Jerry Posted March 31, 2008 ID:15414 Share Posted March 31, 2008 I have some nasty spyware/viruses/malware on my system that I can't seem to get rid of. Here's my HijackThis log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:54:45 PM, on 3/30/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16608)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\LEXPPS.EXEC:\Documents and Settings\All Users\Application Data\wnulcbsb\ixevorcv.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\WINDOWS\system32\PackethSvc.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\wanmpsvc.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\Trend Micro\HijackThis2\HijackThis.exeO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: qvdntlmw - {398DC223-F4F8-4EE9-9025-0BF67AB47276} - C:\WINDOWS\qvdntlmw.dllO4 - HKLM\..\Run: [spyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - HKLM\..\Policies\Explorer\Run: [Q1fHUBETVM] C:\Documents and Settings\All Users\Application Data\wnulcbsb\ixevorcv.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exeO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO20 - AppInit_DLLs: cru629.datO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO20 - Winlogon Notify: pmnljhg - pmnljhg.dll (file missing)O21 - SSODL: zip - {dd5a09c8-f81e-4423-8698-df02d3857e0a} - C:\WINDOWS\Installer\{dd5a09c8-f81e-4423-8698-df02d3857e0a}\zip.dll (file missing)O21 - SSODL: KbdSrv - {b7c90f04-388d-40f8-a2db-75da8bf0285e} - C:\WINDOWS\Installer\{b7c90f04-388d-40f8-a2db-75da8bf0285e}\KbdSrv.dllO21 - SSODL: KernelBoot - {d66eb7f0-3c60-4cf0-87bb-3137a6bdaf61} - C:\WINDOWS\Installer\{d66eb7f0-3c60-4cf0-87bb-3137a6bdaf61}\KernelBoot.dllO21 - SSODL: dwnrpofk - {39F29588-73A7-44D8-9DA4-CFB624021408} - (no file)O21 - SSODL: vbgtorfd - {E5BD9EBD-93FE-4B92-A904-6A2D82CA1904} - C:\WINDOWS\vbgtorfd.dllO21 - SSODL: WinDrv - {3e0a4e5b-e20a-4d5c-bf8b-fe666b7a4613} - C:\WINDOWS\Installer\{3e0a4e5b-e20a-4d5c-bf8b-fe666b7a4613}\WinDrv.dllO23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)O23 - Service: Intel NCS NetService (NetSvc) - Intel Link to post Share on other sites More sharing options...
JeanInMontana Posted March 31, 2008 ID:15435 Share Posted March 31, 2008 Hi Jerry and welcome to Malwarebytes. The HJT log has a formatting that is just too hard to read with broken lines. Make sure word wrap is off in your notepad when you post your next log please.Please set your system to show all files; Click Start.Open My Computer.Select the Tools menu and click Folder Options.Select the View Tab.Under the Hidden files and folders heading select Show hidden files and folders.Uncheck the Hide protected operating system files (recommended) option.Click Yes to confirm.Click OK.Also please turn off TeaTimer in SBS&DOpen SB S&DClick on the Tools section and then Resident.You will see two items.1. Resident "SD helper" (Internet Explorer bad download blocker.) active2. Resident "Tea Timer" (Protection of over-all system settings.) active.Uncheck 2. Leave 1 checked always.You can enable Tea Timer again if you wish once all special fixes have been done.Please run a full scan of your main drive, usually C with MBAM making sure you check all items found for removal. Please post that log in your next reply.Then go here and run a scan PandaActive Scan There is a full tutorial on how to to this at the top of this forum.Post the logs from the Panda and AVG scans please, along with a log from this program HiJack This! You will post three logs. 1. AVG scan. 2. Panda Active Scan. 3. HiJack This scan. You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth.I will analyze the logs and give you further instructions. Be sure to set your email to allow mail from Malwarebytes.org and your personal settings to send an email on reply to your topic. This will let you know when there has been an update to your topic and you can come and see what has been said. Be patient and persistent. These things can take time and many procedures. Link to post Share on other sites More sharing options...
