
Hijackthis Log


  • This topic is locked
22 replies to this topic

#1 Anonymousone


Posted 04 December 2006 - 10:18 PM

If I open IE or Movie Maker my computer reboots.

I can't do System Restore or go into Safe Mode. When I do System Restore it simply tells me it has failed and to try again (I do, no different outcome). I tap F8 when my computer starts and it asks me what OS system I use, I highlight the correct one and press Enter. It asks me to do Safe Mode, I click Enter and a bunch of files show up too quick for me to copy, and it stops.

Java apps have been closing when I open them. I've dealt with that before, but it looks like a different problem this time. I can't even update my Java (online installer). http://img247.imageshack.us/img247/1964/spyware5ld7.jpg

Random restarting.

I've noticed my computer reboots during certain parts of a virus scan.

Often when I log in a box pops up with "A system registry file had to be restored by use of a log or alternate copy. The recovery was successful"

My bookmarks in Firefox have been cleared for some reason, too. I just hope when I get IE to work they're still there.

I had to do the scan in normal mode since I can't get into safe.

I never had the IE or random rebooting problem until I tried some things to get rid of spyware. I installed Smitfraud Fix and tried to run it in Safe Mode, but when I ran the .cmd, the command prompt said "'find' is not recognized as an internal command or external command, operable program or a batch file.." and closed quickly. I tried it again; it still didn't work. I decided to do a System Restore in Safe Mode, and now I can't go back into Safe Mode and I have all these other problems.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:58:34 PM, on 12/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://our.gametalk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.16.81.130:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113609515468
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137996617406
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B756B574-CF2C-4CEB-A275-C0C08C96D909}: NameServer = 68.183.127.103 66.51.206.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

Edited by Anonymousone, 05 December 2006 - 10:46 AM.
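A small triage helper for logs in this HijackThis format, added here as an example and not part of the thread or of the HijackThis tool: it parses the Rn/On entries and lists the ones a helper would look at by hand (references to a file that is missing, a configured proxy, custom DNS servers, Trusted Zone and Winlogon Notify entries). The sample lines are copied from the log above; being listed means only that an entry deserves a look, not that it is malicious.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the HijackThis v1.99.1 log posted above,
# plus the header lines and one ordinary O4 entry that should pass untouched.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://our.gametalk.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.16.81.130:3128
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: http://toolbar.imageshack.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{B756B574-CF2C-4CEB-A275-C0C08C96D909}: NameServer = 68.183.127.103 66.51.206.100
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# Every HijackThis finding line starts with its section code: R0..R3 or O1..O23.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


def parse_entries(log_text):
    """Return (section, body) tuples for each 'Rn - ...' / 'On - ...' line.

    Header lines and the 'Running processes' block do not match and are skipped.
    """
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Return (section, reason, body) for entries a reviewer should inspect.

    The rules only select entries for a manual look; they do not judge them.
    """
    findings = []
    for section, body in entries:
        if "(file missing)" in body or "(no file)" in body:
            # A registered component whose file is gone: leftover or removed item.
            findings.append((section, "dangling reference", body))
        if section == "R1" and "ProxyServer" in body:
            # A user-level proxy routes all IE traffic through that host.
            proxy = body.split("=", 1)[1].strip()
            findings.append((section, "proxy set: " + proxy, body))
        if section == "O17" and "NameServer" in body:
            # Explicit DNS servers: confirm they belong to the user's ISP.
            servers = body.split("=", 1)[1].split()
            findings.append((section, "custom DNS: " + ", ".join(servers), body))
        if section == "O15":
            # Trusted Zone sites run with relaxed IE security settings.
            findings.append((section, "trusted zone entry", body))
        if section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at logon.
            findings.append((section, "winlogon notify DLL", body))
    return findings


def summarize(entries):
    """Count entries per section, e.g. {'R0': 1, 'O4': 1, ...}."""
    counts = defaultdict(int)
    for section, _ in entries:
        counts[section] += 1
    return dict(counts)


if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    print("sections:", summarize(found))
    for section, reason, body in triage(found):
        print(f"[{section}] {reason}: {body}")
```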


#2 SifuMike

    malware expert

Posted 14 December 2006 - 10:45 PM

Hello Anonymousone,

I am SifuMike and I will be helping you. :thumbsup:

Download FIXPATH2.ZIP.
http://internet.cybermesa.com/~bstewart/files/fixpath2.zip

Extract the files to a folder in C:\, like C:\FIXPATH2.

RUNNING THE PROGRAM:

* Open a command prompt window by going to start > run and copy and type: cmd
In the command prompt, type: cd C:\

So you should get C:\>

Then type: cd FIXPATH2

So you should get: C:\>fixpath2

Then type: FIXPATH.EXE
* It will display some preliminary information, and ask if it should continue and check for errors. Click Yes.
* If it successfully updates the Path value in the registry, you will need to reboot for the change to take effect. !! This is really important !!

Reboot

Download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Edited by SifuMike, 14 December 2006 - 10:47 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Anonymousone


Posted 15 December 2006 - 04:02 AM

Thank you so much for your reply, I use my computer often and it's been hell dealing with these problems this past week and a half.

Here's the SmitFraud report:

SmitFraudFix v2.130

Scan done at 0:55:23.82, Fri 12/15/2006
Run from C:\Documents and Settings\Tia\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Tia


C:\Documents and Settings\Tia\Application Data


Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

C:\DOCUME~1\Tia\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End

#4 SifuMike

    malware expert

Posted 15 December 2006 - 11:15 AM

Hi Anonymousone,

Your computer is quite a mess, so this will take a few steps.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

#5 Anonymousone


Posted 15 December 2006 - 05:46 PM

I can't do System Restore or go into Safe Mode. When I do System Restore it simply tells me it has failed and to try again (I do, no different outcome). I tap F8 when my computer starts and it asks me what OS system I use, I highlight the correct one and press Enter. It asks me to do Safe Mode, I click Enter and a bunch of files show up too quick for me to copy, and it stops.


I still can't get into Safe Mode. Is it okay to do the steps in normal mode?

#6 SifuMike

    malware expert

Posted 15 December 2006 - 07:12 PM

Yes, do it in normal mode.



I need you to rename Hijackthis because I believe that you may have an infection that can hide some entries in your log.
  • Please go to the folder where you saved Hijackthis.exe:
    < insert path to Hijackthis >
  • Right-click on it, then select Rename.
  • Name it something like: AnalyzeThis.exe (or whatever you want)
  • Then double-click AnalyzeThis.exe to scan and then post the new Hijackthis log and the Smitfraudfix log.
Do you have your Windows Installation CD that came with your computer?

Edited by SifuMike, 15 December 2006 - 07:24 PM.


#7 Anonymousone


Posted 15 December 2006 - 07:39 PM

I'd have to look around for the CD, I'm not sure. But if it's because I may have missing files I can use my friends.

Here's the new Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 4:32:15 PM, on 12/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\Thing.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.16.81.130:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113609515468
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137996617406
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B756B574-CF2C-4CEB-A275-C0C08C96D909}: NameServer = 68.183.127.103 66.51.206.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

About the SmitFraud report: I ran it/did the fix and it froze up my computer when the text file opened. I rebooted and checked c:\rapport and nothing was there, so I did it again and it worked. Hopefully that didn't change any outcome of the log.

SmitFraudFix v2.130

Scan done at 16:26:27.17, Fri 12/15/2006
Run from C:\Documents and Settings\Tia\Desktop\Fix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

Edited by Anonymousone, 15 December 2006 - 07:42 PM.


#8 SifuMike

    malware expert

Posted 15 December 2006 - 07:46 PM

Hi,

SmitFraud report is not what I expected. :thumbsup:

It should have deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url


Did you run it twice by accident?

Never mind, now I see that you ran it twice. :flowers:

Do a file search and see if C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url

are still there?


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Notes:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Edited by SifuMike, 15 December 2006 - 07:48 PM.


#9 Anonymousone


Posted 15 December 2006 - 07:57 PM

Those files are gone now, here's the ComboFix log:

Tia - 06-12-15 16:50:34.42 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Tia\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-15 to 2006-12-15 ))))))))))))))))))))))))))))))))))


2006-12-15 00:55 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2006-12-15 00:55 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-12-15 00:55 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2006-12-15 00:55 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-12-15 00:55 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-12-15 00:55 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-12-15 00:55 1,754 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-15 00:45 <DIR> d-------- C:\fixpath2
2006-12-04 21:18 <DIR> d-------- C:\WINDOWS\WBEM
2006-12-04 21:17 <DIR> d--h-c--- C:\WINDOWS\ie7
2006-12-04 21:17 <DIR> d-------- C:\WINDOWS\system32\en-US
2006-12-04 21:16 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-12-04 21:15 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-12-04 16:10 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-04 16:10 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-04 15:15 <DIR> d-------- C:\Program Files\Hijackthis
2006-12-04 11:47 <DIR> d-------- C:\Program Files\BPK
2006-12-04 09:34 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-03 06:08 <DIR> d-------- C:\Program Files\NetSupport Manager
2006-11-30 02:39 <DIR> d-------- C:\Program Files\DataApples
2006-11-29 22:49 <DIR> d-------- C:\Program Files\No-IP
2006-11-29 22:10 <DIR> d-------- C:\Program Files\NetworkActiv Web Server 3.5
2006-11-28 06:21 <DIR> d-------- C:\Program Files\SmartFTP Client 2.0 Setup Files
2006-11-28 06:21 <DIR> d-------- C:\Program Files\SmartFTP Client 2.0
2006-11-28 06:21 <DIR> d-------- C:\Documents and Settings\Tia\Application Data\SmartFTP
2006-11-27 07:43 <DIR> d-------- C:\Documents and Settings\Tia\Application Data\OfficeUpdate12
2006-11-27 04:31 <DIR> d-------- C:\Program Files\Accessories
2006-11-26 12:48 <DIR> d-------- C:\Program Files\Easy Icon Maker
2006-11-26 06:12 <DIR> d-------- C:\Program Files\WinZip
2006-11-26 06:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2006-11-26 01:19 <DIR> d-------- C:\Documents and Settings\Tia\.otrproxy
2006-11-26 01:16 <DIR> d-------- C:\Program Files\otrproxy
2006-11-17 18:40 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-15 16:49 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-15 16:18 -------- d-------- C:\Program Files\mIRC
2006-12-15 16:17 -------- d-------- C:\Program Files\SwiftSwitch
2006-12-15 01:58 -------- d-------- C:\Program Files\Outlook Express
2006-12-14 20:42 -------- d-------- C:\Program Files\WinRAR
2006-12-14 20:42 -------- d-------- C:\Documents and Settings\Tia\Application Data\Help
2006-12-13 21:27 -------- d-------- C:\Program Files\ShortKeys2
2006-12-06 22:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-05 07:38 -------- d-------- C:\Program Files\Java
2006-12-04 21:22 -------- d-------- C:\Program Files\Internet Explorer
2006-12-04 18:34 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-04 16:10 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-04 16:10 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-12-04 16:10 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-04 16:10 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-27 07:20 -------- d---s---- C:\Documents and Settings\Tia\Application Data\Microsoft
2006-11-27 06:24 833746 --a------ C:\Program Files\oldrstakes.jpg
2006-11-07 21:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-19 05:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 04:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"SMSERIAL"="sm56hlpr.exe"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"PCTVOICE"="pctspk.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-12-15 16:51:48.62
C:\ComboFix.txt ... 06-12-15 16:51
C:\ComboFix2.txt ... 06-12-15 16:46

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:53 AM

Posted 15 December 2006 - 08:24 PM

I am not seeing anything in the ComboFix log. :thumbsup:

Let's run Microsoft's System File Checker program.

Scannow Tutorial
http://www.updatexp.com/scannow-sfc.html

You may need the Windows Install CD, so have it ready.
Go to Start, then Run, type sfc /scannow in the run box and press enter.

Note: There is a space between sfc and the forward slash. Windows will ask you for your Windows Install CD so put it in...don't worry if the XP setup screen appears, this is not a part of sfc /scannow, your autorun utility in Windows is starting it. Simply minimize the screen and allow sfc to continue.

After you run it, see if you can get into Safe Mode.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 Anonymousone (Topic Starter)

Posted 15 December 2006 - 08:45 PM

I ran the checker and it closed when it finished without asking for any CD, I'm going to try Safe Mode now.

Safe Mode works. The black screen with a bunch of files still comes up, but this time they go away within a few seconds and it lets me work in Safe Mode like normal.

Edited by Anonymousone, 15 December 2006 - 09:23 PM.


#12 SifuMike (malware expert)

Posted 15 December 2006 - 10:17 PM

Hi Anonymousone,

Safe Mode works.


That is great news. :thumbsup: Sounds like you had a damaged system file.

The black screen with a bunch of files still comes up, but this time they go away within a few seconds and it lets me work in Safe Mode like normal.


Can you do a screen print of what it says and post it?

How is your computer running? What problems are you seeing?


* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer, because files in use may be moved/deleted during the reboot.
  • After the reboot, post the contents of the log from Dr.Web you saved previously.

Edited by SifuMike, 15 December 2006 - 10:20 PM.


#13 Anonymousone (Topic Starter)

Posted 15 December 2006 - 11:00 PM

Dr.Web is recognizing mIRC, process.exe, and restart.exe as viruses. mIRC isn't a virus and I'm afraid to delete process.exe and restart.exe. Should I? Still finishing the scan now.

Can you do a screen print of what it says and post it?


I can't do a print screen, it's before I log in to my account. I have a digital cam tho, I can try to get a picture of it before it disappears.

How is your computer running? What problems are you seeing?


My computer rebooted itself once when I tried to log in. I'll see if IE works after the Dr.Web scan is finished.

#14 SifuMike (malware expert)

Posted 15 December 2006 - 11:04 PM

Dr.Web is recognizing mIRC, process.exe, and restart.exe as viruses. mIRC isn't a virus and I'm afraid to delete process.exe and restart.exe. Should I? Still finishing the scan now.


Don't delete any of them. Process.exe is from SmitfraudFix. Not sure about restart.exe but we can research that later. restart.exe is a process associated with F-Secure antivirus from F-Secure, but we need to know the complete file path to do more research on it.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


Edited by SifuMike, 15 December 2006 - 11:13 PM.


#15 Anonymousone (Topic Starter)

Posted 16 December 2006 - 12:43 AM

I went through and manually deleted & moved all but mIRC/process/restart, but it seemed to delete them anyways. No damage done though, still have all my mIRC scripts & the install .exe to SmitFraud.

mirc.exe;c:\program files\mirc;Program.mIRC.616;;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.6.1;Probably BACKDOOR.Trojan;Deleted.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.2.71.1;Probably BACKDOOR.Trojan;Deleted.;
Dummy.class-7e4442f4-715496a7.class;C:\Documents and Settings\Tia\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file;Trojan.NoCheat.240;Deleted.;
Process.exe;C:\Documents and Settings\Tia\Desktop\Fix\SmitfraudFix;Tool.Prockill;Deleted.;
restart.exe;C:\Documents and Settings\Tia\Desktop\Fix\SmitfraudFix;Tool.ShutDown.11;Deleted.;
Process.exe;C:\Documents and Settings\Tia\Desktop\Fix\SmitfraudFix\SmitfraudFix;Tool.Prockill;Deleted.;
restart.exe;C:\Documents and Settings\Tia\Desktop\Fix\SmitfraudFix\SmitfraudFix;Tool.ShutDown.11;Deleted.;
Armored Room Crack.exe;C:\Documents and Settings\Tia\Desktop\Progs\ArmoredCrack;Probably BACKDOOR.Trojan;Deleted.;
Timeline.exe;C:\Documents and Settings\Tia\Desktop\Progs\timeline\timeline;Probably BACKDOOR.Trojan;Deleted.;
ilovespaceun.exe;C:\Program Files\BPK;Trojan.Peflog.48;Deleted.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.616;Deleted.;
A0254719.sys;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP172;Program.Powerkeylog;Deleted.;
A0254721.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP172;Program.Powerkeylog;Deleted.;
A0254762.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0255755.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0255785.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0255799.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0255858.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0255872.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0257873.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0258870.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0259869.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0260870.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0260871.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Probably BACKDOOR.Trojan;Deleted.;
A0261868.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0261875.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0261924.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0261930.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0261941.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Probably BACKDOOR.Trojan;Deleted.;
A0261959.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0261997.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0262036.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0262058.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0262086.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0262105.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0262108.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0262145.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP173;Trojan.WinSpy;Deleted.;
A0262173.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP174;Trojan.WinSpy;Deleted.;
A0262182.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP174;Trojan.Peflog.48;Deleted.;
A0262200.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP174;Trojan.WinSpy;Deleted.;
A0262215.exe\data001;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP174\A0262215.exe;Probably BACKDOOR.PWS.Trojan;;
A0262215.exe\data002;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP174\A0262215.exe;BackDoor.Pigeon.290;;
A0262215.exe\data003;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP174\A0262215.exe;BackDoor.Pigeon.290;;
A0262215.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP174;Archive contains infected objects;Moved.;
A0263290.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP179;Trojan.WinSpy;Deleted.;
A0265295.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP179;Trojan.WinSpy;Deleted.;
A0265364.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP179;Trojan.WinSpy;Deleted.;
A0265382.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP179;Trojan.WinSpy;Deleted.;
A0265453.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP179;Trojan.WinSpy;Deleted.;
A0265470.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180;Trojan.WinSpy;Deleted.;
A0265534.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180;Tool.ShutDown.11;Deleted.;
A0265536.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180;Tool.Prockill;Deleted.;
A0265819.exe\data001;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180\A0265819.exe;Probably BACKDOOR.PWS.Trojan;;
A0265819.exe\data002;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180\A0265819.exe;BackDoor.Pigeon.290;;
A0265819.exe\data003;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180\A0265819.exe;BackDoor.Pigeon.290;;
A0265819.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180;Archive contains infected objects;Moved.;
A0265879.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180;Probably BACKDOOR.Trojan;Deleted.;
A0265882.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180;Trojan.WinSpy;Deleted.;
A0265887.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180;Trojan.WinSpy;Deleted.;
A0265908.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180;Trojan.WinSpy;Deleted.;
A0265912.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180;Trojan.WinSpy;Deleted.;
A0265923.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180;Trojan.WinSpy;Deleted.;
A0265931.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180;Trojan.WinSpy;Deleted.;
A0265974.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180;Trojan.WinSpy;Deleted.;
A0265976.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180;Trojan.WinSpy;Deleted.;
A0265987.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180;Trojan.WinSpy;Deleted.;
A0266104.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180;Trojan.WinSpy;Deleted.;
A0266126.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0266131.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP180;BackDoor.Generic.1198;Deleted.;
A0266189.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP181;Trojan.WinSpy;Deleted.;
A0341437.exe;C:\System Volume Information\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\RP184;Trojan.Peflog.48;Deleted.;
NTInvisible.dll;C:\WINDOWS\system32;Program.SpyAgent;Incurable.Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Deleted.;

Here are the files that show up:
http://img256.imageshack.us/img256/7403/safemodedx9.jpg
http://img183.imageshack.us/img183/879/safemode2jl8.jpg

IE still reboots my computer.

Edited by Anonymousone, 16 December 2006 - 12:49 AM.
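A small triage helper for the DrWeb.csv report format that the Dr.Web CureIt steps earlier in the thread produce and that is posted above (an added example, not part of the thread and not Dr.Web's own code): it parses the semicolon-separated lines, separates restore-point copies under System Volume Information from live files, and sets Tool./Program. riskware such as process.exe apart from named malware so the live hits worth following up stand out. The sample report is constructed from a handful of the posted lines and is not the full report.

```python
import re
from collections import Counter

# Constructed sample in DrWeb.csv layout (file;directory;detection;action;), modelled
# on the report posted above; it is a subset, not the full report.
SAMPLE_REPORT = """\
mirc.exe;c:\\program files\\mirc;Program.mIRC.616;;
Process.exe;C:\\Documents and Settings\\Tia\\Desktop\\Fix\\SmitfraudFix;Tool.Prockill;Deleted.;
ilovespaceun.exe;C:\\Program Files\\BPK;Trojan.Peflog.48;Deleted.;
NTInvisible.dll;C:\\WINDOWS\\system32;Program.SpyAgent;Incurable.Moved.;
A0262173.exe;C:\\System Volume Information\\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\\RP174;Trojan.WinSpy;Deleted.;
A0262215.exe\\data002;C:\\System Volume Information\\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\\RP174\\A0262215.exe;BackDoor.Pigeon.290;;
A0262215.exe;C:\\System Volume Information\\_restore{CCEB12D6-04B7-47CF-9986-65894874A813}\\RP174;Archive contains infected objects;Moved.;
Armored Room Crack.exe;C:\\Documents and Settings\\Tia\\Desktop\\Progs\\ArmoredCrack;Probably BACKDOOR.Trojan;Deleted.;
"""

# Restore-point copies (System Volume Information\_restore{...}\RPnnn) are old snapshots
# the user cannot launch, so they are counted separately from live paths.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}", re.I)


def classify(detection):
    """Map a Dr.Web detection name to a triage class by its naming prefix."""
    if detection.startswith("Archive contains"):
        return "archive"      # container line; its member lines carry the real verdicts
    if detection.startswith("Probably "):
        return "heuristic"    # heuristic verdict, weaker evidence than a named signature
    if detection.startswith(("Tool.", "Program.")):
        return "riskware"     # legitimate tools flagged for possible misuse (process.exe above)
    return "malware"


def parse_drweb_csv(text):
    """Parse report lines into dicts; blank or short lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(";")
        if len(parts) < 4 or not parts[0]:
            continue
        name, directory, detection, action = parts[:4]
        entries.append({
            "name": name, "directory": directory, "detection": detection,
            "action": action or "none",
            "nested": "\\" in name,   # 'archive.exe\data001' is a member inside an archive
            "restore_point": bool(RESTORE_RE.search(directory)),
            "klass": classify(detection),
        })
    return entries


def triage(text):
    """Summarise a report: class counts, live vs restore-point, and live hits to follow up."""
    entries = parse_drweb_csv(text)
    return {
        "by_class": Counter(e["klass"] for e in entries),
        "restore_point": sum(e["restore_point"] for e in entries),
        "live": sum(not e["restore_point"] for e in entries),
        # Top-level files the scanner neither cured nor moved (archive members report no action).
        "untouched": [e["name"] for e in entries if e["action"] == "none" and not e["nested"]],
        # Live, non-riskware hits: the ones that decide whether the machine is actually clean.
        "review": sorted(e["name"] for e in entries
                         if not e["restore_point"] and e["klass"] in ("malware", "heuristic")),
    }
```

Running `triage(SAMPLE_REPORT)` on the constructed sample leaves only the two live non-riskware hits in `review`, while the many restore-point detections and the flagged SmitfraudFix tools are counted but not escalated.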