Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected Computer-posting Hijackthis Log


  • Please log in to reply
7 replies to this topic

#1 kozykidswear

kozykidswear

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:07 PM

Posted 19 January 2007 - 03:02 PM

Running windows xp, computer was very slow and had pop ups. I installed AVG and ran it in safe mode. I then ran hijackthis (not in safe mode). Can you look at my log and let me know if you see anything I need to clean off of here. It's better but still not 100%

Logfile of HijackThis v1.99.1
Scan saved at 2:14:39 PM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CVSEXPSS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\SXPESVC.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\LESLIE\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5BFC69D3-A141-F99B-6F82-80AD0B0CE4C1} - C:\WINDOWS\system32\pucdkg.dll (file missing)
O2 - BHO: (no name) - {7411F8BA-29A3-3216-9DE7-024AC0AAB9F6} - C:\WINDOWS\system32\viyjhai.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {F035A215-3B8D-6354-F59B-114495F519C7} - C:\WINDOWS\system32\tbff.dll (file missing)
O2 - BHO: (no name) - {FEF50E1F-8676-4173-8403-AB66CB8AFAFC} - C:\WINDOWS\system32\ddccb.dll (file missing)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ddhelper] "C:\WINDOWS\W815DM.EXE"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [enuff_temp] C:\Program Files\Akrontech\enuff\ENUFF.exe
O4 - HKLM\..\RunOnce: [sdaemon] "C:\WINDOWS\SDAEMON.EXE"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winbue32 - winbue32.dll (file missing)
O21 - SSODL: gloomily - {9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ENUFF XP Service (ENXPSVC) - Akrontech - C:\WINDOWS\system32\CVSEXPSS.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

BC AdBot (Login to Remove)

 


#2 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:07 AM

Posted 19 January 2007 - 04:34 PM

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

#3 kozykidswear

kozykidswear
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:07 PM

Posted 19 January 2007 - 04:59 PM

Here it is:

SmitFraudFix v2.132

Scan done at 16:57:12.48, Fri 01/19/2007
Run from C:\Documents and Settings\LESLIE\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

C:\Documents and Settings\LESLIE


C:\Documents and Settings\LESLIE\Application Data


Start Menu

C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Security Troubleshooting.url FOUND !

C:\DOCUME~1\LESLIE\FAVORI~1

C:\DOCUME~1\LESLIE\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop

C:\DOCUME~1\ALLUSE~1.WIN\Desktop\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1.WIN\Desktop\Security Troubleshooting.url FOUND !

C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f}"="gloomily"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End

#4 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:07 AM

Posted 19 January 2007 - 05:03 PM

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please make sure AVG Anti-Spyware is fully updated
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete... under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.
For Internet Explorer 4.x - 6.x
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
For Netscape 4.x and Up
  • Click Edit from the Netscape menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
  • Click Edit from the Mozilla menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.
For Opera
  • Click File from the Opera menubar.
  • Click Preferences... from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________

Please post:
  • c:\rapport.txt
  • AVG log
  • A new HijackThis log
Your may need several replies to post the requested logs, otherwise they might get cut off.

#5 kozykidswear

kozykidswear
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:07 PM

Posted 19 January 2007 - 06:56 PM

here is the rapport.txt:

SmitFraudFix v2.132

Scan done at 17:20:35.17, Fri 01/19/2007
Run from C:\Documents and Settings\LESLIE\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f}"="gloomily"


Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\DOCUME~1\ALLUSE~1.WIN\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1.WIN\Desktop\Security Troubleshooting.url Deleted
C:\DOCUME~1\LESLIE\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Security Troubleshooting.url Deleted

Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#6 kozykidswear

kozykidswear
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:07 PM

Posted 19 January 2007 - 06:58 PM

Here's the AVG report

Oops would help for me to hit paste:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:46:13 PM 1/19/2007

+ Scan result:



:mozilla.54:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.55:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.56:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.57:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.80:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.61:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.65:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.68:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.30:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.31:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.32:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.49:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Andrew Brown\Cookies\andrew brown@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.33:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.35:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.36:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.37:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.38:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.34:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.83:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.84:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.85:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.71:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.72:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.73:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.74:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.75:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.76:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.77:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.78:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.92:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.59:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.67:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.69:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.70:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.48:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.50:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.51:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.52:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.53:C:\Documents and Settings\LESLIE\Application Data\Mozilla\Firefox\Profiles\0zyx726h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\system32\wnstssv.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

#7 kozykidswear

kozykidswear
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:07 PM

Posted 19 January 2007 - 06:59 PM

And finally the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:57:55 PM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CVSEXPSS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\SXPESVC.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\LESLIE\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5247CF22-06B0-5864-C148-2C07E1D2B9CB} - C:\WINDOWS\system32\cbknfa.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ddhelper] "C:\WINDOWS\W815DM.EXE"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [enuff_temp] C:\Program Files\Akrontech\enuff\ENUFF.exe
O4 - HKLM\..\RunOnce: [sdaemon] "C:\WINDOWS\SDAEMON.EXE"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ENUFF XP Service (ENXPSVC) - Akrontech - C:\WINDOWS\system32\CVSEXPSS.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

#8 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:07 AM

Posted 20 January 2007 - 01:52 PM

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of perceived vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 .

To check your version to see if it is the latest version, Please go to this link to verify your version to get the updates needed:

You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to verify Your Java software.

Or you can get the manual download here:

Once you have installed the latest update, please go to Add/Remove Programs and remove all older instances of Java listed there

You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints, you do not have to be registered to post.. just find your country room and register your complaint.
The infection you had was smitfraud

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
  • Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Reboot.

    Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.
    NOTE: only do this ONCE,NOT on a regular basis
  • Keep your antivirus updated
  • Keep your firewall updated
  • Keep windows up to date with the latest patches
    IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

    If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
  • Install spywareblaster
    Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
    kill bits
    in the registry, so that certain activex controls can't install.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster here here
    Make sure to update it on a regular basis
  • Install IE-SPYAD
    Dowload and instructions located here
    Make sure to update it on a regular basis
  • Use a HOSTS file
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button (at the lower left hand corner of your screen)
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then double-click it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click ok
  • Install and use Ad-aware & Spybot search & destroy
    Instructions are located here
    Make sure to update them on a regular basis
  • Most exploits are aimed at internet explorer, so I recommend you switch to an altenative browser
    Two good alternative browsers are
    Firefox
    Opera
    It is essential to update to the latest version of your browser, as the updates fix known security holes
  • Even if you do decide to switch to another browser, it is still a good idea to lock down Internet explorer
    This can be done by following these simple instructions:
    From within Internet Explorer click on the Tools menu and then click on Options.
    Click once on the Security tab
    Click once on the Internet icon so it becomes highlighted.
    Click once on the Custom Level button.
    Change the Download signed ActiveX controls to Prompt
    Change the Download unsigned ActiveX controls to Disable
    Change the Initialize and script ActiveX controls not marked as safe to Disable
    Change the Installation of desktop items to Prompt
    Change the Launching programs and files in an IFRAME to Prompt
    Change the Navigate sub-frames across different domains to Prompt
    Change the allow paste operations via script to Disable
    When all these settings have been made, click on the OK button.
    If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.
  • Clean out you temp file on a regular basis
    I use and recommend ATF Cleaner by Attribune
    To use it, follow these instructions
    • Double-click ATF-Cleaner.exe to run the program.
    • Click Main at the top and choose Select All from the list.
    • Click the Empty Selected button.
    If you use Firefox browser:
    • Click Firefox at the top and choose Select All from the list.
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser:
    • Click Opera at the top and choose Select All from the list.
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
  • Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users