Jerry Posted April 4, 2008 Author ID:15599 Share Posted April 4, 2008 Okay, it seemed to do the trick! Thanks!!!!!Here's the log:Malwarebytes' Anti-Malware 1.10Database version: 587Scan type: Full Scan (C:\|)Objects scanned: 101335Time elapsed: 33 minute(s), 12 second(s)Memory Processes Infected: 3Memory Modules Infected: 5Registry Keys Infected: 52Registry Values Infected: 9Registry Data Items Infected: 0Folders Infected: 7Files Infected: 56Memory Processes Infected:c:\documents and settings\all users\application data\wnulcbsb\ixevorcv.exe (Spyware.Agent) -> Unloaded process successfully.C:\WINDOWS\SYSTEM32\wlstoxmh.exe (Trojan.FakeAlert) -> Unloaded process successfully.C:\WINDOWS\SYSTEM32\wlstoxmh.exe (Trojan.FakeAlert) -> Unloaded process successfully.Memory Modules Infected:C:\WINDOWS\Installer\{b7c90f04-388d-40f8-a2db-75da8bf0285e}\KbdSrv.dll (Trojan.Alphabet) -> Unloaded module successfully.C:\WINDOWS\Installer\{d66eb7f0-3c60-4cf0-87bb-3137a6bdaf61}\KernelBoot.dll (Trojan.Alphabet) -> Unloaded module successfully.C:\WINDOWS\Installer\{3e0a4e5b-e20a-4d5c-bf8b-fe666b7a4613}\WinDrv.dll (Trojan.Alphabet) -> Unloaded module successfully.C:\WINDOWS\qvdntlmw.dll (Trojan.FakeAlert) -> Unloaded module successfully.C:\WINDOWS\vbgtorfd.dll (Trojan.FakeAlert) -> Unloaded module successfully.Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{b7c90f04-388d-40f8-a2db-75da8bf0285e} (Trojan.Alphabet) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{d66eb7f0-3c60-4cf0-87bb-3137a6bdaf61} (Trojan.Alphabet) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{3e0a4e5b-e20a-4d5c-bf8b-fe666b7a4613} (Trojan.Alphabet) -> Delete on reboot.HKEY_CLASSES_ROOT\Interface\{fc6e3735-57b3-48b8-9002-54c155215632} (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Typelib\{4a9967ab-4c5c-4325-b8c9-4f2be9142c81} (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Interface\{656c55cf-eb46-491c-aebe-892c716e61e8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Typelib\{451cda78-04f5-4120-9d9e-f7f7a2113bf9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Interface\{4f9ac754-5629-414c-85fc-75e528a395ca} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Interface\{b0b1334b-8efd-4a7a-a2e6-368cab26846c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Typelib\{6885cc6d-190c-444a-a9ff-d107e6816409} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\qvdntlmw.bdfn (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{398dc223-f4f8-4ee9-9025-0bf67ab47276} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\qvdntlmw.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{e8d4ea80-00d9-43be-a614-c0d5c3893b11} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{f757152c-fa01-4916-a3df-620d9ecee65b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Interface\{d32667aa-2db2-45ab-a801-6bb9cbb1b81a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Interface\{f38f89cf-b319-4cb5-81d7-4420ec5b3d1f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Typelib\{b576fc38-a12b-4dfb-8b92-e4ba8b1d7014} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\egmulhxk.msdn_hlp (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{5c7f15e1-f31a-44fd-aa1a-2ec63aaffd3a} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Delete on reboot.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Delete on reboot.HKEY_CLASSES_ROOT\jokwmp.blkd (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\jokwmp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Software\Classes\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Software\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Software\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Software\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Spruce (Adware.Spruce) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Classes\egmulhxk.msdn_hlp (Malware.Trace) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Spruce (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spruce (Malware.Trace) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{47081497-8ca5-4311-9c7c-fcf3737e11ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{5d3b58e9-0daf-444a-912c-17b72d54ae6d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{51c814f7-e1b7-4cd5-8538-039e7e658e7a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{8db069e2-4e3e-4624-a58e-ca74c03c49a7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{e5bd9ebd-93fe-4b92-a904-6a2d82ca1904} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qvdntlmw.bdfn (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qvdntlmw.ToolBar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Q1fHUBETVM (Spyware.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\KbdSrv (Trojan.Alphabet) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\KernelBoot (Trojan.Alphabet) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WinDrv (Trojan.Alphabet) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{398dc223-f4f8-4ee9-9025-0bf67ab47276} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zip (Trojan.Clicker) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vbgtorfd (Trojan.FakeAlert) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dwnrpofk (Trojan.FakeAlert) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:C:\WINDOWS\Installer\{dd5a09c8-f81e-4423-8698-df02d3857e0a} (Trojan.Alphabet) -> Quarantined and deleted successfully.C:\WINDOWS\Installer\{b7c90f04-388d-40f8-a2db-75da8bf0285e} (Trojan.Alphabet) -> Delete on reboot.C:\WINDOWS\Installer\{d66eb7f0-3c60-4cf0-87bb-3137a6bdaf61} (Trojan.Alphabet) -> Delete on reboot.C:\WINDOWS\Installer\{3e0a4e5b-e20a-4d5c-bf8b-fe666b7a4613} (Trojan.Alphabet) -> Delete on reboot.C:\WINDOWS\system32smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.C:\Documents and Settings\Jerry\Desktopvirii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.Files Infected:c:\documents and settings\all users\application data\wnulcbsb\ixevorcv.exe (Spyware.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\Installer\{b7c90f04-388d-40f8-a2db-75da8bf0285e}\KbdSrv.dll (Trojan.Alphabet) -> Delete on reboot.C:\WINDOWS\Installer\{d66eb7f0-3c60-4cf0-87bb-3137a6bdaf61}\KernelBoot.dll (Trojan.Alphabet) -> Delete on reboot.C:\WINDOWS\Installer\{3e0a4e5b-e20a-4d5c-bf8b-fe666b7a4613}\WinDrv.dll (Trojan.Alphabet) -> Delete on reboot.C:\WINDOWS\qvdntlmw.dll (Trojan.FakeAlert) -> Delete on reboot.C:\Documents and Settings\Jerry\Local Settings\Temporary Internet Files\Content.IE5\H4M1JYYS\ieupdater[1].exe (Trojan.DownLoader) -> Quarantined and deleted successfully.C:\Documents and Settings\Jerry\Local Settings\Temporary Internet Files\Content.IE5\H4M1JYYS\install[1] (Trojan.Downloader) -> Quarantined and deleted successfully.C:\QooBox\Quarantine\C\Program Files\Online Services\webyc89104.dll.vir (Adware.TTC) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002934.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002936.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002949.dll (Adware.TTC) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002950.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0003015.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005070.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005071.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005259.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005260.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005261.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005262.