Computer Sending Spam Mail After Website Visit


This topic is locked
31 replies to this topic

#1 kcastle

Posted 30 December 2006 - 11:06 PM

A couple of days ago I visited a website that was less than nice to my pc. Norton Internet Security was installed but apparently it waltzed around that with little problem. Norton immediately began opening outgoing email scanning popup after popup (50-60) telling me that my email had been identified as spam and rejected. I wasn't even sending email at the time and none of the email shows up in my sent folder in Outlook Express. I guess it set up a mail server on my system??? Since then I have followed as many of the malware removal steps as possible. I have run the following with these results:

Norton Internet Security - finds nothing
AdAware SE - finds nothing
SpyBot S&D - finds nothing
AVG - finds nothing
HouseCall - created the following log file
Panda - found atdmt cookie (but I didn't opt to pay for Panda to fix it for me)
CCleaner - found and deleted temp files
McAfee Stinger - finds nothing
Using the firewall from AVG

The "scanning popups" from Norton have stopped but I still don't have a warm fuzzy that all is well. I feel that this is about as far as I can go without asking for help. Here are my PandaScan, HijackThis and ComboFix log files, respectively. Am I good or is there still work to be done?



#Housecall Local Client Configuration
#Thu Dec 28 07:46:01 2006
scanned.engine.type=main,main,system,system
infectivethreats.class=grayware,grayware,grayware,grayware
domain=housecall65.trendmicro.com
infectivethreats.failed.amount=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
infectivethreats.failed.reason=0
infectivethreats.removed=1,1,1,30,30,30,30,30,30,30,30,30,30,30,30,30,30,30,30,30,30,30,30,30,30,30,30,30,30,30,30,30,30,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
vulnerabilities=MS04-038,MS04-041,MS04-043,MS04-044,MS05-001,MS05-007,MS05-008,MS05-009,MS05-011,MS05-012,MS05-013,MS05-014,MS05-015,MS05-016,MS05-018,MS05-019,MS05-020,MS05-025,MS05-026,MS05-027,MS05-032,MS05-033,MS05-036,MS05-037,MS05-038,MS05-039,MS05-040,MS05-041,MS05-042,MS05-043,MS05-045,MS05-046,MS05-047,MS05-048,MS05-049,MS05-050,MS05-051,MS05-052,MS05-053,MS05-054,MS06-001,MS06-002,MS06-005,MS06-006,MS06-007,MS06-008,MS06-013,MS06-014,MS06-015,MS06-016,MS06-018,MS06-021,MS06-022,MS06-023,MS06-025,MS06-030,MS06-032,MS06-035,MS06-036,MS06-040,MS06-041,MS06-042,MS06-043,MS06-045,MS06-046,MS06-050,MS06-051,MS06-052,MS06-053,MS06-055,MS06-057,MS06-061,MS06-063,MS06-064,MS06-065,MS06-066,MS06-067,MS06-068,MS06-070,MS06-072,MS06-075
scanned.pattern.type=grayware,malware,system.grayware,vulnerability.software
vulnerabilities.type=software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software,software
scanned.count=0,176850,54944,270
infectivethreats.failed=false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true,true
infectivethreats=COOKIE_ASK,COOKIE_2O7,ADWARE_XLOCATOR,ADWARE_ABETTERINTERNET
implementation=html/native/x86/win32/activex/x86/win32/
scanned.engine.version=831001002,0,0,398001012
created=2006-12-28 12\:46\:00 GMT
infectivethreats.amount=1,1,1,30
send.attempts=0
infectivethreats.type=
scanned.pattern.version=44300,0,44900,5900

Logfile of HijackThis v1.99.1
Scan saved at 10:36:15 PM, on 12/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
d:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
d:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
d:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\devldr32.exe
d:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
d:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
D:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\System32\alg.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\services.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
D:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.laurencastle.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NppBHOObj Class - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9ABC0891-3491-4E8C-B4FE-ACB12D6824C8} (ICImageView.ICTiffViewer) - http://www.realtyeyes.com/Pro/tools/TIFFVi...ICImageView.CAB
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CD7C1008-F082-4FF6-885E-3209417E2019} (ICMTRMLS.ICSystemID) - http://www.realtyeyes.com/Pro/cabs/ICMTRMLS.CAB
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - d:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe





The Castles - 06-12-30 22:32:21.53 Service Pack 2
ComboFix 06.11.27 - Running from: "D:\puter\antivir"

((((((((((((((((((((((((((((((( Files Created from 2006-11-30 to 2006-12-30 ))))))))))))))))))))))))))))))))))


2006-12-30 22:31 36,864 --a------ C:\WINDOWS\system32\main.sys
2006-12-30 13:37 <DIR> d-------- C:\Program Files\Enigma Software Group
2006-12-30 08:58 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-29 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-29 20:47 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-29 20:47 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-29 20:47 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-29 20:47 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-29 20:47 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-29 20:47 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2006-12-29 20:47 <DIR> d-------- C:\Program Files\Grisoft
2006-12-29 20:47 <DIR> d-------- C:\Documents and Settings\The Castles\Application Data\AVG7
2006-12-29 20:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-12-29 20:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2006-12-29 20:45 <DIR> dr-h----- C:\Documents and Settings\The Castles\Recent
2006-12-28 08:10 <DIR> d-------- C:\Documents and Settings\The Castles\Application Data\Uniblue
2006-12-27 22:09 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-27 21:20 <DIR> d-------- C:\Documents and Settings\The Castles\.housecall6.6
2006-12-27 20:37 <DIR> d-------- C:\Program Files\Symantec Technical Support
2006-12-27 19:16 <DIR> d--hs---- C:\WINDOWS\CSC
2006-12-27 15:16 31,744 --a------ C:\WINDOWS\system32\wsys.dll
2006-12-19 17:09 276,792 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2006-12-19 17:09 25,400 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2006-12-19 17:09 247,096 --a------ C:\WINDOWS\system32\drivers\srtsp.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-27 15:16 502272 --a------ C:\WINDOWS\system32\winlogon.exe
2006-12-22 07:28 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-12-22 07:28 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-10-02 21:07 17920 --a------ C:\Documents and Settings\The Castles\Application Data\GDIPFONTCACHEV1.DAT


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"D:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="d:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SpyHunter"="C:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,60,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="d:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="d:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - The Castles.job

Completion time: 06-12-30 22:34:12.00
C:\ComboFix2.txt ... 06-12-30 22:25
C:\ComboFix.txt ... 06-12-30 22:34

#2 DaveM59
Bleepin' Grandpa (Location: TN USA)

Posted 31 December 2006 - 11:02 AM

Hi KCastle,

Welcome to Bleeping Computer. :thumbsup:

It sounds like you may have gotten a spam bot on your system recently, but I don't see any signs of it in your logs.

You are currently running two antivirus programs -- Norton and AVG. This does not make you safer. The two scanners will interfere with each other, slowing down the computer and actually making you less safe.

You also have two antispyware programs running: Ewido and SpyHunter. Enigma Software's SpyHunter has been de-listed as a "rogue" program, but questions about its effectiveness remain. Please go to

http://spywarewarrior.com/rogue_anti-spyware.htm

And scroll about halfway down the page to the notes on de-listed applications and read the information about SpyHunter.

You need to remove or disable one of your antivirus programs, either Norton or AVG. Make sure you have one and only one antivirus and firewall running on your system. Also I suggest you uninstall SpyHunter, and update your Ewido.

Ewido 4.0 has been superseded by AVG Antispyware 7.5, which reflects the merger of Ewido with Grisoft, the makers of AVG antivirus. The program has undergone more than a name change, though; it has significantly improved capabilities, especially in the area of malware removal. You should upgrade to the new version.

First, uninstall Ewido: Click Start, then Control Panel, then double click Add or Remove Programs.

Scroll down to Ewido and select it. Click Remove.

To the "Are You Sure" warning popup, click Yes.

Ewido should now uninstall. When it is finished click OK. On some computers it may ask to reboot, if so allow it.
Next, install AVG-AS: Open your browser and go to This page. Read the information regarding the paid and free versions of the program, then at the bottom of the page click the orange box labeled Download Now. Save the AVG-AS setup file to your desktop. Close your browser.

Double click the AVGAS setup icon. Unless you need to change the language first, click OK, then Next.

On the License agreement screen click I Agree. Then accept the default installation folder by clicking Next.

Finally, click Install. The program will then copy files and register itself; when it tells you it is installed, click Finish.

AVG-AS 7.5 will open. On the Status screen you will see a line Last Update ! Never. On that line click Update Now.

After the program updates, you may want to change the Auto Updates options. The default is to check for updates every 60 minutes, which you may feel is excessive. Note that after the 30 day trial period, Auto Updates is disabled unless you pay for the program.

Also note that the real-time scanner (Guard.exe) is disabled after the trial period. However, you can still do manual updates and scans and the program will still quarantine or delete any spyware or trojans that it finds.

Now click the Scanner icon at the top of the window. Click the Settings tab. When that screen opens select the radio button Automatically produce a report after every scan. Uncheck the box Only if threats were found.

On the same screen, under "How to Act", click on Recommended Actions. Select Quarantine.

Leave the other settings on that screen at their defaults.

Close the program. This will save the settings changes.
I don't see any indication of which version of Java you are running. You probably need to update it.

Click Start, Control Panel, then double click Add/Remove Programs. When the list is populated look for any and all entries starting with J2SE or JRE with the little Java icon (a coffee cup). Remove them all, one by one. Then open your browser and go to this web page to get the latest version. Scroll down to the middle of the page where you will find Java Runtime Environment (JRE) 6. Click Download which will take you to the secure download page. At the top, select the Accept License Agreement button. Then look to the first block for the J2SE downloads for the Windows Platform. You can choose either the Online or Offline installation version; unless you have several computers you need to upgrade, I suggest the Online version.

Download the file to your desktop, and double click the icon to run it.

If you have trouble with the Online installation, you can download the big Offline file and install it with your browser closed.


The other thing I need you to do is update your Windows operating system. Your Housecall log appears to indicate a number of vulnerabilities which have been patched over the last few years. Please go to http://update.microsoft.com/windowsupdate and go through the update check and download process. Until you install these updates, your system will be open to exploits. It is very important to keep your system updated, as new vulnerabilities are constantly being discovered.

Now, let's try to make sure your system is clean.

Please download Blacklight Beta here. You can read the information on the download page for an idea of what it will do. Download it to your desktop and double click to open. Accept the agreement, then on the next screen click the Scan button. When the scan is finished, click Next. If anything was found, let Blacklight clean it. Then exit the program. You will find a log file on your desktop, named fsbl-xxxxxxxxxxxxx.log. The x's are numbers, the first four being the current year. This is a text file and can be opened with Notepad.

Next go to the Kaspersky online scanner. Accept the terms, let it install an ActiveX program (since you have XP SP2 this is blocked by default, you must allow it), then accept the terms again, let it download the files (about 8 MB total). Click Next, and select "My Computer" as the scan area. Kaspersky takes a long time but it is very thorough. When it is finished, save the report as a text file (easier to work with than an HTML file) to your desktop.

Please post those logs, along with a fresh HijackThis log, to a reply here. Let me know if you have any trouble or questions.

Good luck,

Dave
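An added example, not from the thread, from Trend Micro or from either poster, that parses the HouseCall "Local Client Configuration" log quoted in the first post and turns its parallel comma-separated lists into the two things Dave reads from it: the grayware HouseCall found and removed, and the Microsoft security bulletins it reports as unresolved on the machine. It assumes, as the array lengths on the page suggest (33 threat instances from infectivethreats.amount, then 81 bulletins), that infectivethreats.failed holds one entry per threat instance followed by one entry per vulnerability; the input below is a constructed, shortened excerpt in the same format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed, shortened excerpt in the HouseCall log format quoted in the thread.
# The real log lists 33 threat instances and 81 bulletins; the layout is the same.
SAMPLE_LOG = """\
#Housecall Local Client Configuration
#Thu Dec 28 07:46:01 2006
domain=housecall65.trendmicro.com
infectivethreats=COOKIE_ASK,COOKIE_2O7,ADWARE_XLOCATOR,ADWARE_ABETTERINTERNET
infectivethreats.amount=1,1,1,3
infectivethreats.removed=1,1,1,3,3,3,0,0,0,0
infectivethreats.failed=false,false,false,false,false,false,true,true,true,true
infectivethreats.failed.amount=0,0,0,0,0,0,1,1,1,1
vulnerabilities=MS04-038,MS05-039,MS06-040,MS06-075
vulnerabilities.type=software,software,software,software
scanned.count=0,176850,54944,270
created=2006-12-28 12\\:46\\:00 GMT
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java-properties style key=value lines; '#' lines are comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        # HouseCall escapes ':' in the timestamp as '\:'; drop the backslash.
        props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props


def split_list(value: str) -> List[str]:
    return value.split(",") if value else []


@dataclass
class HouseCallSummary:
    created: str
    threats: Dict[str, Dict[str, int]] = field(default_factory=dict)
    vulnerabilities: List[str] = field(default_factory=list)
    unpatched: List[str] = field(default_factory=list)


def summarize(text: str) -> HouseCallSummary:
    p = parse_properties(text)
    names = split_list(p.get("infectivethreats", ""))
    amounts = [int(a) for a in split_list(p.get("infectivethreats.amount", ""))]
    failed = [f == "true" for f in split_list(p.get("infectivethreats.failed", ""))]
    vulns = split_list(p.get("vulnerabilities", ""))

    # Assumption (see lead-in): per-instance arrays cover every threat instance
    # first, then one slot per bulletin; refuse to guess if the lengths disagree.
    n_instances = sum(amounts)
    if len(names) != len(amounts) or len(failed) != n_instances + len(vulns):
        raise ValueError("parallel lists in HouseCall log do not line up")

    summary = HouseCallSummary(created=p.get("created", ""), vulnerabilities=vulns)
    pos = 0
    for name, amount in zip(names, amounts):
        segment = failed[pos:pos + amount]
        summary.threats[name] = {"found": amount,
                                 "removed": amount - sum(segment),
                                 "failed": sum(segment)}
        pos += amount
    # A 'true' in the bulletin slots means the patch is still missing.
    summary.unpatched = [v for v, f in zip(vulns, failed[n_instances:]) if f]
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("scan created:", s.created)
    for name, c in s.threats.items():
        print(f"{name}: found {c['found']}, removed {c['removed']}, failed {c['failed']}")
    print("unresolved bulletins:", ", ".join(s.unpatched))
```

On the log in the first post this prints the four grayware names with all instances removed and the full list of 81 MS04 through MS06 bulletins, which is why the Windows Update step matters more than any further scanning.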

#3 kcastle
Topic Starter

Posted 01 January 2007 - 09:19 AM

Good morning Dave,

Thank you for your help. Happy new year to you. I noticed you are from middle TN. I am just east of Knoxville so we got to the new year about an hour ahead of you all but so far it looks the same as 2006. I followed your instructions and here are the steps I have completed.

Removed AVG.
Uninstalled SpyHunter.
Uninstalled Ewido.
Installed AVG-AS.
Installed JRE6.
Updated Windows.
Ran BlacklightBeta. Scan log follows.
Ran Kaspersky. Scan log follows.
Ran AVG-AS. Scan log follows.
Ran HijackThis. Scan log follows.

Thanks again for your help!
Kevin


12/31/06 20:45:11 [Info]: BlackLight Engine 1.0.55 initialized
12/31/06 20:45:11 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/31/06 20:45:11 [Note]: 7019 4
12/31/06 20:45:11 [Note]: 7005 0
12/31/06 20:45:15 [Note]: 7006 0
12/31/06 20:45:15 [Note]: 7011 1268
12/31/06 20:45:15 [Note]: 7026 0
12/31/06 20:45:16 [Note]: 7026 0
12/31/06 20:45:26 [Note]: FSRAW library version 1.7.1021
12/31/06 20:46:32 [Note]: 7007 0

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 01, 2007 12:09:10 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 1/01/2007
Kaspersky Anti-Virus database records: 255347
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 117597
Number of viruses found: 6
Number of infected objects: 33 / 0
Number of suspicious objects: 3
Duration of the scan process: 03:09:28

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.i skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{3000E229-E38C-450F-8681-DD648A6EDC74}.bin Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-12-31_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\9EB8DECB.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\20CF575F.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\The Castles\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\The Castles\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\The Castles\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\The Castles\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\The Castles\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\The Castles\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\The Castles\Local Settings\Application Data\Identities\{EAC4626D-CE43-4D4B-A515-19F269B019D2}\Microsoft\Outlook Express\Deleted Items.dbx/[From Cortez F. Ophelia <hitj@assen.nl>][Date Sat, 30 Dec 2006 10:29:25 +0700]/UNNAMED/postcard.exe Infected: Trojan-Downloader.Win32.Tibs.jy skipped
C:\Documents and Settings\The Castles\Local Settings\Application Data\Identities\{EAC4626D-CE43-4D4B-A515-19F269B019D2}\Microsoft\Outlook Express\Deleted Items.dbx/[From Cortez F. Ophelia <hitj@assen.nl>][Date Sat, 30 Dec 2006 10:29:25 +0700]/UNNAMED Infected: Trojan-Downloader.Win32.Tibs.jy skipped
C:\Documents and Settings\The Castles\Local Settings\Application Data\Identities\{EAC4626D-CE43-4D4B-A515-19F269B019D2}\Microsoft\Outlook Express\Deleted Items.dbx/[From Graves B. Joseph <ontczg@tucsonstingrays.com>][Date Sat, 30 Dec 2006 11:24:56 +0100]/UNNAMED/postcard.exe Infected: Trojan-Downloader.Win32.Tibs.jy skipped
C:\Documents and Settings\The Castles\Local Settings\Application Data\Identities\{EAC4626D-CE43-4D4B-A515-19F269B019D2}\Microsoft\Outlook Express\Deleted Items.dbx/[From Graves B. Joseph <ontczg@tucsonstingrays.com>][Date Sat, 30 Dec 2006 11:24:56 +0100]/UNNAMED Infected: Trojan-Downloader.Win32.Tibs.jy skipped
C:\Documents and Settings\The Castles\Local Settings\Application Data\Identities\{EAC4626D-CE43-4D4B-A515-19F269B019D2}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 4 skipped
C:\Documents and Settings\The Castles\Local Settings\Application Data\Identities\{A3DAB0F2-9C46-4C1C-AA36-2164220ED28B}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\The Castles\Local Settings\Application Data\Identities\{A3DAB0F2-9C46-4C1C-AA36-2164220ED28B}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\The Castles\Local Settings\Application Data\Identities\{A3DAB0F2-9C46-4C1C-AA36-2164220ED28B}\Microsoft\Outlook Express\Deleted Items.dbx/[From Graves B. Joseph <ontczg@tucsonstingrays.com>][Date Sat, 30 Dec 2006 11:24:56 +0100]/UNNAMED/postcard.exe Infected: Trojan-Downloader.Win32.Tibs.jy skipped
C:\Documents and Settings\The Castles\Local Settings\Application Data\Identities\{A3DAB0F2-9C46-4C1C-AA36-2164220ED28B}\Microsoft\Outlook Express\Deleted Items.dbx/[From Graves B. Joseph <ontczg@tucsonstingrays.com>][Date Sat, 30 Dec 2006 11:24:56 +0100]/UNNAMED Infected: Trojan-Downloader.Win32.Tibs.jy skipped
C:\Documents and Settings\The Castles\Local Settings\Application Data\Identities\{A3DAB0F2-9C46-4C1C-AA36-2164220ED28B}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\The Castles\Local Settings\Application Data\Identities\{A3DAB0F2-9C46-4C1C-AA36-2164220ED28B}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\The Castles\Local Settings\Application Data\Identities\{A3DAB0F2-9C46-4C1C-AA36-2164220ED28B}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\The Castles\Cookies\index.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
D:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
D:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
D:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
D:\Documents and Setting\k\Local Settings\Application Data\Identities\{F6DDA566-0B0F-430D-BB06-38044478EAEB}\Microsoft\Outlook Express\Deleted Items.dbx/[From "rcornwell" <rcornwell@ccss.k12.nc.us>][Date Sat, 18 Oct 2003 19:54:36 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Setting\k\Local Settings\Application Data\Identities\{F6DDA566-0B0F-430D-BB06-38044478EAEB}\Microsoft\Outlook Express\Deleted Items.dbx/[From "rcornwell" <rcornwell@ccss.k12.nc.us>][Date Sat, 18 Oct 2003 19:54:36 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Setting\k\Local Settings\Application Data\Identities\{F6DDA566-0B0F-430D-BB06-38044478EAEB}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: suspicious - 2 skipped
D:\Documents and Setting\k\Local Settings\Application Data\Identities\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx/[From <KCastle@tufftorq.com>][Date Mon, 4 Aug 2003 08:03:09 -0400]/UNNAMED/PopOopsSetup.zip/PopOopsSetup.exe/data0003 Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
D:\Documents and Setting\k\Local Settings\Application Data\Identities\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx/[From <KCastle@tufftorq.com>][Date Mon, 4 Aug 2003 08:03:09 -0400]/UNNAMED/PopOopsSetup.zip/PopOopsSetup.exe Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
D:\Documents and Setting\k\Local Settings\Application Data\Identities\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx/[From <KCastle@tufftorq.com>][Date Mon, 4 Aug 2003 08:03:09 -0400]/UNNAMED/PopOopsSetup.zip Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
D:\Documents and Setting\k\Local Settings\Application Data\Identities\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx/[From <KCastle@tufftorq.com>][Date Mon, 4 Aug 2003 08:03:09 -0400]/UNNAMED Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
D:\Documents and Setting\k\Local Settings\Application Data\Identities\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx/[From <KCastle@tufftorq.com>][Date Fri, 19 Sep 2003 10:04:55 -0400]/UNNAMED/PopOopsSetup.zip/PopOopsSetup.exe/data0003 Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
D:\Documents and Setting\k\Local Settings\Application Data\Identities\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx/[From <KCastle@tufftorq.com>][Date Fri, 19 Sep 2003 10:04:55 -0400]/UNNAMED/PopOopsSetup.zip/PopOopsSetup.exe Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
D:\Documents and Setting\k\Local Settings\Application Data\Identities\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx/[From <KCastle@tufftorq.com>][Date Fri, 19 Sep 2003 10:04:55 -0400]/UNNAMED/PopOopsSetup.zip Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
D:\Documents and Setting\k\Local Settings\Application Data\Identities\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx/[From <KCastle@tufftorq.com>][Date Fri, 19 Sep 2003 10:04:55 -0400]/UNNAMED Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
D:\Documents and Setting\k\Local Settings\Application Data\Identities\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 8 skipped
D:\Documents and Setting\k\Local Settings\Application Data\Identities\{EC178766-524E-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Deleted Items.dbx/[From <support@microsoft.com>][Date Sun, 25 May 2003 7:21:37 --0700]/your_details.pif Infected: Email-Worm.Win32.Sobig.b skipped
D:\Documents and Setting\k\Local Settings\Application Data\Identities\{EC178766-524E-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 1 skipped
D:\puter\reload_050606\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx/[From <KCastle@tufftorq.com>][Date Mon, 4 Aug 2003 08:03:09 -0400]/UNNAMED/PopOopsSetup.zip/PopOopsSetup.exe/data0003 Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
D:\puter\reload_050606\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx/[From <KCastle@tufftorq.com>][Date Mon, 4 Aug 2003 08:03:09 -0400]/UNNAMED/PopOopsSetup.zip/PopOopsSetup.exe Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
D:\puter\reload_050606\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx/[From <KCastle@tufftorq.com>][Date Mon, 4 Aug 2003 08:03:09 -0400]/UNNAMED/PopOopsSetup.zip Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
D:\puter\reload_050606\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx/[From <KCastle@tufftorq.com>][Date Mon, 4 Aug 2003 08:03:09 -0400]/UNNAMED Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
D:\puter\reload_050606\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx/[From <KCastle@tufftorq.com>][Date Fri, 19 Sep 2003 10:04:55 -0400]/UNNAMED/PopOopsSetup.zip/PopOopsSetup.exe/data0003 Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
D:\puter\reload_050606\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx/[From <KCastle@tufftorq.com>][Date Fri, 19 Sep 2003 10:04:55 -0400]/UNNAMED/PopOopsSetup.zip/PopOopsSetup.exe Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
D:\puter\reload_050606\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx/[From <KCastle@tufftorq.com>][Date Fri, 19 Sep 2003 10:04:55 -0400]/UNNAMED/PopOopsSetup.zip Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
D:\puter\reload_050606\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx/[From <KCastle@tufftorq.com>][Date Fri, 19 Sep 2003 10:04:55 -0400]/UNNAMED Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
D:\puter\reload_050606\{365D814A-52EE-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 8 skipped
D:\puter\reload_050606\{EC178766-524E-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Deleted Items.dbx/[From <support@microsoft.com>][Date Sun, 25 May 2003 7:21:37 --0700]/your_details.pif Infected: Email-Worm.Win32.Sobig.b skipped
D:\puter\reload_050606\{EC178766-524E-11D6-992A-00E07DB414BD}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 1 skipped
D:\puter\antivir\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\puter\antivir\SmitfraudFix.zip ZIP: infected - 1 skipped

Scan process completed.




---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:33:20 AM 1/1/2007

+ Scan result:



C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[1].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\The Castles\Cookies\the castles@ehg-kasperskylab.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\The Castles\Cookies\the castles@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
[1268] VM_13140000 -> Trojan.Agent.zq : No action taken.
[1404] VM_13140000 -> Trojan.Agent.zq : No action taken.
[1784] VM_13140000 -> Trojan.Agent.zq : No action taken.
[2244] VM_13140000 -> Trojan.Agent.zq : No action taken.
[2332] VM_13140000 -> Trojan.Agent.zq : No action taken.
[2448] VM_13140000 -> Trojan.Agent.zq : No action taken.
[2524] VM_13140000 -> Trojan.Agent.zq : No action taken.
[2780] VM_13140000 -> Trojan.Agent.zq : No action taken.
[2872] VM_13140000 -> Trojan.Agent.zq : No action taken.
[3044] VM_13140000 -> Trojan.Agent.zq : No action taken.
[3540] VM_13140000 -> Trojan.Agent.zq : No action taken.
[3864] VM_13140000 -> Trojan.Agent.zq : No action taken.
[4072] VM_13140000 -> Trojan.Agent.zq : No action taken.
[724] VM_13140000 -> Trojan.Agent.zq : No action taken.
[772] VM_13140000 -> Trojan.Agent.zq : No action taken.
[812] VM_13140000 -> Trojan.Agent.zq : No action taken.
[840] VM_13140000 -> Trojan.Agent.zq : No action taken.
[904] VM_13140000 -> Trojan.Agent.zq : No action taken.
[980] VM_13140000 -> Trojan.Agent.zq : No action taken.


::Report end



Logfile of HijackThis v1.99.1
Scan saved at 9:16:00 AM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\alg.exe
D:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\services.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\DOCUME~1\THECAS~1\LOCALS~1\TEMP\zauninst.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.laurencastle.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NppBHOObj Class - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167615460843
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9ABC0891-3491-4E8C-B4FE-ACB12D6824C8} (ICImageView.ICTiffViewer) - http://www.realtyeyes.com/Pro/tools/TIFFVi...ICImageView.CAB
O16 - DPF: {CD7C1008-F082-4FF6-885E-3209417E2019} (ICMTRMLS.ICSystemID) - http://www.realtyeyes.com/Pro/cabs/ICMTRMLS.CAB
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

#4 DaveM59 (Bleepin' Grandpa, Members, 1,355 posts, Location: TN USA)

Posted 01 January 2007 - 02:41 PM

Hi Kevin,

Happy new year to you, an hour later as you observe. East Tennessee is a beautiful place.

Question -- Did you run Windows update before you ran Kaspersky? I need to know this, because our biggest problem is that one of your key system files -- winlogon.exe -- is infected and will have to be replaced with a clean copy. If you ran Kaspersky after the update, then I know your Winlogon.exe file is still infected.

If that is the case, then I need to know whether you have a Windows XP install CD with Service Pack 2, or alternatively, whether there is an \i386 folder located somewhere on your hard drive (use the Windows search function to find this folder if it exists). The i386 folder, whether on your hard disk or on the install CD, will contain a compressed file named winlogon.ex_. I need a file with a "last modified" date of Aug. 3, 2004 and a size of 254K. That's the XP SP2 version.

Another thing I need you to do, please run AVG Antispyware again, it appears when you ran it the first time it was set to "scan only" because nothing was quarantined or deleted. Make sure the program is set to delete or quarantine all infected files.

Another thing you can do is to empty your Outlook Express Deleted Items box.

It looks like you ran Smitfraudfix at some point. Did it find anything?

Did you uninstall the Zone Alarm firewall recently? And if so, do you currently have a firewall installed on this computer?

One more question -- are there any user accounts on this machine other than the one you have been working from? If so, I need you to log on to each of those accounts and run a HijackThis scan, and post the logs to your reply here, along with the answers to my questions.

Dave
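The point about AVG Anti-Spyware being left in "scan only" mode can be checked mechanically from the report itself. The parser below is an added example (not code from this thread, from the helper, or from AVG): it reads the report format seen in the posted logs, flags a report in which every line ends in "No action taken", and separates file findings from in-memory findings reported per process. The line format is inferred from the posted reports and the sample report is constructed to match them.

```python
import re
from collections import defaultdict

# Two line shapes appear in the posted AVG Anti-Spyware 7.5 reports (format assumed
# from those logs, not from AVG documentation):
#   <path> -> <detection> : <action>.             file or cookie on disk
#   [<pid>] VM_<hex> -> <detection> : <action>.   memory region inside a process
FINDING_RE = re.compile(r"^(?P<subject>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+?)\.?$")
MEMORY_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<region>VM_[0-9A-Fa-f]+)$")


def parse_report(text):
    """Return the findings listed between '+ Scan result:' and '::Report end'."""
    findings = []
    in_results = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("+ Scan result:"):
            in_results = True
            continue
        if line.startswith("::Report end"):
            break
        if not in_results or not line:
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue  # header or unrecognised line
        mem = MEMORY_RE.match(m.group("subject"))
        findings.append({
            "detection": m.group("detection").strip(),
            "action": m.group("action").strip(),
            "kind": "memory" if mem else "file",
            "pid": int(mem.group("pid")) if mem else None,
            "region": mem.group("region") if mem else None,
            "path": None if mem else m.group("subject"),
        })
    return findings


def summarize(findings):
    """Group findings by detection name and answer the two questions a helper
    asks first: did the scanner act on anything, and which detections were
    seen only in process memory rather than as a file on disk."""
    groups = defaultdict(lambda: {"files": [], "pids": [], "regions": set()})
    for f in findings:
        g = groups[f["detection"]]
        if f["kind"] == "memory":
            g["pids"].append(f["pid"])
            g["regions"].add(f["region"])
        else:
            g["files"].append(f["path"])
    detections = {}
    for name, g in groups.items():
        detections[name] = {
            "files": g["files"],
            "pids": sorted(g["pids"]),
            "regions": sorted(g["regions"]),
            # The same region reported in many processes with no file path means
            # the scanner sees a module loaded into each of them; clearing memory
            # without removing whatever loads it brings the finding back next scan.
            "memory_only": bool(g["pids"]) and not g["files"],
        }
    scan_only = bool(findings) and all(f["action"] == "No action taken" for f in findings)
    return {"scan_only": scan_only, "detections": detections}


# Constructed sample modelled on the reports posted in this thread.
SAMPLE_REPORT = r"""
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:33:20 AM 1/1/2007

+ Scan result:

C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[1].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\The Castles\Cookies\the castles@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
[1268] VM_13140000 -> Trojan.Agent.zq : No action taken.
[1404] VM_13140000 -> Trojan.Agent.zq : No action taken.
[724] VM_13140000 -> Trojan.Agent.zq : No action taken.

::Report end
"""

if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print("scan-only mode:", summary["scan_only"])
    for name, info in summary["detections"].items():
        where = f"{len(info['pids'])} processes" if info["memory_only"] else f"{len(info['files'])} files"
        print(f"{name}: {where}")
```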

#5 kcastle (Topic Starter, Members, 18 posts)

Posted 01 January 2007 - 04:45 PM

Good afternoon Dave,

I did run the Windows Update before I ran Kaspersky. I do not have the install CD however there is an \i386 folder located at c:\windows\ServicePackFiles\i386 that contains a winlogon.exe (not winlogon.ex_) with a file size of 491KB, last modified 08/04/04, 12:56 am.

I ran AVG-AS with the settings to "quarantine" and it found "Trojan.agent.zq" along with the annoying atdmt tracking cookie. When I "applied all actions" and scanned again it returned the "Trojan.agent.zq" again. This time I set to delete and applied all actions. Scanned again and it found the same "Trojan.agent.zq" so I am assuming it cannot do anything with it. There are also 20 traces detected. I have attached the latest scan log below.

Outlook Express Deleted Items has been cleared out.

I ran SmitFraud in normal mode, shut down and ran in Safe Mode, ran Smit Fraud "clean" in Safe Mode then scanned again, restarted in normal mode and did one more scan. I have attached all 4 of these logs below.

I did have Zone Alarm firewall installed but uninstalled it. The only firewall currently on the pc is the one included with Norton Internet Security. I tried to reinstall Zone Alarm but it said it needed to stop the True Vector service before it could proceed with installation. I was unable to find a True Vector service to stop. So currently the only thing on it is the Norton.

The only account other than the one I use is the administrator. The account I use has administrator privileges.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:13:25 PM 1/1/2007

+ Scan result:



[1012] VM_13140000 -> Trojan.Agent.zq : No action taken.
[1396] VM_13140000 -> Trojan.Agent.zq : No action taken.
[1444] VM_13140000 -> Trojan.Agent.zq : No action taken.
[1536] VM_13140000 -> Trojan.Agent.zq : No action taken.
[1660] VM_13140000 -> Trojan.Agent.zq : No action taken.
[1800] VM_13140000 -> Trojan.Agent.zq : No action taken.
[1984] VM_13140000 -> Trojan.Agent.zq : No action taken.
[1996] VM_13140000 -> Trojan.Agent.zq : No action taken.
[2028] VM_13140000 -> Trojan.Agent.zq : No action taken.
[2156] VM_13140000 -> Trojan.Agent.zq : No action taken.
[2508] VM_13140000 -> Trojan.Agent.zq : No action taken.
[2528] VM_13140000 -> Trojan.Agent.zq : No action taken.
[2536] VM_13140000 -> Trojan.Agent.zq : No action taken.
[3084] VM_13140000 -> Trojan.Agent.zq : No action taken.
[3092] VM_13140000 -> Trojan.Agent.zq : No action taken.
[700] VM_13140000 -> Trojan.Agent.zq : No action taken.
[748] VM_13140000 -> Trojan.Agent.zq : No action taken.
[808] VM_13140000 -> Trojan.Agent.zq : No action taken.
[816] VM_13140000 -> Trojan.Agent.zq : No action taken.
[888] VM_13140000 -> Trojan.Agent.zq : No action taken.


::Report end



Logfile of HijackThis v1.99.1
Scan saved at 4:28:29 PM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Java\jre1.6.0\bin\jusched.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\devldr32.exe
D:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\System32\alg.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\services.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
D:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.laurencastle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NppBHOObj Class - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167615460843
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9ABC0891-3491-4E8C-B4FE-ACB12D6824C8} (ICImageView.ICTiffViewer) - http://www.realtyeyes.com/Pro/tools/TIFFVi...ICImageView.CAB
O16 - DPF: {CD7C1008-F082-4FF6-885E-3209417E2019} (ICMTRMLS.ICSystemID) - http://www.realtyeyes.com/Pro/cabs/ICMTRMLS.CAB
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe



tkc = Following log is from 1st run in Normal Mode

SmitFraudFix v2.132

Scan done at 16:24:08.06, Mon 01/01/2007
Run from C:\Documents and Settings\The Castles\Desktop\New Folder
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\The Castles


C:\Documents and Settings\The Castles\Application Data


Start Menu


C:\DOCUME~1\THECAS~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End


tkc = Following log is from 1st run in Safe Mode

SmitFraudFix v2.132

Scan done at 16:17:36.53, Mon 01/01/2007
Run from C:\Documents and Settings\The Castles\Desktop\New Folder
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End



tkc = Following log is from Safe Mode after I ran the clean step of Smit Fraud

SmitFraudFix v2.132

Scan done at 16:18:55.84, Mon 01/01/2007
Run from C:\Documents and Settings\The Castles\Desktop\New Folder
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\The Castles


C:\Documents and Settings\The Castles\Application Data


Start Menu


C:\DOCUME~1\THECAS~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End


tkc = Following log is from Normal Mode after I ran the clean step of Smit Fraud (in Safe Mode)

SmitFraudFix v2.132

Scan done at 16:24:08.06, Mon 01/01/2007
Run from C:\Documents and Settings\The Castles\Desktop\New Folder
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\The Castles


C:\Documents and Settings\The Castles\Application Data


Start Menu


C:\DOCUME~1\THECAS~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End

#6 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:07:38 AM

Posted 01 January 2007 - 07:45 PM

Hi Kevin,

Sorry for the delays, I have been doing a lot of research on your problem.

Norton's firewall is fine. As I said, you should only have one firewall running on a system. Thing is, I don't see it in your latest log. Maybe I'm looking for the wrong file, but please check your security settings to make sure it is enabled and running.

Could you give me the file information for your C:\Windows\system32\winlogon.exe file? Date modified, file size?

For a while I thought maybe that Kaspersky was giving a false positive on your winlogon.exe, now I'm coming back to thinking it may be true. Anyway, please give me that file info, and we'll proceed from there.

Dave

#7 kcastle

kcastle
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 01 January 2007 - 07:53 PM

Good evening Dave,

Thank you for all of your help. I understand you are busy so don't worry about the delays. I'm just happy to have your assistance.

Norton Firewall was disabled during the last HijackThis scan. I was messing around trying to get the Zone Alarm firewall reinstalled and forgot to turn it on.

My c:\windows\system32\winlogon.exe is 491KB, last modified 3:16pm 12/27/06.

I first noticed the problem with the pc scanning the outbound emails at around 3:03-3:06 pm on 12/27/06.

Hope this information helps.

Thank you again!

#8 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:07:38 AM

Posted 01 January 2007 - 08:30 PM

Hi Kevin,

Could you check one more thing on that c:\windows\system32\winlogon.exe file? Open the \system32 folder using Windows Explorer and set the View to Tiles. Scroll down and take a look at the winlogon.exe file. What does the icon look like? It should be a window with a moon.

Dave

#9 kcastle

kcastle
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 01 January 2007 - 09:58 PM

Good evening Dave,

The icon for this file is indeed a window with a moon in it.

Here is some additional information on something I tried this evening. Since AVG-AS has continued to turn up that "Trojan.Agent.qz" along with 9 additional infected processes, I tried starting in Safe Mode to see if I could get AVG-AS to delete this file. I tried quarantine, delete and delete on reboot but still got the same results after each AVG-AS scan. Don't know if this is beneficial but thought I would let you know about it.

#10 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:07:38 AM

Posted 01 January 2007 - 10:47 PM

Hi Kevin,

That was a suggestion I ran across, but I didn't think it would work because winlogon.exe is an active process even in safe mode.

You say you don't have the Windows XP install CD. Do you have a floppy disk drive installed in this computer? Alternatively, do you have burning software and a CD-Burner? Are you familiar with creating disks from ISO images?

Here's the strategy. It seems to me the best way to replace your winlogon.exe is to boot from a floppy or CD and delete the c:\windows\system32\winlogon.exe file, then copy the c:\windows\ServicePackFiles\i386\winlogon.exe file into the c:\windows\system32 folder. Fortunately, your hard drive is formatted with the FAT32 filesystem, so any WindowsME bootdisk would work fine. Are you familiar with the command line (DOS) interface?

Let me know what you have and your level of experience and I'll work up a set of instructions.

Dave

#11 kcastle

kcastle
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 01 January 2007 - 11:01 PM

Good evening Dave,

I do have a floppy drive installed however the drive itself has gone bad (thinking a mischievous 2 year old may have inserted who-knows-what....). I do have a replacement for it and can install if needed.

I do have access to CD burner & software but not familiar with creating from ISO images. The CD and CD burner drives on this pc have not functioned correctly since I installed XP back in May 06 but I do have my office pc.

I am familiar with DOS. My level of experience with the system is what I would label as moderate (i.e. built this pc, installed all software, setup network, etc.) but my experience with solving these types of problems is limited (although it seems my propensity for creating these problems may be unlimited...).

Again, thank you for all of your help.

#12 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:07:38 AM

Posted 01 January 2007 - 11:36 PM

Okay, sounds like the simplest thing might be for you to replace your defunct floppy drive with the spare.

Then go to this webpage and download the WindowsME OEM bootdisk file. This is an executable, just download it to your desktop.

Print the rest of these instructions because you won't have internet access.

Put a new or expendable floppy disk (everything on it will be erased!) in the disk drive and just double click the bootme.exe icon. Click OK if asked and the program will make your bootdisk. When finished, click OK to close the program, close all programs and reboot your PC. It should boot up to the floppy, if not you'll have to reboot and go into BIOS setup and change the boot order.

Once you've booted to the disk, you should see a command prompt. Type the following lines, hitting <Enter> after each one:

del c:\windows\system32\winlogon.exe
copy c:\windows\ServicePackFiles\i386\winlogon.exe c:\windows\system32\winlogon.exe


The toughest part is typing all this in without making any mistakes, but you're experienced enough to know the drill.

After you replace the file, remove the floppy from the drive and reboot by pressing <Ctrl>-<Alt>-<Del>. The computer should reboot into Windows XP. Then navigate to the \system32 folder and check the Properties of the winlogon.exe file. Check the date modified, it should be Aug. 4, 2004.

Now run an AVG-AS and see whether it still reports that trojan. Let me know.

Good luck,

Dave
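An added check that is not part of Dave's instructions: after the del/copy above, this Python script confirms that the live winlogon.exe is byte-identical to the ServicePackFiles copy (size alone is not enough, since the suspect file was still 491KB). The paths are assumptions, and the demo writes constructed sample files so it runs offline.

```python
r"""Integrity check for a replaced system file (added example, not from the thread).

Intended use: compare C:\WINDOWS\system32\winlogon.exe (live) against
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe (trusted reference).
The paths are assumptions; demo() builds constructed sample files instead.
"""
import hashlib
import os
import tempfile
from datetime import datetime


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large executables are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_files(live_path, reference_path):
    """Report size, SHA-256 and modified time of both files and whether they match.

    A size match proves nothing on its own: a patched binary can keep its
    original length. Only an identical hash confirms a clean replacement.
    """
    live_st, ref_st = os.stat(live_path), os.stat(reference_path)
    live_hash, ref_hash = sha256_of(live_path), sha256_of(reference_path)
    return {
        "size_live": live_st.st_size,
        "size_ref": ref_st.st_size,
        "size_match": live_st.st_size == ref_st.st_size,
        "sha256_live": live_hash,
        "sha256_ref": ref_hash,
        "content_match": live_hash == ref_hash,
        "mtime_live": datetime.fromtimestamp(live_st.st_mtime),
        "mtime_ref": datetime.fromtimestamp(ref_st.st_mtime),
    }


def verify_replacement(live_path, reference_path):
    """True only when the live copy is byte-for-byte the reference copy."""
    return compare_files(live_path, reference_path)["content_match"]


def demo():
    """Constructed demo: a reference copy, a good replacement, and a tampered
    copy of the same length. Returns (good_ok, tampered_ok, tampered_size_match)."""
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "ref_winlogon.exe")
        good = os.path.join(d, "good_winlogon.exe")
        bad = os.path.join(d, "bad_winlogon.exe")
        payload = b"MZ" + bytes(range(256)) * 8  # constructed stand-in bytes
        for path, data in ((ref, payload), (good, payload),
                           (bad, payload[:-1] + b"\x00")):  # last byte altered
            with open(path, "wb") as f:
                f.write(data)
        return (verify_replacement(good, ref),
                verify_replacement(bad, ref),
                compare_files(bad, ref)["size_match"])


if __name__ == "__main__":
    print(demo())  # (True, False, True): same size does not mean same file
```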

#13 kcastle

kcastle
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 02 January 2007 - 10:47 PM

Good evening Dave,

Here's an update on my progress thus far.

Got the winlogon.exe replaced. It shows a file size of 491KB, last modified 01/02/07, 8:31pm.

Ran AVG-AS and it turned up only 1 tracking cookie and no mention of Trojan.Agent.qz. I allowed AVG to delete the cookie and am in the process of running AVG again for followup to make certain it got rid of it. Looks good so far.

Also running Stinger and SpyBot. Stinger hasn't turned up anything yet but SpyBot has returned the program group SpyHunter.

While running AVG-AS the first time, I kept getting a message window that said "Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience." At the time I didn't even have IE open. I started running the scan when XP loaded and I hadn't used IE. I checked the report on it and it showed 2 odd files:

C:\DocumentsAndSettings\TheCastles\LocalSettings\Temp\WERf8eb.dir00\iexplore.exe.mdmp
C:\DocumentsAndSettings\TheCastles\LocalSettings\Temp\WERf8eb.dir00\appcompat.txt

I went to the ...\Temp directory to see if I could learn more about these 2 files however there was not a subfolder named WERf8eb.dir00. There was a directory named WERed66.dir00. Should I delete that file folder and all contents?

When these scans complete I will upload log files for each of these and a new HijackThis log.

#14 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:07:38 AM

Posted 03 January 2007 - 08:04 AM

Hi Kevin,

I went to bed early, as usual on weeknights, and just saw your reply this morning.

Those two files in the hidden directory are reports related to the "Internet Explorer has encountered a problem" message. They are intended to aid in diagnosis. Don't worry about them.

Spybot is probably reporting a "leftover" registry entry for SpyHunter, nothing to worry about.

When you post the log files we'll see where we stand.

Dave

#15 kcastle

kcastle
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 03 January 2007 - 08:57 PM

Good evening Dave,

Seems that most of my time to work on this comes waaay after the sun has gone down. Hopefully tonight I can get in early too.

Today I let Norton Internet Security, AVG-AS and Stinger run. The only thing that turned up was a tracking cookie on AVG-AS.

I restarted and, during startup, AVG-AS reported the following:

Downloader.femad.bd affecting c:\windows\system32\wsys.dll
Downloader.small.eed affecting c:\windows\system32\systems_.exe

I allowed AVG to quarantine these and restarted. During the restart I got the same 2. I restarted again in Safe Mode and ran AVG again and it didn't turn up anything. When I restarted after that I didn't have the 2 from AVG-AS.

The only thing I have noticed is the pc seems to be slightly slower than normal. Not terribly bad but noticeable. May or may not be related but wanted to share that info as well.

I did a HijackThis scan and the log file follows.

I also ran SmitFraud again and the log follows.


Logfile of HijackThis v1.99.1
Scan saved at 8:46:37 PM, on 1/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Java\jre1.6.0\bin\jusched.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
D:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.laurencastle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NppBHOObj Class - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167615460843
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9ABC0891-3491-4E8C-B4FE-ACB12D6824C8} (ICImageView.ICTiffViewer) - http://www.realtyeyes.com/Pro/tools/TIFFVi...ICImageView.CAB
O16 - DPF: {CD7C1008-F082-4FF6-885E-3209417E2019} (ICMTRMLS.ICSystemID) - http://www.realtyeyes.com/Pro/cabs/ICMTRMLS.CAB
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe





SmitFraudFix v2.132

Scan done at 20:00:41.18, Wed 01/03/2007
Run from C:\Documents and Settings\The Castles\Desktop\New Folder
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\The Castles


C:\Documents and Settings\The Castles\Application Data


Start Menu


C:\DOCUME~1\THECAS~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End



