Smitfraud Popups


  • This topic is locked
14 replies to this topic

#1 madprof

madprof

  • Members
  • 16 posts

Posted 12 July 2007 - 04:54 PM

I cannot get rid of Smitfraud on my old laptop. Smitfraud-fix gets to registry clean-up and then gives an "error accessing the registry" message. I also tried ComboFix. I will post both logs. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:25:01 PM, on 7/12/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINNT\orclobi\MyDesktop\MyDesktopService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\PROGRA~1\COMMON~1\iiwf\iiwfm.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\iiwf\iiwfa.exe
C:\Documents and Settings\cchandon\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\cchandon\Application Data\Microsoft\ccusgv.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\cchandon\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=www-proxy.us.oracle.com:80;gopher=www-proxy.us.oracle.com:80;http=www-proxy.us.oracle.com:80;https=www-proxy.us.oracle.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oracle.com;*.oracleads.com;*.us.oracle.com;*.uk.oracle.com;*.ca.oracle.com;*.oraclecorp.com;*.oracleportal.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D6E68F4-A76D-FCCA-1A66-828DB82C8198} - C:\WINNT\system32\urwecqnj.dll (file missing)
O2 - BHO: (no name) - {2B40C92D-04BD-0D14-C33B-270790AFED9D} - C:\WINNT\system32\stc.dll (file missing)
O2 - BHO: (no name) - {35E698E4-5052-76AE-776C-0BB21A6B8AB1} - C:\WINNT\system32\zdszxxnx.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKCU\..\Run: [Annb] "C:\WINNT\DOBE~1\explorer.exe" -vt yazr
O4 - HKCU\..\Run: [iiwf] C:\PROGRA~1\COMMON~1\iiwf\iiwfm.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\cchandon\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\cchandon\Application Data\Microsoft\ccusgv.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.oracle.com
O15 - Trusted Zone: *.oracleads.com
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/res/jar/cnsload.cab
O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - https://strtc.oracle.com/imtapp/res/jar/cnsload.cab
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - http://qapache.us.oracle.com:27560/OA_HTML/oajinit.exe
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://ap6164rt.us.oracle.com:8001/OA_HTML/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINNT\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PictureTaker - Unknown owner - C:\WINNT\orclobi\PCTKRNT.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe


Here is the ComboFix report:

"cchandon" - 07/12/2007 17:13:37 - ComboFix 07-07-13 - Service Pack 4 FAT32


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\39431771.exe
C:\Program Files\Common Files\{2B1E0~1
C:\Program Files\Common Files\{2B1E0~1\system.dll
C:\Program Files\Common Files\{2B1E0~1\Update.exe
C:\Program Files\Common Files\{2B1E0~2
C:\Program Files\Common Files\{2B1E0~2\system.dll
C:\Program Files\Common Files\{2B1E0~2\Update.exe
C:\Program Files\Common Files\{2B1E0~3
C:\Program Files\Common Files\{2B1E0~3\system.dll
C:\Program Files\Common Files\{2B1E0~3\Update.exe
C:\Program Files\Common Files\{2B1E0~4
C:\Program Files\Common Files\{2B1E0~4\system.dll
C:\Program Files\Common Files\{2B1E0~4\Update.exe
C:\Program Files\Common Files\{3B1E0~1
C:\Program Files\Common Files\{3B1E0~1\Bar888.dll
C:\Program Files\Common Files\{3B1E0~1\UnInstall.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\Program Files\winpop\winpop.exe
C:\temp\tn3
C:\WINNT\dobe~1
C:\WINNT\dobe~1\explorer.exe
C:\WINNT\DOWNLO~1.\Oracle
C:\WINNT\DOWNLO~1.\Oracle\iMeeting\01c37306d7e307d0\console.exe
C:\WINNT\DOWNLO~1.\Oracle\iMeeting\01c37306d7e307d0\conuienu.dll
C:\WINNT\DOWNLO~1.\Oracle\iMeeting\01c37306d7e307d0\cubert.dll
C:\WINNT\DOWNLO~1.\Oracle\iMeeting\01c37306d7e307d0\dsdd.dll
C:\WINNT\DOWNLO~1.\Oracle\iMeeting\01c37306d7e307d0\dsdd.in_
C:\WINNT\DOWNLO~1.\Oracle\iMeeting\01c37306d7e307d0\dsengine.dll
C:\WINNT\DOWNLO~1.\Oracle\iMeeting\01c37306d7e307d0\dsgrab.dll
C:\WINNT\DOWNLO~1.\Oracle\iMeeting\01c37306d7e307d0\dshook.dll
C:\WINNT\DOWNLO~1.\Oracle\iMeeting\01c37306d7e307d0\dsload.sys
C:\WINNT\DOWNLO~1.\Oracle\iMeeting\01c37306d7e307d0\dspcube.dll
C:\WINNT\DOWNLO~1.\Oracle\iMeeting\01c37306d7e307d0\dsvideo.sys
C:\WINNT\DOWNLO~1.\Oracle\iMeeting\01c37306d7e307d0\gdihk16.dll
C:\WINNT\DOWNLO~1.\Oracle\iMeeting\01c37306d7e307d0\instctrl.dll
C:\WINNT\DOWNLO~1.\Oracle\iMeeting\01c37306d7e307d0\language.xml
C:\WINNT\DOWNLO~1.\Oracle\iMeeting\01c37306d7e307d0\setup.exe
C:\WINNT\DOWNLO~1\cnsload-3.0.1.351.dll
C:\WINNT\DOWNLO~1\cnsload-3.0.1.355.dll
C:\WINNT\DOWNLO~1\cnsload-3.0.1.356.dll
C:\WINNT\DOWNLO~1\cnsload-3.0.1.357.dll
C:\WINNT\DOWNLO~1\cnsload-3.0.3.406.dll
C:\WINNT\DOWNLO~1\cnsload.inf
C:\WINNT\DOWNLO~1\Oracle\iMeeting\01c37306d7e307d0\cnsproxy.exe
C:\WINNT\system32\glmkbixz.dll
C:\WINNT\system32\wnsapiicom.exe
C:\WINNT\system32\wnsapisv.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-06-12 to 2007-07-12 )))))))))))))))))))))))))))))))


2007-07-12 17:12 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-12 16:54 <DIR> d-------- C:\VundoFix Backups
2007-07-12 16:15 53,248 --a------ C:\WINNT\system32\Process.exe
2007-07-12 16:15 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-07-12 16:15 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-07-12 16:04 <DIR> d-------- C:\DOCUME~1\cchandon\APPLIC~1\WinTouch
2007-07-12 15:21 <DIR> d-------- C:\WINNT\ERUNT
2007-06-23 22:21 <DIR> d-------- C:\WINNT\system32\SoftwareDistribution
2007-06-23 21:04 4,310 --a------ C:\WINNT\system32\tmp.reg
2007-06-23 18:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-21 10:32 17,801 --a------ C:\WINNT\system32\drivers\AegisP.sys
2007-06-21 10:31 73,728 --a------ C:\WINNT\system32\AW32n50.dll
2007-06-21 10:31 449,888 --a------ C:\WINNT\system32\drivers\wg511nd5.sys
2007-06-21 10:31 221,184 --a------ C:\WINNT\Unin511T.exe
2007-06-21 10:31 221,184 --a------ C:\WINNT\Inst511T.exe
2007-06-21 10:31 16,194 --a------ C:\WINNT\system32\AWINDIS5.SYS


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-26 21:59:36 36,570 ----a-w C:\WINNT\nsreg.dat
2007-04-17 02:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2004-08-13 13:04:22 6,206,202 ----a-w C:\Program Files\iagent-4.5-amer.exe
2002-12-03 18:03:06 11,001 ----a-w C:\Program Files\INSTALL.LOG
2000-12-18 10:29:12 271 ---h--w C:\Program Files\desktop.ini
2000-12-18 10:29:12 21,952 ---h--w C:\Program Files\folder.htt
2005-08-02 20:46:54 187,904 --sha-r C:\WINNT\Q2hhcmxlbmUgQ2hhbmRvbmlh\asappsrv.dll
2005-08-02 20:58:38 293,888 --sha-r C:\WINNT\Q2hhcmxlbmUgQ2hhbmRvbmlh\command.exe
2005-07-29 20:24:26 472 --sha-r C:\WINNT\Q2hhcmxlbmUgQ2hhbmRvbmlh\kZ11wAU5vAo0kZ11vAlSvA51.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
01-03-02 15:02 37808 --------- C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D6E68F4-A76D-FCCA-1A66-828DB82C8198}]
C:\WINNT\system32\urwecqnj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B40C92D-04BD-0D14-C33B-270790AFED9D}]
C:\WINNT\system32\stc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35E698E4-5052-76AE-776C-0BB21A6B8AB1}]
C:\WINNT\system32\zdszxxnx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
05-05-31 01:04 853672 --a------ C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
05-11-10 13:22 184423 --a------ C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
07-01-19 23:55 2403392 -ra------ c:\winnt\googletoolbar3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 15:05 C:\WINNT\system32\mobsync.exe]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [02-07-30 14:35 ]
"ATIModeChange"="Ati2mdxx.exe" [01-09-04 13:24 C:\WINNT\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [01-11-21 12:26 C:\WINNT\system32\atiptaxx.exe]
"PCTVOICE"="pctspk.exe" [02-10-11 00:37 C:\WINNT\system32\pctspk.exe]
"Zone Labs Client"="C:\Program Files\Zone Labs\Integrity Client\iclient.exe" [04-04-21 04:40 ]
"Tweak UI"="TWEAKUI.CPL" [00-11-30 07:19 C:\WINNT\system32\TWEAKUI.CPL]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05-06-02 09:12 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [05-11-10 13:03 ]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [06-01-20 14:14 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Annb"="C:\WINNT\DOBE~1\explorer.exe" []
"iiwf"="C:\PROGRA~1\COMMON~1\iiwf\iiwfm.exe" [06-07-19 14:56 ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [07-02-16 07:35 ]
"WinTouch"="C:\Documents and Settings\cchandon\Application Data\WinTouch\WinTouch.exe" [07-07-12 16:05 ]
"SfKg6w"="C:\Documents and Settings\cchandon\Application Data\Microsoft\ccusgv.exe" [07-07-12 16:05 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll --a------ 02-02-15 13:51 24638 C:\WINNT\system32\PCANotify.dll

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-12 17:18:41
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-12 17:20:41 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-07-12 17:20

--- E O F ---


#2 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 23 July 2007 - 08:18 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:
Preparation Guide For Use Before Posting A Hijackthis Log
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 madprof

madprof
  • Topic Starter

  • Members
  • 16 posts

Posted 23 July 2007 - 06:20 PM

Still having popup problems. Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 7:20:05 PM, on 7/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINNT\orclobi\MyDesktop\MyDesktopService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\PROGRA~1\COMMON~1\iiwf\iiwfm.exe
C:\Documents and Settings\cchandon\Application Data\WinTouch\WinTouch.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Documents and Settings\cchandon\Application Data\Microsoft\ccusgv.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\cchandon\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Charlene/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=www-proxy.us.oracle.com:80;gopher=www-proxy.us.oracle.com:80;http=www-proxy.us.oracle.com:80;https=www-proxy.us.oracle.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oracle.com;*.oracleads.com;*.us.oracle.com;*.uk.oracle.com;*.ca.oracle.com;*.oraclecorp.com;*.oracleportal.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D6E68F4-A76D-FCCA-1A66-828DB82C8198} - C:\WINNT\system32\urwecqnj.dll (file missing)
O2 - BHO: (no name) - {2B40C92D-04BD-0D14-C33B-270790AFED9D} - C:\WINNT\system32\stc.dll (file missing)
O2 - BHO: (no name) - {35E698E4-5052-76AE-776C-0BB21A6B8AB1} - C:\WINNT\system32\zdszxxnx.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKCU\..\Run: [Annb] "C:\WINNT\DOBE~1\explorer.exe" -vt yazr
O4 - HKCU\..\Run: [iiwf] C:\PROGRA~1\COMMON~1\iiwf\iiwfm.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\cchandon\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\cchandon\Application Data\Microsoft\ccusgv.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.oracle.com
O15 - Trusted Zone: *.oracleads.com
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/res/jar/cnsload.cab
O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - https://strtc.oracle.com/imtapp/res/jar/cnsload.cab
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - http://qapache.us.oracle.com:27560/OA_HTML/oajinit.exe
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://ap6164rt.us.oracle.com:8001/OA_HTML/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINNT\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PictureTaker - Unknown owner - C:\WINNT\orclobi\PCTKRNT.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe

#4 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 24 July 2007 - 04:13 AM

Hi there,
Please move HijackThis to a permanent folder. Anywhere is fine, other than your Desktop or a temporary folder. If it is in one of these locations, there is a risk that you may accidentally delete the backups, which may be needed if we fix something we're not meant to.
If you use Windows XP it may be that you just double clicked on the HijackThis.exe file, but this only extracts the file to a temporary folder. If you right click on it and select Extract, you can choose a folder to place it in.

How to make a permanent folder:
Click Start | My Computer | Local Disk (C:) | Program Files.
In the menu bar at the top, go to File | New | Folder.
That will create a folder named "New Folder", which you can rename to "HijackThis". You have now created C:\Program Files\HijackThis.
Now get your HijackThis.exe file and place it in your folder.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1, and press Enter.
A text file will appear, which lists infected files (if present).

Please copy/paste the content of that report into your next reply with a new HJT log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#5 madprof

madprof
  • Topic Starter

  • Members
  • 16 posts

Posted 24 July 2007 - 07:48 AM

Here is that report:

SmitFraudFix v2.195

Scan done at 8:48:48.45, Tue 07/24/2007
Run from C:\Documents and Settings\cchandon\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINNT\orclobi\MyDesktop\MyDesktopService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\PROGRA~1\COMMON~1\iiwf\iiwfm.exe
C:\Documents and Settings\cchandon\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\cchandon\Application Data\Microsoft\ccusgv.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cmd.exe

hosts


C:\


C:\WINNT


C:\WINNT\system


C:\WINNT\Web


C:\WINNT\system32


C:\Documents and Settings\cchandon


C:\Documents and Settings\cchandon\Application Data


Start Menu


C:\DOCUME~1\cchandon\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: 3Com EtherLink PCI
DNS Server Search Order: 68.238.112.12
DNS Server Search Order: 68.238.96.12

Description: NETGEAR 108 Mbps Wireless PC Card WG511T
DNS Server Search Order: 172.16.0.1

Description: NETGEAR 108 Mbps Wireless PC Card WG511T
DNS Server Search Order: 216.37.64.2
DNS Server Search Order: 216.37.64.3

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2A5D94A2-4556-4F72-8FAF-C6FBA54A31C9}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3164BCE4-BACC-4300-B22F-CE0429ACD2A7}: DhcpNameServer=216.37.64.2 216.37.64.3
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8D19026B-472D-4758-A364-D4C0DE199DE1}: DhcpNameServer=68.238.112.12 68.238.96.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E23D25B3-E602-4D6C-9530-2AE9E98224F8}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8D19026B-472D-4758-A364-D4C0DE199DE1}: DhcpNameServer=66.80.130.23 66.80.131.5
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E23D25B3-E602-4D6C-9530-2AE9E98224F8}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2A5D94A2-4556-4F72-8FAF-C6FBA54A31C9}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3164BCE4-BACC-4300-B22F-CE0429ACD2A7}: DhcpNameServer=216.37.64.2 216.37.64.3
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8D19026B-472D-4758-A364-D4C0DE199DE1}: DhcpNameServer=68.238.112.12 68.238.96.12
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E23D25B3-E602-4D6C-9530-2AE9E98224F8}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.238.112.12 68.238.96.12
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=66.80.130.23 66.80.131.5
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.238.112.12 68.238.96.12


Scanning for wininet.dll infection


End

#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:06:33 PM

Posted 24 July 2007 - 11:42 AM

Can I have a HijackThis log too, please?
What makes you think you're infected with Smitfraud?

If you are pleased with the service I have offered, you may like to consider making a donation.


#7 madprof

madprof
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:33 PM

Posted 24 July 2007 - 09:38 PM

Sorry I am taking so long to respond. I only use this laptop when we're traveling. When I first posted a HijackThis log (weeks ago), I kept getting popups, and Spybot said it was infected with Smitfraud but could not delete it. That's why I posted. After trying many other things, I no longer get the Smitfraud message. But I still do get some popups (ads, mostly for registry cleaners) when I first go to IE after rebooting.

Here's the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:36:45 PM, on 7/24/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINNT\orclobi\MyDesktop\MyDesktopService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\PROGRA~1\COMMON~1\iiwf\iiwfm.exe
C:\Documents and Settings\cchandon\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\cchandon\Application Data\Microsoft\ccusgv.exe
C:\PROGRA~1\COMMON~1\iiwf\iiwfa.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Charlene/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=www-proxy.us.oracle.com:80;gopher=www-proxy.us.oracle.com:80;http=www-proxy.us.oracle.com:80;https=www-proxy.us.oracle.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oracle.com;*.oracleads.com;*.us.oracle.com;*.uk.oracle.com;*.ca.oracle.com;*.oraclecorp.com;*.oracleportal.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D6E68F4-A76D-FCCA-1A66-828DB82C8198} - C:\WINNT\system32\urwecqnj.dll (file missing)
O2 - BHO: (no name) - {2B40C92D-04BD-0D14-C33B-270790AFED9D} - C:\WINNT\system32\stc.dll (file missing)
O2 - BHO: (no name) - {35E698E4-5052-76AE-776C-0BB21A6B8AB1} - C:\WINNT\system32\zdszxxnx.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKCU\..\Run: [Annb] "C:\WINNT\DOBE~1\explorer.exe" -vt yazr
O4 - HKCU\..\Run: [iiwf] C:\PROGRA~1\COMMON~1\iiwf\iiwfm.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\cchandon\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\cchandon\Application Data\Microsoft\ccusgv.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.oracle.com
O15 - Trusted Zone: *.oracleads.com
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/res/jar/cnsload.cab
O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - https://strtc.oracle.com/imtapp/res/jar/cnsload.cab
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - http://qapache.us.oracle.com:27560/OA_HTML/oajinit.exe
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://ap6164rt.us.oracle.com:8001/OA_HTML/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINNT\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PictureTaker - Unknown owner - C:\WINNT\orclobi\PCTKRNT.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe

#8 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:06:33 PM

Posted 25 July 2007 - 03:33 AM

Hello there, don't worry about taking a while to respond.
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

I see you have Viewpoint installed:
Viewpoint Manager is considered to be foistware rather than malware, since it is installed without your approval but doesn't actually spy or do anything "bad". This will soon change, according to this article, which you may want to read: http://www.clickz.com/news/article.php/3561546
I recommend that you remove the Viewpoint products. If you do decide to get rid of it, please remove all references to Viewpoint from Add/Remove Programs.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Charlene/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {1D6E68F4-A76D-FCCA-1A66-828DB82C8198} - C:\WINNT\system32\urwecqnj.dll (file missing)
O2 - BHO: (no name) - {2B40C92D-04BD-0D14-C33B-270790AFED9D} - C:\WINNT\system32\stc.dll (file missing)
O2 - BHO: (no name) - {35E698E4-5052-76AE-776C-0BB21A6B8AB1} - C:\WINNT\system32\zdszxxnx.dll (file missing)
O4 - HKCU\..\Run: [Annb] "C:\WINNT\DOBE~1\explorer.exe" -vt yazr
O4 - HKCU\..\Run: [iiwf] C:\PROGRA~1\COMMON~1\iiwf\iiwfm.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\cchandon\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\cchandon\Application Data\Microsoft\ccusgv.exe


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following folders (if present):

C:\Program Files\Common Files\iiwf
C:\Documents and Settings\cchandon\Application Data\WinTouch

And also the following file:

C:\Documents and Settings\cchandon\Application Data\Microsoft\ccusgv.exe

Reboot into Normal Mode again.

Since you ran Combofix before, please scan with it once more and post its report in your next reply along with a brand new HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
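The entries rookie147 singled out above fall into a few recognisable patterns: BHOs whose DLL is already gone, HKCU Run values launching from the user's Application Data, a file named explorer.exe living outside the real system folder, and an IE page setting pointing at C:\windows on a machine whose system root is C:\WINNT. The script below is an added example (not a HijackThis, SmitfraudFix or BleepingComputer tool) that applies those patterns as heuristics over a sample constructed from the 24 July log in this thread; the rule set and thresholds are my own assumptions, not anything the helper stated.

```python
"""Triage of HijackThis R0/O2/O4 entries, the categories fixed in this thread.
Added example; every rule is a heuristic, so a hit means "look closer", not "malware"."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the 24 July 2007 log in this thread,
# trimmed to the entries the rules below care about.
SAMPLE_LOG = r"""Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Charlene/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {1D6E68F4-A76D-FCCA-1A66-828DB82C8198} - C:\WINNT\system32\urwecqnj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [Annb] "C:\WINNT\DOBE~1\explorer.exe" -vt yazr
O4 - HKCU\..\Run: [iiwf] C:\PROGRA~1\COMMON~1\iiwf\iiwfm.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\cchandon\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\cchandon\Application Data\Microsoft\ccusgv.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
R0_RE = re.compile(r"^R0 - (?P<key>.*?),(?P<setting>Start Page|Local Page) = (?P<value>.*)$")
# System binaries adware impersonated by dropping a same-named file elsewhere ([Annb] above).
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "winlogon.exe", "services.exe", "lsass.exe"}


@dataclass
class Finding:
    line: str
    reason: str


def system_root(lines):
    """Derive the real system root (C:\\WINNT on this machine) from the smss.exe path."""
    suffix = r"\system32\smss.exe"
    for line in lines:
        if line.lower().endswith(suffix):
            return line[: -len(suffix)]
    return None


def program_path(value):
    """Strip quotes and arguments from an O4 value, leaving only the executable path."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|cpl|dll|scr))(?:\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value


def triage(log_text):
    """Run the rules over every R0/O2/O4 line; return the entries worth a closer look."""
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    root = (system_root(lines) or "").lower()
    expected_dirs = {root, root + "\\system32"}  # where a genuine system binary lives
    findings = []
    for line in lines:
        if m := R0_RE.match(line):
            value = m["value"].lower()
            if value.startswith("file:"):
                findings.append(Finding(line, "start page is a local file; confirm it is yours"))
            elif re.match(r"[a-z]:\\", value) and root and not value.startswith(root + "\\"):
                findings.append(Finding(line, f"page path lies outside the system root {root}"))
        elif m := O2_RE.match(line):
            if m["path"].endswith("(file missing)"):
                findings.append(Finding(line, "BHO registered but its DLL is gone (orphaned entry)"))
        elif m := O4_RE.match(line):
            path = program_path(m["value"])
            base, folder = ntpath.basename(path).lower(), ntpath.dirname(path).lower()
            if base in SYSTEM_BINARIES and folder not in expected_dirs:
                findings.append(Finding(line, f"{base} launched from {folder}, not a system folder"))
            if m["hive"] == "HKCU" and "\\application data\\" in path.lower():
                findings.append(Finding(line, "per-user Run entry launching from the user profile"))
    return findings


def flagged_lines(log_text):
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Note that the [iiwf] entry under Common Files passes every rule here even though the helper removed it: short random names in otherwise legitimate directories still need an analyst's judgment, which is why these heuristics narrow a log rather than clear it.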


#9 madprof

madprof
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:33 PM

Posted 29 July 2007 - 08:01 PM

Sorry it took so very long to follow up on this. I had to get back home to be sure I got this done right. I completed each of the steps you outlined. Here is the latest Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 6:06:50 PM, on 7/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINNT\orclobi\MyDesktop\MyDesktopService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=www-proxy.us.oracle.com:80;gopher=www-proxy.us.oracle.com:80;http=www-proxy.us.oracle.com:80;https=www-proxy.us.oracle.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oracle.com;*.oracleads.com;*.us.oracle.com;*.uk.oracle.com;*.ca.oracle.com;*.oraclecorp.com;*.oracleportal.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.oracle.com
O15 - Trusted Zone: *.oracleads.com
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/res/jar/cnsload.cab
O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - https://strtc.oracle.com/imtapp/res/jar/cnsload.cab
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - http://qapache.us.oracle.com:27560/OA_HTML/oajinit.exe
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://ap6164rt.us.oracle.com:8001/OA_HTML/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINNT\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PictureTaker - Unknown owner - C:\WINNT\orclobi\PCTKRNT.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe

Here is the log from ComboFix:

"cchandon" - 07/29/2007 18:07:56 - ComboFix 07-07-13 - Service Pack 4 FAT32


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\DOWNLO~1\UWA7P_0001_N91M0809NetInstaller.exe


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-29 )))))))))))))))))))))))))))))))


2007-07-29 18:02 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_368.dat
2007-07-26 09:28 <DIR> d-------- C:\WINNT\.jagex_cache_32
2007-07-24 08:47 <DIR> d-------- C:\Program Files\Hijack This
2007-07-15 11:32 <DIR> d-------- C:\WINNT\system32\appmgmt
2007-07-12 17:12 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-12 16:54 <DIR> d-------- C:\VundoFix Backups
2007-07-12 16:15 53,248 --a------ C:\WINNT\system32\Process.exe
2007-07-12 16:15 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-07-12 16:15 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-07-12 15:21 <DIR> d-------- C:\WINNT\ERUNT
2007-06-23 22:21 <DIR> d-------- C:\WINNT\system32\SoftwareDistribution
2007-06-23 21:04 2,214 --a------ C:\WINNT\system32\tmp.reg
2007-06-23 18:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-21 10:32 17,801 --a------ C:\WINNT\system32\drivers\AegisP.sys
2007-06-21 10:31 73,728 --a------ C:\WINNT\system32\AW32n50.dll
2007-06-21 10:31 449,888 --a------ C:\WINNT\system32\drivers\wg511nd5.sys
2007-06-21 10:31 221,184 --a------ C:\WINNT\Unin511T.exe
2007-06-21 10:31 221,184 --a------ C:\WINNT\Inst511T.exe
2007-06-21 10:31 16,194 --a------ C:\WINNT\system32\AWINDIS5.SYS


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-26 13:25:40 36,570 ----a-w C:\WINNT\nsreg.dat
2004-08-13 13:04:22 6,206,202 ----a-w C:\Program Files\iagent-4.5-amer.exe
2002-12-03 18:03:06 11,001 ----a-w C:\Program Files\INSTALL.LOG
2000-12-18 10:29:12 271 ---h--w C:\Program Files\desktop.ini
2000-12-18 10:29:12 21,952 ---h--w C:\Program Files\folder.htt
2005-08-02 20:46:54 187,904 --sha-r C:\WINNT\Q2hhcmxlbmUgQ2hhbmRvbmlh\asappsrv.dll
2005-08-02 20:58:38 293,888 --sha-r C:\WINNT\Q2hhcmxlbmUgQ2hhbmRvbmlh\command.exe
2005-07-29 20:24:26 472 --sha-r C:\WINNT\Q2hhcmxlbmUgQ2hhbmRvbmlh\kZ11wAU5vAo0kZ11vAlSvA51.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
03/02/01 03:02p 37808 --------- C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
05/31/05 01:04a 853672 --a------ C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
11/10/05 01:22p 184423 --a------ C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
07/15/07 07:05p 2403392 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 03:05p C:\WINNT\system32\mobsync.exe]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [07/30/02 02:35p]
"ATIModeChange"="Ati2mdxx.exe" [09/04/01 01:24p C:\WINNT\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [11/21/01 12:26p C:\WINNT\system32\atiptaxx.exe]
"PCTVOICE"="pctspk.exe" [10/11/02 12:37a C:\WINNT\system32\pctspk.exe]
"Zone Labs Client"="C:\Program Files\Zone Labs\Integrity Client\iclient.exe" [04/21/04 04:40a]
"Tweak UI"="TWEAKUI.CPL" [11/30/00 07:19a C:\WINNT\system32\TWEAKUI.CPL]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/02/05 09:12a]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [11/10/05 01:03p]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [01/20/06 02:14p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [07/15/07 07:05p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-29 18:09:25
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 07/29/2007 18:09:58
C:\ComboFix-quarantined-files.txt ... 07/29/07 06:09p
C:\ComboFix2.txt ... 07/12/07 05:20p

--- E O F ---

How does it look?

#10 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:06:33 PM

Posted 30 July 2007 - 02:13 PM

Hi there, things are looking pretty good to me.
You're using an outdated version of Java (the latest one is Java Runtime Environment (JRE) 6u2), and these can be exploited by malware, so you need to update it as soon as possible. Please update and remove the older versions from your computer. Do the following:
Go to Start | Control Panel | Add/Remove Programs
Search in the list for all previously installed versions of Java (J2SE Runtime Environment ...)
Select it and click Remove.
Then download and install the newest version from here:
Java Runtime Environment (JRE) 6u2

Delete the following folder, booting into Safe Mode if necessary:

C:\WINNT\Q2hhcmxlbmUgQ2hhbmRvbmlh

Then let me know how things seem to be running for you at the moment.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#11 madprof

madprof
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:33 PM

Posted 30 July 2007 - 09:45 PM

So far, so good. I followed all your instructions, and it's still up and running! I'll try to do a whole day logged on to see if there are any more popup problems, but I do hope they are now over. Thanks so much.

#12 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:06:33 PM

Posted 31 July 2007 - 03:17 AM

That's a good idea; let me know in a while how it is running.

If you are pleased with the service I have offered, you may like to consider making a donation.


#13 madprof

madprof
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:33 PM

Posted 02 August 2007 - 02:30 PM

The laptop is working fine. No more popups!!! Thank you so much for your help.

#14 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:06:33 PM

Posted 02 August 2007 - 03:13 PM

That's great to hear! Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected again:

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programs:
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place.
Thanks and happy computing,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#15 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:06:33 PM

Posted 15 August 2007 - 03:04 AM

Since this issue appears to be resolved, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.

If you are pleased with the service I have offered, you may like to consider making a donation.