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005263.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005268.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005269.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005548.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005626.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005700.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005745.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005872.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005873.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\hinijazq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\hylwxcje.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\users32.dat (Adware.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\vyzcrcdo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\wjolozkf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\wlstoxmh.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\rls3\vlt33p02.exe (Adware.RABCO) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\sn7\xopz89104.exe (Adware.TTC) -> Quarantined and deleted successfully.C:\WINDOWS\Web\def.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\system32smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.C:\Documents and Settings\Jerry\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.C:\Documents and Settings\Jerry\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.C:\Documents and Settings\Jerry\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.C:\Documents and Settings\Jerry\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.C:\Documents and Settings\Jerry\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.C:\WINDOWS\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\univrs32.dat (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\WINDOWS\dwnrpofk.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\kdftlboeakn.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\norlatmx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\vbgtorfd.dll (Trojan.FakeAlert) -> Delete on reboot. Link to post Share on other sites More sharing options...
JeanInMontana Posted April 4, 2008 ID:15605 Share Posted April 4, 2008 Please follow all of the instructions you were given. Your system is badly infected from the MBAM log, we need to look at a Panda scan and another HJT log. Link to post Share on other sites More sharing options...
Jerry Posted April 7, 2008 Author ID:15747 Share Posted April 7, 2008 Okay, here's the new HJT log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:00:13 PM, on 4/5/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16608)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\PackethSvc.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\wanmpsvc.exeC:\Program Files\Spybot - Search & Destroy\SpybotSD.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\internet explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis2\HijackThis.exeO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO4 - HKLM\..\Run: [spyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exeO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO20 - AppInit_DLLs: cru629.datO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO20 - Winlogon Notify: pmnljhg - pmnljhg.dll (file missing)O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exeO23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exeO23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exeO24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm--End of file - 4247 bytesMBAM log:Malwarebytes' Anti-Malware 1.10Database version: 594Scan type: Full Scan (C:\|)Objects scanned: 104144Time elapsed: 37 minute(s), 26 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0006235.dll (Trojan.Zlob) -> Quarantined and deleted successfully.Panda scan:;***********************************************************************************************************************************************************************************ANALYSIS: 2008-04-06 21:38:37PROTECTIONS: 0MALWARE: 47SUSPECTS: 0;***********************************************************************************************************************************************************************************PROTECTIONSDescription Version Active Updated;===================================================================================================================================================================================;===================================================================================================================================================================================MALWAREId Description Type Active Severity Disinfectable Disinfected Location;===================================================================================================================================================================================00039204 adware/cws Adware No 0 Yes No c:\documents and settings\jerry\favorites\health00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@trafficmp[2].txt00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc56.txt00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[.doubleclick.net/]00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc37.txt00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[.atdmt.com/]00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc32.txt00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005271.exe00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Jerry\Desktop\SmitfraudFix\Process.exe00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@247realmedia[1].txt00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc39.txt00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@tribalfusion[1].txt00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc57.txt00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc41.txt00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Application Data\Mozilla\Firefox\Profiles\blotsrmd.default\cookies.txt[.com.com/]00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@com[1].txt00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc61.txt00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@yadro[1].txt00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc18.txt00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@ad.yieldmanager[2].txt00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc29.txt00168069 Cookie/Bilbo.counted TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@bilbo.counted[1].txt00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc54.txt00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc35.txt00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[.advertising.com/]00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[.advertising.com/]00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[.advertising.com/]00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[.advertising.com/]00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc25.txt00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@ads.pointroll[1].txt00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[ads.pointroll.com/]00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[ads.pointroll.com/]00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[ads.pointroll.com/]00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@overture[2].txt00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@realmedia[1].txt00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@questionmarket[2].txt00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc50.txt00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc34.txt00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[.go.com/]00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc53.txt00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[.atwola.com/]00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@atwola[1].txt00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc33.txt00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[ehg-dig.hitbox.com/]00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[ehg-dig.hitbox.com/]00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc22.txt00502546 