmgr\ (ID = 124592)
6:33 PM: HKLM\software\classes\dailytoolbar.ieband\ (ID = 124590)
6:33 PM: HKCR\ietoolbar.affiliatectl\ (ID = 124565)
6:33 PM: HKCR\dailytoolbar.sysmgr\ (ID = 124564)
6:33 PM: HKCR\dailytoolbar.ieband\ (ID = 124562)
6:33 PM: Found Adware: daily toolbar
6:33 PM: HKLM\software\classes\bridge.brdg\ (ID = 104468)
6:33 PM: HKCR\jao.jao\ (ID = 104463)
6:33 PM: HKCR\bridge.brdg\ (ID = 104437)
6:33 PM: Found Adware: blazefind
6:32 PM: Starting Registry Sweep
6:32 PM: Memory Sweep Complete, Elapsed Time: 00:02:54
6:30 PM: Starting Memory Sweep
6:29 PM: HKCR\clsid\{b53455db-5527-4041-ac41-f86e6947aa47}\inprocserver32\ (ID = 1578082)
6:29 PM: Found Adware: cashdeluxe
6:29 PM: Start Full Sweep
6:29 PM: Sweep initiated using definitions version 790
6:29 PM: Spy Sweeper 5.2.3.2125 started
6:29 PM: | Start of Session, Sunday, November 12, 2006 |
********
SmitFraudFix v2.120

Scan done at 18:01:54.90, Mon 11/13/2006
Run from C:\Documents and Settings\Tom\My Documents\Unzipped\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\accesss.exe FOUND !
C:\WINDOWS\astctl32.ocx FOUND !
C:\WINDOWS\clrssn.exe FOUND !
C:\WINDOWS\cpan.dll FOUND !
C:\WINDOWS\dialup.exe FOUND !
C:\WINDOWS\inetdctr.dll FOUND !
C:\WINDOWS\infected.gif FOUND !
C:\WINDOWS\olehelp.exe FOUND !
C:\WINDOWS\runwin32.exe FOUND !
C:\WINDOWS\spp3.dll FOUND !
C:\WINDOWS\systeem.exe FOUND !
C:\WINDOWS\systemcritical.exe FOUND !
C:\WINDOWS\time.exe FOUND !
C:\WINDOWS\users32.exe FOUND !
C:\WINDOWS\waol.exe FOUND !
C:\WINDOWS\win_logo.gif FOUND !
C:\WINDOWS\win32e.exe FOUND !
C:\WINDOWS\win64.exe FOUND !
C:\WINDOWS\winajbm.dll FOUND !
C:\WINDOWS\window.exe FOUND !
C:\WINDOWS\wininet32.exe FOUND !
C:\WINDOWS\winmgnt.exe FOUND !
C:\WINDOWS\x.exe FOUND !
C:\WINDOWS\xplugin.dll FOUND !
C:\WINDOWS\y.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ace16win.dll FOUND !
C:\WINDOWS\system32\anti_troj.exe FOUND !
C:\WINDOWS\system32\dload.exe FOUND !
C:\WINDOWS\system32\iewd.exe FOUND !
C:\WINDOWS\system32\kernels64.exe FOUND !
C:\WINDOWS\system32\lfd.dat FOUND !
C:\WINDOWS\system32\mpsegment.exe FOUND !
C:\WINDOWS\system32\msmapi32.exe.MANIFEST FOUND !
C:\WINDOWS\system32\mshtml32.tdb FOUND !
C:\WINDOWS\system32\msmsn.exe FOUND !
C:\WINDOWS\system32\netstat2.exe FOUND !
C:\WINDOWS\system32\oiso.bin FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\pcf.pdf FOUND !
C:\WINDOWS\system32\perfont.exe FOUND !
C:\WINDOWS\system32\POPCORN72.EXE FOUND !
C:\WINDOWS\system32\proqlaim.exe FOUND !
C:\WINDOWS\system32\smaexp32.dll FOUND !
C:\WINDOWS\system32\taskdir~.exe FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\win32hp.dll FOUND !
C:\WINDOWS\system32\winmuse.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Tom


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Tom\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#7 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 14 November 2006 - 11:13 AM

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#8 tmcdonoug100

tmcdonoug100
  • Topic Starter

  • Members
  • 6 posts

Posted 14 November 2006 - 04:37 PM

The following are the SmitFraudFix log file after running in safe mode and a new HijackThis log file after rebooting into normal mode. SmitFraudFix: I cleaned infected files and SmitFraudFix displayed
killing process.....
generic renos fix....
deleting infected files....
deleting temp files....
File not found C:\docume~1\admin~1\locals~1\temp\*.*
Then I prompted it to clean the registry and rebooted. Still no internet connection, but no popups:

SmitFraudFix v2.120

Scan done at 15:57:11.07, Tue 11/14/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\accesss.exe Deleted
C:\WINDOWS\astctl32.ocx Deleted
C:\WINDOWS\clrssn.exe Deleted
C:\WINDOWS\cpan.dll Deleted
C:\WINDOWS\dialup.exe Deleted
C:\WINDOWS\inetdctr.dll Deleted
C:\WINDOWS\infected.gif Deleted
C:\WINDOWS\olehelp.exe Deleted
C:\WINDOWS\runwin32.exe Deleted
C:\WINDOWS\spp3.dll Deleted
C:\WINDOWS\systeem.exe Deleted
C:\WINDOWS\systemcritical.exe Deleted
C:\WINDOWS\time.exe Deleted
C:\WINDOWS\users32.exe Deleted
C:\WINDOWS\waol.exe Deleted
C:\WINDOWS\win_logo.gif Deleted
C:\WINDOWS\win32e.exe Deleted
C:\WINDOWS\win64.exe Deleted
C:\WINDOWS\winajbm.dll Deleted
C:\WINDOWS\window.exe Deleted
C:\WINDOWS\wininet32.exe Deleted
C:\WINDOWS\winmgnt.exe Deleted
C:\WINDOWS\x.exe Deleted
C:\WINDOWS\xplugin.dll Deleted
C:\WINDOWS\y.exe Deleted
C:\WINDOWS\system32\ace16win.dll Deleted
C:\WINDOWS\system32\anti_troj.exe Deleted
C:\WINDOWS\system32\dload.exe Deleted
C:\WINDOWS\system32\iewd.exe Deleted
C:\WINDOWS\system32\kernels64.exe Deleted
C:\WINDOWS\system32\lfd.dat Deleted
C:\WINDOWS\system32\mpsegment.exe Deleted
C:\WINDOWS\system32\msmapi32.exe.MANIFEST Deleted
C:\WINDOWS\system32\mshtml32.tdb Deleted
C:\WINDOWS\system32\msmsn.exe Deleted
C:\WINDOWS\system32\netstat2.exe Deleted
C:\WINDOWS\system32\oiso.bin Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\pcf.pdf Deleted
C:\WINDOWS\system32\perfont.exe Deleted
C:\WINDOWS\system32\POPCORN72.EXE Deleted
C:\WINDOWS\system32\proqlaim.exe Deleted
C:\WINDOWS\system32\smaexp32.dll Deleted
C:\WINDOWS\system32\taskdir~.exe Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\win32hp.dll Deleted
C:\WINDOWS\system32\winmuse.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of HijackThis v1.99.1
Scan saved at 4:08:16 PM, on 11/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Tom\Desktop\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {55F2FE00-C6E1-11D4-84BC-009027889212} (Seagate DiscWizard English) - http://www.seagate.com/support/disc/asp/dw...in/npdscwiz.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
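
The log above is the raw material a helper works from, so here is an added example (not part of the thread, HijackThis or BleepingComputer) of doing the first triage pass in code rather than by eye: parse the O4, O18, O20 and O23 lines into structured records, pull the binary path out of each command field (quoted paths with switches such as `/STARTUP`, and unquoted paths that contain spaces), and flag the entries a helper would look at first: targets marked `(file missing)`, services with "Unknown owner", and Winlogon Notify DLLs not on a per-machine allowlist. The sample lines are copied from the posted log; the allowlist of two Winlogon Notify DLLs (Windows Genuine Advantage and Webroot Spy Sweeper) and the three triage rules are the editor's assumptions for this machine, not anything HijackThis itself does.

```python
"""Parse HijackThis 1.99.x log lines and flag entries worth a second look.

Added example for this thread; not part of HijackThis or of any post here.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input: lines copied from the log posted above (O4 Run keys, an O18
# protocol handler, O20 Winlogon Notify packages, O23 services).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumption: the Winlogon Notify DLLs that belong on this particular machine
# (Windows Genuine Advantage and Webroot Spy Sweeper). Any other DLL that
# loads into winlogon.exe at logon is flagged for review.
NOTIFY_ALLOWLIST = {"wgalogon.dll", "wrlogonntf.dll"}

FILE_MISSING = "(file missing)"

_O4 = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_O18 = re.compile(r"^O18 - Protocol: (?P<name>\S+) - \{(?P<clsid>[^}]+)\} - (?P<cmd>.+)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<cmd>.+)$")
_O23 = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - (?P<cmd>.+)$")
# Unquoted command: the path runs up to the first executable-style extension,
# so "C:\Program Files\...\Intel 32\IDriverT.exe" survives its spaces intact.
_UNQUOTED = re.compile(r"^(?P<path>.+?\.(?:exe|dll|cpl|sys|ocx))(?:\s+(?P<args>.*))?$", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    name: str
    path: str
    args: str = ""
    owner: str = ""
    file_missing: bool = False
    flags: List[str] = field(default_factory=list)


def split_command(cmd: str) -> Tuple[str, str, bool]:
    """Split a HijackThis command field into (path, args, file_missing)."""
    cmd = cmd.strip()
    missing = cmd.endswith(FILE_MISSING)
    if missing:
        cmd = cmd[: -len(FILE_MISSING)].rstrip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], "", missing
        return cmd[1:end], cmd[end + 1:].strip(), missing
    m = _UNQUOTED.match(cmd)
    if m:
        return m["path"], m["args"] or "", missing
    return cmd, "", missing


def parse_line(line: str) -> Optional[Entry]:
    """Turn one O4/O18/O20/O23 line into an Entry; other sections return None."""
    line = line.strip()
    if m := _O4.match(line):
        path, args, missing = split_command(m["cmd"])
        return Entry("O4", m["name"], path, args=args, file_missing=missing)
    if m := _O18.match(line):
        path, args, missing = split_command(m["cmd"])
        return Entry("O18", m["name"], path, args=args, file_missing=missing)
    if m := _O20.match(line):
        path, _, missing = split_command(m["cmd"])
        return Entry("O20", m["name"], path, file_missing=missing)
    if m := _O23.match(line):
        path, _, missing = split_command(m["cmd"])
        return Entry("O23", m["name"], path, owner=m["owner"], file_missing=missing)
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review flags and return only the entries that received one."""
    flagged = []
    for e in entries:
        if e.file_missing:
            # The registry points at a binary that is gone: uninstall debris or a
            # malware component already deleted. Harmless to remove, worth noting.
            e.flags.append("orphaned entry: target file missing")
        if e.section == "O23" and e.owner.lower() == "unknown owner":
            # No company name in the service binary's version information.
            e.flags.append("service binary has no publisher")
        if e.section == "O20" and e.path.rsplit("\\", 1)[-1].lower() not in NOTIFY_ALLOWLIST:
            # Winlogon Notify DLLs load into winlogon.exe at every logon, a
            # persistence point heavily used by malware of this era.
            e.flags.append("Winlogon Notify DLL not on allowlist")
        if e.flags:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e.section} {e.name}: {e.path} -> {'; '.join(e.flags)}")
```

On the sample, only the `msnim` protocol handler and the `IDriverT` service come back flagged (both for a missing target, `IDriverT` also for having no publisher); the two Winlogon Notify DLLs pass because they are on the allowlist, which is exactly the judgement a helper has to make by hand when the machine in question is not their own.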

#9 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 14 November 2006 - 05:04 PM

Add remove programs - remove Viewpoint


Run this

http://www.snapfiles.com/get/winsockxpfix.html
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#10 tmcdonoug100

tmcdonoug100
  • Topic Starter

  • Members
  • 6 posts

Posted 20 November 2006 - 06:14 AM

Thank you MFDnSC, your help was greatly appreciated. I still had problems after we removed all of the malware and trojans. The computer was running extremely slow, but at least I had the internet back and could go to the various sites to get updates. Once everything was updated I went to sites that offered free online registry scans, and they found a lot of problems in the registry that were cleaned up with the online scanners little by little. The computer is now running as fast as ever and no pop-ups.

#11 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 20 November 2006 - 11:37 AM

Turn off restore points, boot, turn them back on – here’s how

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
