Irn.exe Error


  • This topic is locked
39 replies to this topic

#1 mistaken

mistaken

  • Members
  • 40 posts
  • OFFLINE
  • Local time:10:09 PM

Posted 16 February 2007 - 06:55 AM

Here's my problem: http://www.bleepingcomputer.com/forums/t/81626/irnexe-error/

My computer seems to be acting weird, so I posted this log. Can someone please tell me if everything is clean?

Logfile of HijackThis v1.99.1
Scan saved at 3:57:35 PM, on 2/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Hornet\MntrHrnt.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.servihoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Servihoo - Makes Life Easier
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Wanadoo Booster - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\Wanadoo Booster\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [HornetMonitor] C:\Program Files\Common Files\Hornet\MntrHrnt.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: iFinger 2.0.lnk = C:\Program Files\iFinger\iFinger.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?29b813fe739e404b86b6357a5000b115
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?29b813fe739e404b86b6357a5000b115
O8 - Extra context menu item: Open with &ZipScan - C:\PROGRA~1\MYTOOL~1\ZipScan\zs_ie.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\maliphon\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.arriva.mu
O17 - HKLM\Software\..\Telephony: DomainName = corp.arriva.mu
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C7ED6FE-34A3-4BF0-91D5-993B2B2772EF}: NameServer = 202.123.2.6 202.123.2.11
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

2. Here are some applications Sygate is controlling: Client Server Runtime Process, Microsoft Application Error Reporting, Service Executable, Userinit Logon Application, Windows NT Logon Application.
All of the above applications have "Allow" access to the internet in Sygate. If one of these should not have internet access, please tell me.
Seems that this forum is interesting


#2 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:09 PM

Posted 22 February 2007 - 06:23 AM

Hello mistaken, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues, this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#3 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:09 PM

Posted 22 February 2007 - 06:27 AM

I need to see an updated HijackThis log as you have made some changes to your system in terms of (un)installing applications. Besides that, it is hard to read your HijackThis log as you have posted the log in Word Wrap format.
Please rescan with HijackThis and when Notepad opens with the log, go to the Format menu and uncheck the option labelled "Word Wrap". Then post the HijackThis log as a reply to this topic.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#4 mistaken

mistaken
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:10:09 PM

Posted 22 February 2007 - 04:42 PM

Thanks for replying to my log.
I had some suspicious exes: "popmgr" etc. So, as in the link I provided in my first post, someone there told me to use Prevx1. I used it and it blocked some of these exes: "popmgr.exe, irc.exe, sansv.exe".
Now here is a fresh log:

Logfile of HijackThis v1.99.1
Scan saved at 1:46:58 AM, on 2/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Hornet\MntrHrnt.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.servihoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Servihoo - Makes Life Easier
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = arrivamsg01:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Wanadoo Booster - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\Wanadoo Booster\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [HornetMonitor] C:\Program Files\Common Files\Hornet\MntrHrnt.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: iFinger 2.0.lnk = C:\Program Files\iFinger\iFinger.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?29b813fe739e404b86b6357a5000b115
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?29b813fe739e404b86b6357a5000b115
O8 - Extra context menu item: Open with &ZipScan - C:\PROGRA~1\MYTOOL~1\ZipScan\zs_ie.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\maliphon\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.arriva.mu
O17 - HKLM\Software\..\Telephony: DomainName = corp.arriva.mu
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C7ED6FE-34A3-4BF0-91D5-993B2B2772EF}: NameServer = 202.123.2.6 202.123.2.11
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Seems that this forum is interesting
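As an added example (not from this thread, and not part of HijackThis or Prevx), here is a small Python parser for the HijackThis log format above, with a few of the review heuristics a helper applies by eye: entries marked "(file missing)", O23 services with no publisher name, O4 Run entries that launch a bare file name instead of a full path, and the O17 DNS and R1 proxy settings that should be confirmed against what the network is supposed to use. The sample log is constructed (it mirrors the kinds of entries in the posted logs but is not a copy of either), and the heuristics are my own assumptions; a finding is a prompt to verify, not a malware verdict.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis v1.99.1 log format (not a verbatim copy of a posted log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:46:58 AM, on 2/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Prevx1\PXAgent.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = arrivamsg01:8080
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\maliphon\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C7ED6FE-34A3-4BF0-91D5-993B2B2772EF}: NameServer = 202.123.2.6 202.123.2.11
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis entry line is "<code> - <body>", where code is R0..R3 or O1..O24.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
# A launch target is path-qualified if it starts with a drive letter, a UNC prefix
# or an environment variable; a leading double quote is allowed.
QUALIFIED_RE = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\|%[A-Za-z_]+%)')
# O4 Run-key bodies look like 'HKLM\..\Run: [ValueName] <command line>'.
O4_TARGET_RE = re.compile(r"^[^:]*: \[[^\]]*\] (?P<target>.+)$")


@dataclass
class Entry:
    code: str   # section code, e.g. "O23"
    body: str   # text after "O23 - "


@dataclass
class Finding:
    code: str
    reason: str
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Return the R*/O* entries of a HijackThis log in file order."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def running_processes(text: str) -> List[str]:
    """Return the image paths listed under 'Running processes:' (up to the first blank line)."""
    procs, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_block = True
        elif in_block:
            if not line:
                break
            procs.append(line)
    return procs


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply simple review heuristics (assumed, not HijackThis's own); each finding is something to verify."""
    out = []
    for e in entries:
        if "(file missing)" in e.body:
            out.append(Finding(e.code, "orphaned entry: target file no longer exists", e.body))
        if e.code == "O23" and "Unknown owner" in e.body:
            out.append(Finding(e.code, "service without a publisher name (Unknown owner)", e.body))
        if e.code == "O4":
            m = O4_TARGET_RE.match(e.body)
            if m and not QUALIFIED_RE.match(m["target"]):
                out.append(Finding(e.code, "Run entry uses a bare file name resolved via the search path", e.body))
        if e.code == "O17" and "NameServer" in e.body:
            servers = e.body.split("=", 1)[1].split()
            out.append(Finding(e.code, "DNS servers to confirm with the ISP/domain admin: " + ", ".join(servers), e.body))
        if e.code == "R1" and "ProxyServer" in e.body:
            out.append(Finding(e.code, "proxy configured: " + e.body.split("=", 1)[1].strip(), e.body))
    return out


if __name__ == "__main__":
    for p in running_processes(SAMPLE_LOG):
        print("process:", p)
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.code}] {f.reason}\n    {f.body}")
```

On the constructed sample this reports the proxy and DNS settings for confirmation, the bare `AGRSMMSG.exe` Run entry, the orphaned IMVU button, and two findings for the Prevx service line (missing file and no publisher); the remaining entries produce nothing. In practice the parser is most useful on an unwrapped log, which is exactly why the helper above asks for Word Wrap to be turned off before posting.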

#5 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:09 PM

Posted 23 February 2007 - 04:41 AM

Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1
Please download AVG Anti-Spyware 7.5 from the link below and save it to your Desktop.
Download AVG Anti-Spyware 7.5

Once downloaded, locate the icon on your Desktop and double-click on it to launch the setup program. Follow the on-screen instructions to install AVG Anti-Spyware.

Before running AVG Anti-Spyware, it is mandatory that you update its definition files. Follow these instructions to update and configure the program:
1. Start AVG Anti-Spyware.
2. Click the Update icon at the top of the screen. On the newly presented screen, click the button labelled "Start Update". The update process will start.
3. Once the update has completed, select the Scanner icon at the top of the screen, followed by clicking the Settings tab.
4. In the newly presented screen, click on the link named "Recommended actions" and then select the Quarantine option.
5. Under Reports, select the radio button labelled "Automatically generate report after every scan". Unselect the checkbox labelled "Only if threats were found".
6. Close AVG Anti-Spyware 7.5.

Now reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

When in Safe Mode, please follow these instructions to run AVG Anti-Spyware:
1. Close all windows so that you have nothing open and launch AVG Anti-Spyware by double-clicking the icon on your Desktop.
2. Click the Scanner icon at the top of the screen and select the Scan tab.
3. Click on the "Complete System Scan" icon and AVG Anti-Spyware will begin the scanning process. Be patient as this may take some time.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
4. When the scan has finished, AVG Anti-Spyware will list any infections found on the left-hand side. It should automatically set the recommended action to Quarantine.
5. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right-hand side.
6. Click on the button labelled "Save Report", followed by pressing the "Save Report As" button. This will create a text file. Make sure you know where to find this file again.
7. Close AVG Anti-Spyware.
8. Reboot your computer to boot back into normal mode and post the entire contents of the saved text file in your next reply.

Step #2
Please perform an online scan by running Panda's ActiveScan (click).
Follow these instructions:
1. Click on the Scan your PC button once you are on the Panda site. A new window will open.
2. On the newly presented screen, click the Check Now button.
3. Enter your Country.
4. Enter your State/Province.
5. Enter your E-mail Address and click the Send button.
6. Select either Home User or Company.
7. Click the big Scan Now button. If it prompts to install an ActiveX component, allow it.
Panda Software will start downloading the files it requires for the scan. NOTE: This may take a couple of minutes!
8. When the download is complete, click on My Computer to start the scan.
9. When the scan completes - if anything malicious is detected - click the See Report button.
10. Click Save Report and save it to a convenient location easy to remember.
11. Post the entire contents of Panda's ActiveScan report here as a reply to this post.

Step #3
Please download Silent Runners.zip from the download link below and save it to your Desktop.
Download Silent Runners.zip

Once it is downloaded, extract the ZIP file to a new folder on your Desktop. Run the Silent Runners.vbs file inside it by double-clicking on it.
NOTE: If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run. This script is not malicious so please allow it.

Once launched, you will receive a prompt: "Skip supplementary searches?". Click the No button. A text file will appear in the Silent Runners folder. Silent Runners is not done yet, so please let it run. (It won't appear to be doing anything)! Once you receive the "All Done!" prompt, open the text file and post the entire contents of that text file in your next reply.

Step #4
Scan with HijackThis again and post a new HijackThis log.
Also let me know how your computer is running.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#6 mistaken
  • Topic Starter
  • Members
  • 40 posts

Posted 03 March 2007 - 03:44 PM

Due to a cyclone (no internet connection), I took some time to do what you told me, resulting in more problems on my computer. I have followed all the steps and listed the reports below:

Step #1 Report

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:00:57 AM 3/3/2007

+ Scan result:



C:\Documents and Settings\maliphon\Cookies\maliphon@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.


::Report end

Step #2 Report


Incident Status Location

Adware:adware/oemji Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44cf-8957-5838F569A31D}
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\maliphon\Desktop\Sebastien\HighThis Tools\SDFix.exe[SDFix\apps\Process.exe]
Virus:W32/Tearec.A.worm!CME-24 Disinfected Archive2007\Inbox\Fw:\Attachments001.BHX[Atta[001],zip .SCR]
Virus:W32/Netsky.P.worm Disinfected Personal Folders\Inbox\Mail Delivery (failure plamy@ariva.mu)\message.scr
Virus:W32/Sober.AH.worm!CME-681 Disinfected Office email\Inbox\Your_Password\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm!CME-681 Disinfected Office email\Inbox\Registration Confirmation\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm!CME-681 Disinfected Office email\Inbox\You visit illegal websites\question_list.zip[File-packed_dataInfo.exe]
Hacktool:Exploit/iFrame Not disinfected Office email\Inbox\Mail Delivery (failure smatadeen@ariva.mu)
Virus:W32/Netsky.P.worm Disinfected Office email\Inbox\Mail Delivery (failure smatadeen@ariva.mu)\message.scr
Virus:W32/Sober.AH.worm!CME-681 Disinfected Office email\Inbox\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Hacktool:Exploit/iFrame Not disinfected Personal Folders 2005\Deleted Items\Mail Delivery (failure ariva@ariva.mu)
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Deleted Items\Mail Delivery (failure ariva@ariva.mu)\message.scr
Hacktool:Exploit/iFrame Not disinfected Personal Folders 2005\Deleted Items\Mail Delivery (failure smatadeen@ariva.mu)
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Deleted Items\Mail Delivery (failure smatadeen@ariva.mu)\message.scr
Hacktool:Exploit/iFrame Not disinfected Personal Folders 2005\Deleted Items\Mail Delivery (failure ariva@ariva.mu)
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Deleted Items\Re: Administration\readme_ariva.doc .pif
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Deleted Items\Mail Delivery (failure ariva@ariva.mu)\message.scr
Virus:W32/Sober.AH.worm!CME-681 Disinfected Personal Folders 2005\Deleted Items\hi, ive a new mail address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm!CME-681 Disinfected Personal Folders 2005\Deleted Items\Your Password\reg_pass.zip[File-packed_dataInfo.exe]
Hacktool:Exploit/iFrame Not disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure smatadeen@ariva.mu)
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure smatadeen@ariva.mu)\message.scr
Hacktool:Exploit/iFrame Not disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure ariva@ariva.mu)
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure ariva@ariva.mu)\message.scr
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Re: Request\all_in_all.zip[details.txt .pif]
Hacktool:Exploit/iFrame Not disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure smatadeen@ariva.mu)
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure smatadeen@ariva.mu)\message.scr
Hacktool:Exploit/iFrame Not disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure ariva@ariva.mu)
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure ariva@ariva.mu)\message.scr
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Re: Mail Authentification\readme.zip[document.txt .exe]
Hacktool:Exploit/iFrame Not disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure ariva@ariva.mu)
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure ariva@ariva.mu)\message.scr
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Postcard\letter.zip[details.txt .pif]
Hacktool:Exploit/iFrame Not disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure ariva@ariva.mu)
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure ariva@ariva.mu)\message.scr
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Re: Status\data.zip[details.txt .pif]
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Re: Developement\doc_word3.pif
Hacktool:Exploit/iFrame Not disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure smatadeen@ariva.mu)
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure smatadeen@ariva.mu)\message.scr
Virus:W32/Mytob.GM.worm Disinfected Personal Folders 2005\Inbox 2005\Hello\document.zip[document.pif]
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Re: my letter\letter.zip[document.txt .exe]
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure plamy@ariva.mu)\message.scr
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Re: Extended Mail System\data.scr
Hacktool:Exploit/iFrame Not disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure smatadeen@ariva.mu)
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure smatadeen@ariva.mu)\message.scr
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Re: approved letter\letter.txt.pif
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Re: Your document\approved.scr
Hacktool:Exploit/iFrame Not disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure ariva@ariva.mu)
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure ariva@ariva.mu)\message.scr
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Re: Error in document\attach.zip[document.txt .exe]
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\I cannot forget you!\photo.zip[document.txt .exe]
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Private document\about_you.pif
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Re: Protected Mail Request\data_ariva.zip[document.txt .exe]
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\my application\application.pif
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\hello\excel document.zip[data.rtf .scr]
Hacktool:Exploit/iFrame Not disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure ariva@ariva.mu)
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure ariva@ariva.mu)\message.scr
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Re: improved\document_ariva.zip[document.txt .exe]
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Re: SMTP Server\readme_ariva.zip[data.rtf .scr]
Hacktool:Exploit/iFrame Not disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure ariva@ariva.mu)
Virus:W32/Netsky.P.worm Disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure ariva@ariva.mu)\message.scr
Hacktool:Exploit/iFrame Not disinfected Personal Folders 2005\Inbox 2005\Mail Delivery (failure ariva@ariva.mu)
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\user\Cookies\user@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\user\Cookies\user@dist.belnk[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\user\Cookies\user@gostats[2].txt
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5VXZ76XQ\CursorManiaFWBInitialSetup1.0.0.15[1].cab[f3initialsetup1.0.0.15.inf]
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe

Step #3 Report

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"LtMoh" = "C:\Program Files\ltmoh\Ltmoh.exe" ["Agere Systems"]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"IntelWireless" = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe" ["HP"]
"SsAAD.exe" = "C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [null data]
"HornetMonitor" = "C:\Program Files\Common Files\Hornet\MntrHrnt.exe" ["Alcor Micro, Corp."]
"WatchDog" = "C:\Program Files\mobile PhoneTools\WatchDog.exe" [null data]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]
{A114D52B-870C-4F15-8021-B6D7F91A054B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "iFinger plugin / Browser helper object"
\InProcServer32\(Default) = "C:\PROGRA~1\iFinger\plugins\IE.ifp" ["iFinger Ltd"]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\GDI\Office\soa800.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\maliphon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "maliphon" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe" [empty string]
"Firewall Client Connectivity Monitor" -> shortcut to: "C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE" [MS]
"iFinger 2.0" -> shortcut to: "C:\Program Files\iFinger\iFinger.exe /NOSPLASH" ["iFinger Ltd"]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
"Check Updates for Windows Live Toolbar" -> launches: "C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE" [MS]
"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\Program Files\Microsoft Firewall Client\wspwsp.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Microsoft Firewall Client\wspwsp.dll [MS], 01 - 04
%SystemRoot%\system32\mswsock.dll [MS], 05 - 07, 10 - 36
%SystemRoot%\system32\rsvpsp.dll [MS], 08 - 09


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{8B79EE88-E62D-4AA8-B530-CC357BA112B7}"
-> {HKLM...CLSID} = "Wanadoo Booster"
\InProcServer32\(Default) = "C:\Program Files\Wanadoo Booster\Toolband.dll" ["SlipStream Data Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{8B79EE88-E62D-4AA8-B530-CC357BA112B7}" = (no title provided)
-> {HKLM...CLSID} = "Wanadoo Booster"
\InProcServer32\(Default) = "C:\Program Files\Wanadoo Booster\Toolband.dll" ["SlipStream Data Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{0CBD5120-990B-11D3-8ABD-00C04FA95EE0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "iFinger"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHDOCVW.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll" ["Sun Microsystems, Inc."]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]

{936E5D60-596C-11D3-BB96-00600816DF55}\
"ButtonText" = "iFinger"

{D9288080-1BAA-4BC4-9CF8-A92D743DB949}\
"ButtonText" = "Run IMVU"
"Exec" = "C:\Documents and Settings\maliphon\Start Menu\Programs\IMVU\Run IMVU.lnk" [file not found]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "*i" (unwritable string)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
SAVRoam, SavRoam, ""C:\Program Files\Symantec AntiVirus\SavRoam.exe"" ["symantec"]
SonicStage SCSI Service, SSScsiSV, "C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe" ["Sony Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Dell J740 Port\Driver = "dlbjlmpm.DLL" [empty string]
EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]
hpzlnt06\Driver = "hpzlnt06.dll" ["HP"]
Lexmark Network Port\Driver = "lexlmpm.dll" ["Lexmark International, Inc."]
PDF995 Monitor\Driver = "pdf995mon.dll" [null data]
PrimoMon\Driver = "Primomonnt.dll" [null data]


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 80 seconds.
---------- (total run time: 132 seconds)

Edited by mistaken, 03 March 2007 - 03:48 PM.

Seems that this forum is interesting
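The ActiveScan report in the post above is easier to act on once each line is bucketed by where the detection lives (an Outlook store, the registry, the cookie folder, the IE cache, or a plain file) and by whether Panda actually removed it. The Python below is an added example written for this page; it is not code from the thread or from Panda. It assumes ActiveScan's one-detection-per-line format, `<category>:<name> <status> <location>`, exactly as it appears in the post, and works on a constructed excerpt (SAMPLE_PANDA_REPORT) of eight lines copied from that report.

```python
import re
from collections import Counter, defaultdict

# One ActiveScan line is "<category>:<detection> <status> <location>"; the status is
# the only field with a fixed vocabulary, so it anchors the split.
LINE_RE = re.compile(
    r"^(?P<category>[A-Za-z ]+):(?P<name>\S+)\s+"
    r"(?P<status>Not disinfected|Disinfected)\s+(?P<location>.+?)\s*$"
)

# Constructed excerpt: eight lines copied from the report in the post above.
SAMPLE_PANDA_REPORT = r"""
Incident Status Location

Adware:adware/oemji Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44cf-8957-5838F569A31D}
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Virus:W32/Netsky.P.worm Disinfected Personal Folders\Inbox\Mail Delivery (failure plamy@ariva.mu)\message.scr
Virus:W32/Sober.AH.worm!CME-681 Disinfected Office email\Inbox\Your_Password\reg_pass-data.zip[File-packed_dataInfo.exe]
Hacktool:Exploit/iFrame Not disinfected Office email\Inbox\Mail Delivery (failure smatadeen@ariva.mu)
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\user\Cookies\user@belnk[1].txt
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5VXZ76XQ\CursorManiaFWBInitialSetup1.0.0.15[1].cab[f3initialsetup1.0.0.15.inf]
"""


def classify_location(location):
    """Bucket a location by what acting on it would involve."""
    if location == "Windows Registry" or location.startswith("HKEY_"):
        return "registry"
    if re.match(r"^[A-Za-z]:\\", location):
        if "\\Cookies\\" in location:
            return "cookie"
        if "Temporary Internet Files" in location:
            return "browser cache"
        return "filesystem"
    # Anything else is a folder path inside an Outlook store (Inbox, Deleted Items, ...).
    return "mail store"


def parse_report(text):
    """Return one dict per detection line; the header and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            f = m.groupdict()
            f["where"] = classify_location(f["location"])
            findings.append(f)
    return findings


def summarize(findings):
    """Count detections per (bucket, status) pair."""
    return Counter((f["where"], f["status"]) for f in findings)


def leftovers(findings):
    """Everything the scanner reported but did not remove, grouped by bucket."""
    groups = defaultdict(list)
    for f in findings:
        if f["status"] == "Not disinfected":
            groups[f["where"]].append(f)
    return dict(groups)


if __name__ == "__main__":
    found = parse_report(SAMPLE_PANDA_REPORT)
    for (where, status), n in sorted(summarize(found).items()):
        print(f"{n:3d}  {status:16s} {where}")
    for where, items in leftovers(found).items():
        print(f"\n{where}: still present")
        for f in items:
            print(f"  {f['category']}:{f['name']}  ->  {f['location']}")
```

Run as a script it prints the per-bucket counts and then the "Not disinfected" items grouped by bucket. Fed the full report the picture is the same as in the excerpt: the Netsky, Sober, Mytob and Tearec hits are attachments inside archived Outlook folders, which Panda disinfected and which do nothing unless somebody opens them; the Exploit/iFrame entries point at whole "Mail Delivery (failure ...)" bounce messages rather than at files, so they stay "Not disinfected" until those messages are deleted in Outlook; the two Application/Processor hits are the same Process.exe, once under C:\SDFix and once inside the SDFix.exe archive, so they are a component of a cleanup tool already on the machine rather than an infection. What is left for manual follow-up is the adware/oemji registry data, the mywebsearch CLSID stats key, the FunWeb cab in the IE cache and the tracking cookies.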
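The Silent Runners report in the post above marks two kinds of lines, <<!>> (a launch point malware commonly uses) and <<H>> (a browser hijack point), and ends every launch-point line with a bracketed company tag. The Python below is an added example for this page, not part of the thread or of the Silent Runners script. It assumes the tag is the company name read from the file's version information ([MS] for Microsoft, [null data] when there is no version resource, [empty string] when the company field is blank, [file not found] when the path no longer resolves), parses a constructed excerpt (SAMPLE_SILENT_RUNNERS) of lines copied from the report, and ranks the entries into a review queue.

```python
import re

# Every launch-point line Silent Runners prints ends with a bracketed tag. This example
# assumes the tag is the company name from the file's version information: [MS] for
# Microsoft, ["Vendor"] otherwise, [null data] for no version resource at all,
# [empty string] for a blank company field, [file not found] for a dead path.
TAG_RE = re.compile(r'\[(?P<tag>[^\]]*)\]\}?\s*$')
FULL_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|ocx|cpl|scr|ifp|vbs)', re.I)
BARE_FILE_RE = re.compile(r'[\w.~-]+\.(?:exe|dll|ocx|cpl|scr|ifp|vbs)', re.I)

# Constructed excerpt: lines copied from the Silent Runners report in the post above.
SAMPLE_SILENT_RUNNERS = r"""
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"SsAAD.exe" = "C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [null data]
"WatchDog" = "C:\Program Files\mobile PhoneTools\WatchDog.exe" [null data]

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe" [empty string]

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "*i" (unwritable string)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"""


def classify_tag(tag):
    """Map the bracketed tag to (kind, company)."""
    tag = tag.strip()
    if tag == "MS":
        return "microsoft", "Microsoft"
    if len(tag) >= 2 and tag[0] == tag[-1] == '"':
        return "vendor", tag[1:-1].strip()
    return tag, ""  # "null data", "empty string" or "file not found"


def image_of(value):
    """The module actually loaded: last full path, else last bare file name."""
    hits = FULL_PATH_RE.findall(value) or BARE_FILE_RE.findall(value)
    return hits[-1] if hits else value


def split_body(body):
    """Separate the launch-point name from what it launches."""
    for sep in (" = ", " -> shortcut to: "):
        if sep in body:
            key, _, value = body.partition(sep)
            return key.strip().strip('"'), value.strip()
    key, _, value = body.rpartition(", ")  # service lines: Display Name, ServiceName, "path"
    return key.strip(), value.strip()


def parse_silent_runners(text):
    """One dict per tagged line; a <<!>>/<<H>> flag carries over to its continuation lines."""
    entries, marker = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("<<!>>", "<<H>>")):
            marker, line = line[2], line[5:].strip()
        elif not line.startswith(("->", "\\")):
            marker = None
        m = TAG_RE.search(line)
        if not m:
            continue
        key, value = split_body(line[:m.start()].rstrip())
        kind, company = classify_tag(m.group("tag"))
        entries.append({"key": key, "image": image_of(value), "kind": kind,
                        "company": company, "marker": marker})
    return entries


def triage(entry):
    """(rank, reason) for one entry: 1 is most urgent, 4 is routine."""
    reasons = []
    if entry["kind"] == "file not found":
        reasons.append((1, "orphaned launch point, the file is gone"))
    if entry["kind"] in ("null data", "empty string"):
        reasons.append((2, "no company name in the version resource, identify the file by hash"))
    if entry["marker"] == "H":
        reasons.append((2, "browser hijack point, confirm the DLL is wanted"))
    if entry["marker"] == "!":
        reasons.append((3, "launch point routinely abused, confirm the publisher is expected"))
    return min(reasons) if reasons else (4, "company name present (version strings are not a signature)")


def review_queue(entries, max_rank=3):
    """Entries worth a human look, most urgent first."""
    queue = []
    for e in entries:
        rank, reason = triage(e)
        if rank <= max_rank:
            queue.append(dict(e, rank=rank, reason=reason))
    return sorted(queue, key=lambda e: (e["rank"], e["image"].lower()))
```

Calling review_queue(parse_silent_runners(text)) on the full report puts the two orphans first (deskpan.dll and the missing "Run IMVU" shortcut), then the [null data] and [empty string] files (SsAAD.exe, WatchDog.exe, rarext.dll, dslmon.exe, AcroIEHelper.ocx and the print-monitor DLLs), which need a hash lookup or a signature check rather than a glance at the name, then the <<!>> and <<H>> entries, all of which in this log resolve to Windows Defender, AVG, Intel, Symantec and Yahoo! components. The company tag comes from version strings that any binary can carry, so the queue orders the work; it does not clear a file.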

#7 mistaken
  • Topic Starter
  • Members
  • 40 posts

Posted 03 March 2007 - 03:49 PM

Step #4 Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:49:43 AM, on 3/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Hornet\MntrHrnt.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.servihoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Servihoo - Makes Life Easier
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Wanadoo Booster - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\Wanadoo Booster\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [HornetMonitor] C:\Program Files\Common Files\Hornet\MntrHrnt.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: iFinger 2.0.lnk = C:\Program Files\iFinger\iFinger.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?29b813fe739e404b86b6357a5000b115
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?29b813fe739e404b86b6357a5000b115
O8 - Extra context menu item: Open with &ZipScan - C:\PROGRA~1\MYTOOL~1\ZipScan\zs_ie.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\maliphon\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.arriva.mu
O17 - HKLM\Software\..\Telephony: DomainName = corp.arriva.mu
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Seems that this forum is interesting

#8 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:09 PM

Posted 05 March 2007 - 03:10 PM

Hello there again.

Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.


Step #1: ATF Cleaner
Please download ATF Cleaner from the download link below and save it to your Desktop.
Download ATF Cleaner

Now follow these instructions to run ATF Cleaner:
1. Double-click ATF-Cleaner.exe to run the program.
2. Click once on the Main tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
3. Then click on the button labelled "Empty Selected".

If you use the Mozilla Firefox browser, please follow these instructions as well:
1. Click once on the Firefox tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
2. Then click on the button labelled "Empty Selected". NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, please follow these instructions as well:
1. Click once on the Opera tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
2. Then click on the button labelled "Empty Selected". NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Now click the Exit button on the Main tab to exit the program.

Step #2: removing infected emails
You have received some infected emails that should be deleted from your computer.
Please perform these instructions to get rid of them:
1. Close all programs so that you have nothing open and are at the Desktop.
2. Launch your email application.
3. Look through the list of emails in your Inbox and delete all those that appear to be Mail Delivery failure or similar.
4. Empty your Deleted Items folder.

We will run some other scans later to make sure we get rid of all infected emails.

Step #3: registry fix
I want you to back up the registry, because we are going to make a few changes to it. To export the registry to a .reg file, please follow these steps:
1. Close all programs so that you have nothing open and are at the Desktop.
2. Go to Start > Run.
3. In the Run: field copy/paste the entire contents inside the QUOTE box below and press the OK button.

regedit /e registry.reg

Now that a secure backup copy has been made, copy the entire contents inside the CODE box below into Notepad. Then click File > Save and save as remove.reg (save as type: All files) to the Desktop.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44cf-8957-5838F569A31D}]

Go to the Desktop and double-click remove.reg. When prompted to merge its contents to the registry, click the Yes button.

Step #4: F-Secure Blacklight scan
Please download F-Secure Blacklight from the download link below.
Download F-Secure Blacklight

Once downloaded, move blbeta.exe into its own directory on the C: drive.

Now please perform these instructions to run F-Secure Blacklight:
1. Double-click on the blbeta.exe file to start F-Secure Blacklight.
2. In the upcoming screen, check the checkbox labelled "I accept the agreement" and press the Next button.
3. Next, press the Scan button.
4. Once the scanning procedure is done, click on the Next button, followed by clicking on the Exit button.
5. Navigate to the folder in which blbeta.exe is located using My Computer or Windows Explorer and open the Notepad file in it.
6. Post the entire contents of that log as a reply to this post.
NOTE: Do not fix anything with F-Secure Blacklight. Files found may be legitimate!

Step #5: Kaspersky Online Scanner
Please perform an online scan with Kaspersky Online Scanner (click).
Follow these instructions:
1. Click on the button labelled "Kaspersky Online Scanner".
2. You will be prompted to install an ActiveX component from Kaspersky. Install it.
3. The program will launch and then begin downloading the latest definition files. Once the files have been downloaded, click on NEXT.
4. Now click on "Scan Settings".
5. In the scan settings, make sure the following are selected:

Scan using the following Anti-Virus database:
Extended (if available, otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

6. Click OK.
7. Now under select a target to scan, select My Computer.

The program will start and scan your system.
NOTE: The scan will take a while so be patient and let it run.

Once the scan is complete it will display if your system has been infected. Click on the button labelled "Save as Text" and save a text file to your Desktop. Copy and paste that information in your next post.

Step #6: HijackThis scan
Scan with HijackThis again and post a new HijackThis log.

In your first post, you said that your computer seems to be acting weird. Could you be more specific about the problems you are experiencing? So, what are the symptoms?
Please provide me with some more information.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

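As an added triage helper (not part of this thread, and not a Kaspersky or BleepingComputer tool): the Kaspersky Online Scanner report requested in Step #5 lists one object per line as "path, verdict, last action", and the useful question for a reader of such a report is where each hit sits. A hit inside the Symantec quarantine folder or inside an Outlook .pst/.bak archive is a leftover that the Step #2 mailbox clean-up and a quarantine purge will handle, while a hit on the live filesystem is what actually needs attention. The script below parses that line format and buckets the hits accordingly. The sample lines are copied from the report posted later in this thread and cut down to a few entries; the verdict keywords ("Infected:", "Suspicious:", "Object is locked", and the per-archive "infected - N, suspicious - M" totals) are the ones visible in that report, and any other layout is an assumption.

```python
"""Triage a Kaspersky Online Scanner text report by verdict and location.

Added example; not a Kaspersky or forum tool. The sample lines are copied
from the report posted in this thread and cut down to a few entries. The
line layout assumed here ("<path> <verdict> <last action>") and the verdict
keywords are the ones visible in that report.
"""
import re
from collections import Counter

SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\082C0000.VBN/crack.exe Infected: Trojan-Downloader.Win32.Small.ddp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A400000\4FC823CF.VBN Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/04 Nov 2004 07:54 from ravi_aman@rediffmail.com:Mail Delivery (f.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/06 Apr 2005 09:17 from Mail Delivery System:Mail delivery failed.eml/[From ariva@ariva.mu][Date Wed, 6 Apr 2005 13:08:12 +0400]/UNNAMED/document.exe Infected: Net-Worm.Win32.Mytob.i skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst Mail MS Mail: infected - 6, suspicious - 15 skipped
"""

# The path may itself contain spaces and colons, so the verdict is matched
# from the right with the line end anchored: the lazy path group stops at the
# first point where a known verdict followed by the final action word fits.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<verdict>Object is locked"
    r"|Infected: \S+"
    r"|Suspicious: \S+"
    r"|[\w ]+: (?:infected - \d+(?:, suspicious - \d+)?|suspicious - \d+)) "
    r"(?P<action>\w+)$"
)
QUARANTINE_RE = re.compile(r"\\Quarantine\\", re.IGNORECASE)
MAILBOX_RE = re.compile(r"\.(?:pst|ost|bak)(?:/|$)", re.IGNORECASE)


def classify_container(path):
    """Say whether an object sits in an AV quarantine, a mail archive, or the live filesystem."""
    if QUARANTINE_RE.search(path):
        return "av-quarantine"
    if MAILBOX_RE.search(path):
        return "mail-archive"
    return "filesystem"


def parse_line(line):
    """Return a record for one report line, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    path, verdict, action = m.group("path", "verdict", "action")
    if verdict == "Object is locked":
        kind, name = "locked", None              # file in use, never scanned
    elif verdict.startswith("Infected: "):
        kind, name = "infected", verdict[len("Infected: "):]
    elif verdict.startswith("Suspicious: "):
        kind, name = "suspicious", verdict[len("Suspicious: "):]
    else:
        kind, name = "archive-summary", verdict  # per-container totals, not a new hit
    return {"path": path, "kind": kind, "name": name, "action": action,
            "container": classify_container(path)}


def parse_report(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec is not None]


def summarize(records):
    """Count hits per (container, kind); archive summaries repeat earlier hits and are excluded."""
    by_bucket = Counter()
    names = Counter()
    for r in records:
        if r["kind"] in ("infected", "suspicious"):
            by_bucket[(r["container"], r["kind"])] += 1
            names[r["name"]] += 1
    live = sum(n for (container, _), n in by_bucket.items() if container == "filesystem")
    return {"by_bucket": dict(by_bucket), "names": dict(names), "live_hits": live}


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for (container, kind), n in sorted(summary["by_bucket"].items()):
        print(f"{container:14} {kind:10} {n}")
    print("hits outside quarantine and mail archives:", summary["live_hits"])
```

On the sample lines every hit lands in the quarantine or mail-archive buckets and the live-filesystem count is zero, which is the reading a helper would want to confirm before deciding that the remaining work is mailbox clean-up rather than an active infection. The "Object is locked" entries are kept as their own kind because they were never scanned at all, so they are a coverage gap rather than a clean result.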

#9 mistaken

mistaken
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 07 March 2007 - 02:48 PM

I just reached Step #4 (I still need to do the next 2 Steps). Log of Step #4:

Step #4: F-Secure Blacklight scan

03/07/07 23:46:34 [Info]: BlackLight Engine 1.0.55 initialized
03/07/07 23:46:34 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/07/07 23:46:34 [Note]: 7019 4
03/07/07 23:46:34 [Note]: 7005 0
03/07/07 23:47:13 [Note]: 7006 0
03/07/07 23:47:13 [Note]: 7011 2168
03/07/07 23:47:13 [Note]: 7026 0
03/07/07 23:47:13 [Note]: 7026 0
03/07/07 23:47:29 [Note]: FSRAW library version 1.7.1021
03/07/07 23:56:39 [Note]: 2000 1012
03/07/07 23:57:15 [Note]: 7007 0

Edited by mistaken, 07 March 2007 - 02:51 PM.

Seems that this forum is interesting

#10 mistaken

mistaken
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 09 March 2007 - 03:28 PM

Step #5: Kaspersky Online Scanner

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 10, 2007 12:23:07 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/03/2007
Kaspersky Anti-Virus database records: 279825
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
H:\
W:\
X:\
Y:\

Scan Statistics:
Total number of scanned objects: 55610
Number of viruses found: 18
Number of infected objects: 57 / 0
Number of suspicious objects: 57
Duration of the scan process: 01:54:21

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02042007-171732.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\082C0000.VBN/crack.exe Infected: Trojan-Downloader.Win32.Small.ddp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\082C0000.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\082C0000.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\082C0001.VBN/crack.exe Infected: Trojan-Downloader.Win32.Small.ddp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\082C0001.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\082C0001.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09280000\4DE9CC8D.VBN Infected: Backdoor.Win32.VanBot.az skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A400000\4FC823CF.VBN Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A780000\4FFF0798.VBN Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A780001\4FFF0878.VBN Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A780002\4FFF0888.VBN Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A780003\4FFF089A.VBN Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A780004\4FFF150B.VBN Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A780005\4FFF151C.VBN Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B840000\4FCC64D2.VBN Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B840001\4FCC6510.VBN Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B840002\4FCC676F.VBN Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FD40000\4FF6BDB9.VBN Infected: Email-Worm.Win32.Warezov.ls skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\maliphon\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\maliphon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\maliphon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\maliphon\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{F0C721B8-D3FB-4997-AFE7-EBEAACD3B9D6} Object is locked skipped
C:\Documents and Settings\maliphon\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\maliphon\Local Settings\History\History.IE5\MSHist012007030920070310\index.dat Object is locked skipped
C:\Documents and Settings\maliphon\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/15 Sep 2004 05:33 from lalitha@geodis.com.my:Status (plamy@ariva.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/04 Nov 2004 07:54 from ravi_aman@rediffmail.com:Mail Delivery (f.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/03 Nov 2004 12:30 from romesh@oeline.com:Mail Delivery (failure .rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/06 Nov 2004 07:06 from ilsadel@vsnl.net:Mail Delivery (failure p.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/20 Nov 2004 08:41 from dany.appavoo@cargo.rogers.mu:Mail Deliver.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/20 Dec 2004 05:51 from Smith Barney:Smith Barney: Urgent Securit.rtf Infected: Trojan-Spy.HTML.Smitfraud.a skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/19 Dec 2004 20:01 from Smith Barney:URGENT SECURITY NOTICE.rtf Infected: Trojan-Spy.HTML.Smitfraud.c skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/29 Dec 2004 04:39 from praveen_bihani@ilsaonline.com:Mail Delive.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/30 Jan 2005 17:54 from Smith Barney:IMPORTANT INFORMATION: YOUR .rtf Infected: Trojan-Spy.HTML.Smitfraud.c skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/04 Mar 2005 07:39 from ganesh.kumar@schenker.com:Mail Delivery (.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/04 Mar 2005 07:39 from ganesh.kumar@schenker.com:Mail Delivery (/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/15 Mar 2005 04:34 from s_kapoor_cargo@hotmail.com:Mail Delivery .rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/06 Apr 2005 09:17 from Mail Delivery System:Mail delivery failed.eml/[From ariva@ariva.mu][Date Wed, 6 Apr 2005 13:08:12 +0400]/UNNAMED/document.exe Infected: Net-Worm.Win32.Mytob.i skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/06 Apr 2005 09:17 from Mail Delivery System:Mail delivery failed.eml/[From ariva@ariva.mu][Date Wed, 6 Apr 2005 13:08:12 +0400]/UNNAMED Infected: Net-Worm.Win32.Mytob.i skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/06 Apr 2005 09:17 from Mail Delivery System:Mail delivery failed.eml Infected: Net-Worm.Win32.Mytob.i skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/14 Apr 2005 05:05 from prijasus@yahoo.co.in:Mail Delivery (failu.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/13 Apr 2005 10:02 from System Administrator:Undeliverable: Mail /13 Apr 2005 10:47 from Percy Lamy:Mail Delivery (failure ravinde.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/21 Jun 2005 09:42 from babaexports155@yahoo.co.in:Mail Delivery .rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/15 Jun 2005 13:01 from expertmaritime.dam@albarrak.com:Mail Deli.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/15 Jun 2005 10:58 from airogo@eth.net:Server Error (eoodman@ariv.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/10 Jun 2005 11:28 from dola_murali@in.nyklogistics.com:Delivery .rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak/Personal Folders/Inbox/18 Jul 2005 10:45 from System Administrator:Undeliverable: Deliv/18 Jul 2005 10:44 from Edwards Oodoomansaib:Delivery Failed (.vi.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.bak Mail MS Mail: infected - 7, suspicious - 15 skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/18 Jul 2005 10:45 from System Administrator:Undeliverable: Deliv/18 Jul 2005 10:44 from Edwards Oodoomansaib:Delivery Failed (.vi.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/10 Jun 2005 11:28 from dola_murali@in.nyklogistics.com:Delivery .rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/15 Sep 2004 05:33 from lalitha@geodis.com.my:Status (plamy@ariva.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/04 Nov 2004 07:54 from ravi_aman@rediffmail.com:Mail Delivery (f.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/03 Nov 2004 12:30 from romesh@oeline.com:Mail Delivery (failure .rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/06 Nov 2004 07:06 from ilsadel@vsnl.net:Mail Delivery (failure p.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/20 Nov 2004 08:41 from dany.appavoo@cargo.rogers.mu:Mail Deliver.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/20 Dec 2004 05:51 from Smith Barney:Smith Barney: Urgent Securit.rtf Infected: Trojan-Spy.HTML.Smitfraud.a skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/19 Dec 2004 20:01 from Smith Barney:URGENT SECURITY NOTICE.rtf Infected: Trojan-Spy.HTML.Smitfraud.c skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/29 Dec 2004 04:39 from praveen_bihani@ilsaonline.com:Mail Delive.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/30 Jan 2005 17:54 from Smith Barney:IMPORTANT INFORMATION: YOUR .rtf Infected: Trojan-Spy.HTML.Smitfraud.c skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/04 Mar 2005 07:39 from ganesh.kumar@schenker.com:Mail Delivery (.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/15 Mar 2005 04:34 from s_kapoor_cargo@hotmail.com:Mail Delivery .rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/06 Apr 2005 09:17 from Mail Delivery System:Mail delivery failed.eml/[From ariva@ariva.mu][Date Wed, 6 Apr 2005 13:08:12 +0400]/UNNAMED/document.exe Infected: Net-Worm.Win32.Mytob.i skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/06 Apr 2005 09:17 from Mail Delivery System:Mail delivery failed.eml/[From ariva@ariva.mu][Date Wed, 6 Apr 2005 13:08:12 +0400]/UNNAMED Infected: Net-Worm.Win32.Mytob.i skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/06 Apr 2005 09:17 from Mail Delivery System:Mail delivery failed.eml Infected: Net-Worm.Win32.Mytob.i skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/14 Apr 2005 05:05 from prijasus@yahoo.co.in:Mail Delivery (failu.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/13 Apr 2005 10:02 from System Administrator:Undeliverable: Mail /13 Apr 2005 10:47 from Percy Lamy:Mail Delivery (failure ravinde.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/21 Jun 2005 09:42 from babaexports155@yahoo.co.in:Mail Delivery .rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/15 Jun 2005 13:01 from expertmaritime.dam@albarrak.com:Mail Deli.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst/Personal Folders/Inbox/15 Jun 2005 10:58 from airogo@eth.net:Server Error (eoodman@ariv.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\myrella.pst Mail MS Mail: infected - 6, suspicious - 15 skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Office email.pst/Office email/Inbox/28 Nov 2005 06:44 from ijay@ewfcpl.com:Mail Delivery (failure sm.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Office email.pst Mail MS Mail: suspicious - 1 skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Deleted Items/05 Dec 2005 19:41 from cornerstone@yansang.com:Mail Delivery (fa.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Deleted Items/12 Oct 2005 03:51 from /alex@pro.ro:Mail Delivery (failure ariva.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Deleted Items/15 Oct 2005 07:54 from 02440@poletopoleshipping.net:Mail Deliver.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Deleted Items/24 Oct 2005 11:32 from 4177@mail.fz.fj.cn:Mail Delivery (failure.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/18 Aug 2005 05:54 from linkscochin@linksin.com:Mail Delivery (fa.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/27 Aug 2005 12:19 from Mail Delivery System:Mail delivery failed.eml/[From maliphon@ariva.mu][Date Sat, 27 Aug 2005 16:52:37 +0430]/UNNAMED/doc01.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/27 Aug 2005 12:19 from Mail Delivery System:Mail delivery failed.eml/[From maliphon@ariva.mu][Date Sat, 27 Aug 2005 16:52:37 +0430]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/27 Aug 2005 12:19 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/30 Sep 2005 06:14 from monish@ilsaonline.co0:Mail Delivery (fail.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/27 Oct 2005 10:21 from hyyu@bigfoot.com:Mail Delivery (failure a.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/27 Oct 2005 02:14 from zenaida.revilla@tpc.steniel.com.ph:Mail D.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/26 Oct 2005 14:43 from eBay Inc:EBAY: CLIENT'S DATA VERIFICATION.html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/26 Oct 2005 14:43 from eBay Inc:EBAY: CLIENT'S DATA VERIFICATION.rtf Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/21 Oct 2005 07:54 from ariv@zipmail.com.br:Mail Delivery (failur.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/20 Oct 2005 02:34 from ariv@btv.lt:Mail Delivery (failure ariva@.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/19 Oct 2005 05:05 from ariva001@student.ucr.edu:Mail Delivery (f.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/18 Oct 2005 09:33 from sumeet@spickglobal.net:Mail Delivery (fai.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/18 Oct 2005 04:15 from ariv@angelfire.com:Mail Delivery (failure.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/14 Oct 2005 01:57 from ariv14@nus.edu.sg:Mail Delivery (failure .rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/13 Oct 2005 05:47 from midu7@hotmail.com:Mail Delivery (failure .rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/11 Oct 2005 05:42 from rkap@rediffmail.com:Mail Delivery (failur.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/10 Oct 2005 04:24 from omindustries2003@yahoo.com:Mail Delivery .rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/10 Oct 2005 03:13 from ariv@nemic.co.il:Mail Delivery (failure a.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/09 Oct 2005 02:55 from ariv@terra.com.br:Mail Delivery (failure .rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/08 Oct 2005 03:06 from awu@asmortgage.com:Mail Delivery (failure.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/07 Oct 2005 04:57 from sunil@transcorprint.com:Mail Delivery (fa.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/07 Oct 2005 04:11 from ariva@adoabasteci.com.mx:Mail Delivery (f.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/19 Nov 2005 10:18 from Mail Delivery System:Mail delivery failed.eml/[From smatadeen@ariva.mu][Date Sat, 1 Jan 2000 05:56:18 +0530]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/19 Nov 2005 10:18 from Mail Delivery System:Mail delivery failed.eml/[From smatadeen@ariva.mu][Date Sat, 1 Jan 2000 05:56:18 +0530]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/19 Nov 2005 10:18 from Mail Delivery System:Mail delivery failed.eml/[From smatadeen@ariva.mu][Date Sat, 1 Jan 2000 05:56:18 +0530]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/19 Nov 2005 10:18 from Mail Delivery System:Mail delivery failed.eml/[From smatadeen@ariva.mu][Date Sat, 1 Jan 2000 05:56:18 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/19 Nov 2005 10:18 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst/Personal Folders 2005/Inbox 2005/23 Nov 2005 04:49 from hema@transways.com.my:Delivery Failure (p.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\maliphon\My Documents\outlook\Users.pst Mail MS Mail: infected - 8, suspicious - 25 skipped
C:\Documents and Settings\maliphon\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\maliphon\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Download Pics\New Wallpapers\Cool Wallpapers\Le Tireur.jpg Object is locked skipped
C:\Download Pics\New Wallpapers\Cool Wallpapers\Neo Bullets.jpg Object is locked skipped
C:\Downloads\Christian Download\Previous\3dfallingleavesfree.exe/WISE0045.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Downloads\Christian Download\Previous\3dfallingleavesfree.exe/WISE0046.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Downloads\Christian Download\Previous\3dfallingleavesfree.exe/WISE0047.BIN/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\Downloads\Christian Download\Previous\3dfallingleavesfree.exe/WISE0047.BIN/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\Downloads\Christian Download\Previous\3dfallingleavesfree.exe/WISE0047.BIN/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Downloads\Christian Download\Previous\3dfallingleavesfree.exe/WISE0047.BIN/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.370 skipped
C:\Downloads\Christian Download\Previous\3dfallingleavesfree.exe/WISE0047.BIN/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Downloads\Christian Download\Previous\3dfallingleavesfree.exe/WISE0047.BIN/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Downloads\Christian Download\Previous\3dfallingleavesfree.exe/WISE0047.BIN Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Downloads\Christian Download\Previous\3dfallingleavesfree.exe/WISE0048.BIN Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\Downloads\Christian Download\Previous\3dfallingleavesfree.exe WiseSFX: infected - 10 skipped
C:\Downloads\Christian Download\Previous\3dfallingleavesfree.exe WiseSFX Dropper: infected - 10 skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\filesubmit\ghostofmany.zip\atoolbar400134.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
C:\Program Files\filesubmit\ghostofmany.zip\atoolbar400134.exe WiseSFX: infected - 1 skipped
C:\Program Files\filesubmit\ghostofmany.zip\atoolbar400134.exe WiseSFX Dropper: infected - 1 skipped
C:\Program Files\iFinger\README.TXT Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0703NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0990NAV~.TMP Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{21663E27-2BE8-45CE-8EF5-AEA30E256767}\RP20\change.log Object is locked skipped
C:\WINDOWS\bthservsdp.dat Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
Seems that this forum is interesting

#11 mistaken

mistaken
  • Topic Starter

  • Members
  • 40 posts
  • Local time:10:09 PM

Posted 09 March 2007 - 03:30 PM

Step #6: HijackThis scan

Logfile of HijackThis v1.99.1
Scan saved at 12:37:45 AM, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Hornet\MntrHrnt.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.servihoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Servihoo - Makes Life Easier
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Wanadoo Booster - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\Wanadoo Booster\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [HornetMonitor] C:\Program Files\Common Files\Hornet\MntrHrnt.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: iFinger 2.0.lnk = C:\Program Files\iFinger\iFinger.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?29b813fe739e404b86b6357a5000b115
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?29b813fe739e404b86b6357a5000b115
O8 - Extra context menu item: Open with &ZipScan - C:\PROGRA~1\MYTOOL~1\ZipScan\zs_ie.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\maliphon\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.arriva.mu
O17 - HKLM\Software\..\Telephony: DomainName = corp.arriva.mu
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C7ED6FE-34A3-4BF0-91D5-993B2B2772EF}: NameServer = 202.123.2.6 202.123.2.11
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Seems that this forum is interesting

#12 mistaken

mistaken
  • Topic Starter

  • Members
  • 40 posts
  • Local time:10:09 PM

Posted 09 March 2007 - 03:40 PM

Sorry, I had to make several replies due to lack of space in a single post.

Yes, now, to reply to your question about my computer acting weird:

In fact, my PC was supposed to be in good condition (no virus etc.), but I had noticed that more and more "unknown processes" were wanting to get internet access (asking Sygate Firewall) every time.

And then also, I began getting more and more errors (like an irc error, or a buffer error, I think, etc.), "bizarre errors!".
So, I was wondering if my computer had not got infected by some viruses. (It is after some time, that is, now, that I realize that it really got infected.)

But all these previous errors are now gone, probably due to the many scans.
Seems that this forum is interesting

#13 htv8

htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:09 PM

Posted 11 March 2007 - 04:45 AM

Hello there again.

Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: SmitFraudFix
You may have a SmitFraud infection. Download SmitFraudFix by S!Ri to search for SmitFraud-related files.
Download SmitfraudFix.zip

Once downloaded, extract the content (a folder named SmitfraudFix) to your Desktop. Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #1 - Search by typing 1 and pressing Enter; a text file will appear which lists infected files (if present).
Please copy/paste the entire contents of that report into your next reply.

NOTE: Process.exe is detected by some antivirus programs (AntiVir, Dr.WEB, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Step #2: deletion of infected emails
You have received some infected emails that should be deleted from your computer. Although these emails aren't really doing any harm as long as they or the infected attachments are not opened, it is important to get rid of them to guard against accidental infection. The Kaspersky log shows you have different sets of personal folders and which Inboxes contain infected emails.

Launch Outlook and have a good look for the emails listed below and delete them.

In myrella's Inbox:
18 Jul 2005 10:45 from System Administrator:Undeliverable: Deliv/18 Jul 2005 10:44 from Edwards Oodoomansaib:Delivery Failed (.vi.rtf
10 Jun 2005 11:28 from dola_murali@in.nyklogistics.com:Delivery .rtf
15 Sep 2004 05:33 from lalitha@geodis.com.my:Status (plamy@ariva.rtf
04 Nov 2004 07:54 from ravi_aman@rediffmail.com:Mail Delivery (f.rtf
03 Nov 2004 12:30 from romesh@oeline.com:Mail Delivery (failure .rtf
06 Nov 2004 07:06 from ilsadel@vsnl.net:Mail Delivery (failure p.rtf
20 Nov 2004 08:41 from dany.appavoo@cargo.rogers.mu:Mail Deliver.rtf
20 Dec 2004 05:51 from Smith Barney:Smith Barney: Urgent Securit.rtf
19 Dec 2004 20:01 from Smith Barney:URGENT SECURITY NOTICE.rtf
29 Dec 2004 04:39 from praveen_bihani@ilsaonline.com:Mail Delive.rtf
30 Jan 2005 17:54 from Smith Barney:IMPORTANT INFORMATION: YOUR .rtf
04 Mar 2005 07:39 from ganesh.kumar@schenker.com:Mail Delivery (.rtf
15 Mar 2005 04:34 from s_kapoor_cargo@hotmail.com:Mail Delivery .rtf
06 Apr 2005 09:17 from Mail Delivery System:Mail delivery failed.eml/[From ariva@ariva.mu][Date Wed, 6 Apr 2005 13:08:12 +0400]/UNNAMED/document.exe
06 Apr 2005 09:17 from Mail Delivery System:Mail delivery failed.eml/[From ariva@ariva.mu][Date Wed, 6 Apr 2005 13:08:12 +0400]/UNNAMED
06 Apr 2005 09:17 from Mail Delivery System:Mail delivery failed.eml
14 Apr 2005 05:05 from prijasus@yahoo.co.in:Mail Delivery (failu.rtf
13 Apr 2005 10:02 from System Administrator:Undeliverable: Mail /13 Apr 2005 10:47 from Percy Lamy:Mail Delivery (failure ravinde.rtf
21 Jun 2005 09:42 from babaexports155@yahoo.co.in:Mail Delivery .rtf
15 Jun 2005 13:01 from expertmaritime.dam@albarrak.com:Mail Deli.rtf
15 Jun 2005 10:58 from airogo@eth.net:Server Error (eoodman@ariv.rtf


In your Office email Inbox:
28 Nov 2005 06:44 from ijay@ewfcpl.com:Mail Delivery (failure sm.rtf

In your Users/Personal Folders 2005/Inbox 2005:
18 Aug 2005 05:54 from linkscochin@linksin.com:Mail Delivery (fa.rtf
27 Aug 2005 12:19 from Mail Delivery System:Mail delivery failed.eml/[From maliphon@ariva.mu][Date Sat, 27 Aug 2005 16:52:37 +0430]/UNNAMED/doc01.doc.exe
27 Aug 2005 12:19 from Mail Delivery System:Mail delivery failed.eml/[From maliphon@ariva.mu][Date Sat, 27 Aug 2005 16:52:37 +0430]/UNNAMED
27 Aug 2005 12:19 from Mail Delivery System:Mail delivery failed.eml
30 Sep 2005 06:14 from monish@ilsaonline.co0:Mail Delivery (fail.rtf
27 Oct 2005 10:21 from hyyu@bigfoot.com:Mail Delivery (failure a.rtf
27 Oct 2005 02:14 from zenaida.revilla@tpc.steniel.com.ph:Mail D.rtf
26 Oct 2005 14:43 from eBay Inc:EBAY: CLIENT'S DATA VERIFICATION.html
26 Oct 2005 14:43 from eBay Inc:EBAY: CLIENT'S DATA VERIFICATION.rtf
21 Oct 2005 07:54 from ariv@zipmail.com.br:Mail Delivery (failur.rtf
20 Oct 2005 02:34 from ariv@btv.lt:Mail Delivery (failure ariva@.rtf
19 Oct 2005 05:05 from ariva001@student.ucr.edu:Mail Delivery (f.rtf
18 Oct 2005 09:33 from sumeet@spickglobal.net:Mail Delivery (fai.rtf
18 Oct 2005 04:15 from ariv@angelfire.com:Mail Delivery (failure.rtf
14 Oct 2005 01:57 from ariv14@nus.edu.sg:Mail Delivery (failure .rtf
13 Oct 2005 05:47 from midu7@hotmail.com:Mail Delivery (failure .rtf
11 Oct 2005 05:42 from rkap@rediffmail.com:Mail Delivery (failur.rtf
10 Oct 2005 04:24 from omindustries2003@yahoo.com:Mail Delivery .rtf
10 Oct 2005 03:13 from ariv@nemic.co.il:Mail Delivery (failure a.rtf
09 Oct 2005 02:55 from ariv@terra.com.br:Mail Delivery (failure .rtf
08 Oct 2005 03:06 from awu@asmortgage.com:Mail Delivery (failure.rtf
07 Oct 2005 04:57 from sunil@transcorprint.com:Mail Delivery (fa.rtf
07 Oct 2005 04:11 from ariva@adoabasteci.com.mx:Mail Delivery (f.rtf
19 Nov 2005 10:18 from Mail Delivery System:Mail delivery failed.eml/[From smatadeen@ariva.mu][Date Sat, 1 Jan 2000 05:56:18 +0530]/UNNAMED/UNNAMED/html
19 Nov 2005 10:18 from Mail Delivery System:Mail delivery failed.eml/[From smatadeen@ariva.mu][Date Sat, 1 Jan 2000 05:56:18 +0530]/UNNAMED/UNNAMED
19 Nov 2005 10:18 from Mail Delivery System:Mail delivery failed.eml/[From smatadeen@ariva.mu][Date Sat, 1 Jan 2000 05:56:18 +0530]/UNNAMED/message.scr
19 Nov 2005 10:18 from Mail Delivery System:Mail delivery failed.eml/[From smatadeen@ariva.mu][Date Sat, 1 Jan 2000 05:56:18 +0530]/UNNAMED
19 Nov 2005 10:18 from Mail Delivery System:Mail delivery failed.eml
23 Nov 2005 04:49 from hema@transways.com.my:Delivery Failure (p.rtf


Then open each of your Deleted Items folders and empty the folder to finally delete the dangerous emails.

Step #3: file/folder deletion
First enable the viewing of hidden files in Windows XP by following these steps:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and close My Computer.

Your computer is now configured to show all hidden system files and folders.

Reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

Now delete the following files (do not be concerned if they do not exist):
C:\Downloads\Christian Download\Previous\3dfallingleavesfree.exe
C:\Program Files\filesubmit\ghostofmany.zip\atoolbar400134.exe

Reboot your computer to boot back into normal mode.

Step #4: Dr.WEB CureIt!
Download Dr.WEB CureIt! to your Desktop by clicking the download link below.
Download Dr.WEB CureIt!

Once downloaded, double-click the cureit.exe file to launch the program. Please follow these instructions to run Dr.WEB CureIt!:
1. Once launched, click once on the Start link. Click the OK button on the confirmation window to allow the express scan to run.
NOTE: This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
2. Once the scan has finished, click Options > Change settings.
3. Click once on the Scan tab (if not already selected) and remove the checkmark from the checkbox labelled "Heuristic analysis".
4. Click the Apply button, followed by clicking the OK button to return back to the main window.
5. Back at the main window, mark the drives you want to scan by clicking on them. Select all drives. A red dot shows which drives have been chosen.
6. Click the green arrow at the right to start the scan. Click the button labelled "Yes to all" if it asks if you want to cure/move the file.

When the scan has finished, check whether you can click the Posted Image icon next to the files found. If so, click it, then click the icon below and select the option labelled "Move incurable" (as you can see in the image below):
Posted Image
This will move the files to the %userprofile%\DoctorWeb\quarantaine folder if they cannot be cured. (This is in case we need samples.)

Now follow these instructions to generate a report for review:
1. In the Dr.WEB CureIt! menu on top, click File and choose the option labelled "Save report list".
2. Save the report to your Desktop. The report will be called DrWeb.csv.
3. Close Dr.WEB CureIt!.
4. Reboot your computer after closing, because files that are in use may be moved/deleted during the reboot.
5. After reboot, post the contents of the log from Dr.WEB CureIt! you saved previously in your next reply.

Step #5: findfiles.bat
I have attached a file called findfiles.bat.
Please download it and save the file to your Desktop.
Attached File  findfiles.bat   81bytes   10 downloads
Now go to the Desktop and double-click findfiles.bat. Notepad will now open up with the results (some text and numbers). Copy the entire contents of that file and post them here as a reply to this post.

Step #6: findfiles2.bat
I have attached a file called findfiles2.bat.
Please download it and save the file to your Desktop.
Attached File  findfiles2.bat   68bytes   8 downloads
Now go to the Desktop and double-click findfiles2.bat. Notepad will now open up with the results (some text and numbers). Copy the entire contents of that file and post them here as a reply to this post.

Step #7: HijackThis scan
Scan with HijackThis again and post a new HijackThis log.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

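The attachment names in the Kaspersky listing above (document.exe, doc01.doc.exe, message.scr) show why Step #3 turns off "Hide file extensions for known file types": with that setting on, Explorer drops the final extension, so doc01.doc.exe is displayed as doc01.doc and looks like a Word file. The following script is an added example, not code from this thread or from any of the tools it mentions; it takes a constructed list of attachment names modelled on the report above and flags the ones that are executable, separating those whose visible name would end in a document extension. The extension sets are assumptions chosen for the example, not an exhaustive list.

```python
"""Flag attachment names that rely on hidden extensions to look like documents.

Added example (not from the BleepingComputer thread or its tools). It mimics the
Explorer setting "Hide file extensions for known file types" and reports which
attachment names would be displayed without their real, executable extension.
"""
import os
from dataclasses import dataclass

# Extensions Windows runs when double-clicked (a common subset, assumed for the example).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".hta"}
# Extensions a user expects on a harmless-looking document or picture (assumed subset).
DOCUMENT_EXTS = {".doc", ".rtf", ".pdf", ".txt", ".jpg", ".gif", ".html", ".htm", ".xls"}


@dataclass
class Verdict:
    name: str
    displayed_name: str   # what Explorer shows with extensions hidden
    executable: bool
    disguised: bool       # executable whose displayed name ends in a document extension


def explorer_display_name(name: str) -> str:
    """Drop only the last extension, as Explorer does: 'doc01.doc.exe' -> 'doc01.doc'."""
    stem, ext = os.path.splitext(name)
    return stem if ext else name


def classify_attachment(name: str) -> Verdict:
    """Decide whether a name is executable and whether hiding extensions disguises it."""
    ext = os.path.splitext(name)[1].lower()
    executable = ext in EXECUTABLE_EXTS
    shown = explorer_display_name(name)
    inner_ext = os.path.splitext(shown)[1].lower()
    disguised = executable and inner_ext in DOCUMENT_EXTS
    return Verdict(name, shown, executable, disguised)


def triage(names):
    """Return the executable attachments, disguised ones first, then by name."""
    flagged = [v for v in (classify_attachment(n) for n in names) if v.executable]
    flagged.sort(key=lambda v: (not v.disguised, v.name))
    return flagged


# Constructed sample: attachment names following the patterns in the report above.
SAMPLE_ATTACHMENTS = [
    "document.exe",
    "doc01.doc.exe",
    "message.scr",
    "Delivery Failed (.vi.rtf",
    "EBAY: CLIENT'S DATA VERIFICATION.html",
    "UNNAMED",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_ATTACHMENTS):
        tag = "DISGUISED" if v.disguised else "executable"
        print(f"{tag:10} {v.name!r} is shown as {v.displayed_name!r} with extensions hidden")
```

The check only looks at names, which is exactly what a user sees in a mail client or in Explorer; it says nothing about the file contents, so it is a triage aid for deciding what to delete unopened, not a replacement for the scans in the steps above.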

#14 mistaken

mistaken
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 11 March 2007 - 04:28 PM

Step #1: SmitFraudFix

SmitFraudFix v2.148

Scan done at 1:38:00.45, Mon 03/12/2007
Run from C:\Documents and Settings\maliphon\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\maliphon


C:\Documents and Settings\maliphon\Application Data


Start Menu


C:\DOCUME~1\maliphon\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32-huy32


Scanning wininet.dll infection


End
Seems that this forum is interesting

#15 mistaken

mistaken
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 11 March 2007 - 07:14 PM

Step #4: Dr.WEB CureIt!

Here is the Log:

Process.exe;C:\Documents and Settings\maliphon\Desktop\SmitfraudFix\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Documents and Settings\maliphon\Desktop\SmitfraudFix\SmitfraudFix;Tool.ShutDown.11;;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;

Yes! I am sorry, but I did not apply any cure as you said to me to these listed processes.
This is because you told me that "Process.exe" was not a virus.

If I should have applied the cure here by re-running another scan, please tell me. Thanks.

Edited by mistaken, 11 March 2007 - 07:16 PM.

Seems that this forum is interesting
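The Dr.WEB CureIt! report posted above is semicolon-separated, one object per line, and every hit is a "Tool." detection: the process-killing helpers shipped with SmitfraudFix and SDFix, which the helper already explained are riskware rather than malware. The script below is an added example, not part of this thread or of Dr.WEB CureIt!. It assumes the layout visible in the posted log (object name; directory; detection name; two further fields, assumed here to be action and info) and the convention that names starting with "Tool." denote riskware; the list of expected tool folders is likewise an assumption built from the folders that appear in the log. It separates malware from riskware and points out a riskware copy sitting outside the cleanup-tool folders, which is the line a reviewer would want to look at first.

```python
"""Summarize a Dr.WEB CureIt! report (DrWeb.csv) such as the one posted above.

Added example; not part of the thread or of Dr.WEB CureIt!. Assumes ';'-separated
fields (object; directory; detection; action; info) and that detection names
starting with 'Tool.' are riskware (legitimate tools that scanners flag).
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample, modelled on the report lines posted above.
SAMPLE_REPORT = """\
Process.exe;C:\\Documents and Settings\\maliphon\\Desktop\\SmitfraudFix\\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\\Documents and Settings\\maliphon\\Desktop\\SmitfraudFix\\SmitfraudFix;Tool.ShutDown.11;;
Process.exe;C:\\SDFix\\apps;Tool.Prockill;;
Process.exe;C:\\WINDOWS\\system32;Tool.Prockill;;
"""

# Folders of the cleanup tools the thread has the user run (assumed from the log).
# A copy of the same riskware tool anywhere else deserves a second look.
KNOWN_TOOL_DIRS = (
    "\\SmitfraudFix\\SmitfraudFix",
    "\\SDFix\\apps",
)


def parse_report(text):
    """Yield one dict per non-empty report line, tolerating short lines."""
    for row in csv.reader(StringIO(text), delimiter=";"):
        if not row or not row[0].strip():
            continue
        row = row + [""] * (5 - len(row))
        name, directory, detection, action, info = row[:5]
        yield {"name": name, "dir": directory, "detection": detection,
               "action": action, "info": info}


def is_riskware(detection):
    """Dr.WEB 'Tool.' names are riskware, not malware (assumed convention)."""
    return detection.startswith("Tool.")


def in_known_tool_dir(directory):
    return any(directory.lower().endswith(d.lower()) for d in KNOWN_TOOL_DIRS)


def summarize(text):
    """Return (malware_entries, riskware_entries, riskware_outside_known_tool_dirs)."""
    malware, riskware, misplaced = [], [], []
    for entry in parse_report(text):
        if is_riskware(entry["detection"]):
            riskware.append(entry)
            if not in_known_tool_dir(entry["dir"]):
                misplaced.append(entry)
        else:
            malware.append(entry)
    return malware, riskware, misplaced


def count_by_detection(text):
    """Histogram of detection names, useful for spotting repeated tools vs. one-offs."""
    counts = defaultdict(int)
    for entry in parse_report(text):
        counts[entry["detection"]] += 1
    return dict(counts)


if __name__ == "__main__":
    malware, riskware, misplaced = summarize(SAMPLE_REPORT)
    print(f"malware: {len(malware)}  riskware: {len(riskware)}")
    for e in misplaced:
        print("riskware outside a known tool folder:", e["dir"] + "\\" + e["name"])
    print(count_by_detection(SAMPLE_REPORT))
```

Run against the sample, the report contains no malware and four riskware hits; the one worth asking about is the Process.exe in C:\WINDOWS\system32, since it is not inside either tool's own folder. That is the kind of observation to hand back to the helper rather than act on alone, which matches the advice given in the thread to report the log before curing anything.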