Application/MyWay HackTools No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005057.dll00517584 Application/SuperFast HackTools No 0 Yes No C:\Documents and Settings\Jerry\Desktop\SmitfraudFix\restart.exe01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002964.EXE02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005270.exe02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Jerry\Desktop\SmitfraudFix\Reboot.exe02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002959.sys02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc24.txt02887531 Cookie/UltimateCleaner TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc59.txt02887531 Cookie/UltimateCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@ucleaner[2].txt02887532 Cookie/XPAntivirusPro TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@www.safenavweb[1].txt02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005593.sys02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005827.sys02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005828.SYS02907634 Adware/PurityScan Adware No 0 Yes No C:\QooBox\Quarantine\C\Documents and Settings\Jerry\Application Data\ASKS~1\сhkntfs.exe.vir02907934 Trj/Downloader.TAV Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0006240.dll02907934 Trj/Downloader.TAV Virus/Trojan No 0 Yes No C:\Documents and Settings\Jerry\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.7031502907934 Trj/Downloader.TAV Virus/Trojan No 0 Yes No C:\Documents and Settings\Jerry\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.2869502907934 Trj/Downloader.TAV Virus/Trojan No 0 Yes No C:\Documents and Settings\Jerry\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.9966802907934 Trj/Downloader.TAV Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0006239.dll02907934 Trj/Downloader.TAV Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0006241.dll02908018 Cookie/WinReanimator TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@winreanimator[2].txt02908062 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002942.dll02908062 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\quivivfe.dll.vir02908063 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hyxfnpkc.dll.vir02908063 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002939.dll02908066 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002938.dll02908066 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002944.dll02908066 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hktvmhgm.dll.vir02908066 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sqleskec.dll.vir02908213 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002940.dll02908213 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002937.dll02908213 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dbvxlgna.dll.vir02908213 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lfrmqwnk.dll.vir02908215 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002941.dll02908215 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qdikpbgm.dll.vir02908461 Trj/Downloader.TCC Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005266.dll02908461 Trj/Downloader.TCC Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005265.dll02908461 Trj/Downloader.TCC Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005249.dll02908461 Trj/Downloader.TCC Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005267.dll02908461 Trj/Downloader.TCC Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005264.dll02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005618.exe02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005635.exe02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005636.exe02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005658.exe02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005659.exe02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005724.exe02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005725.exe02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005733.exe02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005734.exe02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005608.exe02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005592.exe02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005619.exe02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005607.exe02909975 Cookie/CookingLuck TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@cookingluck[2].txt;===================================================================================================================================================================================SUSPECTSSent Location ;===================================================================================================================================================================================;===================================================================================================================================================================================VULNERABILITIESId Severity Description ;===================================================================================================================================================================================;=================================================================================================================================================================================== Link to post Share on other sites More sharing options...
JeanInMontana Posted April 7, 2008 ID:15768 Share Posted April 7, 2008 Hi Jerry. Few things here that are not good. 1. Never run tools like SmitFraud with out being asked and unless you know how they work and what to do with the results. Please post the log from that tool also . You will find it C:/ rapport.txt.2. The purpose of the HJT log is to see if items were removed after the scans. We want it posted last always. When did you run HJT?3. Panda and HJT show a root kit. This means your system has been totally compromised and any sensitive data is at risk or already in the hands of criminals. Bank, credit card info and any other. The only sure way to rid a system of a root kit is to reformat. Usually they can be removed but, there is always that chance it remains. Having said that you must decide your course of action. Reformat, or try to rid the system of the root kit. Link to post Share on other sites More sharing options...
Jerry Posted April 8, 2008 Author ID:15806 Share Posted April 8, 2008 rapport.txt:SmitFraudFix v2.256Scan done at 22:17:35.06, Fri 03/28/2008Run from C:\Documents and Settings\Jerry\Desktop\SmitfraudFixOS: Microsoft Windows XP [Version 5.1.2600] - Windows_NTThe filesystem type is NTFSFix run in safe mode Link to post Share on other sites More sharing options...
JeanInMontana Posted April 8, 2008 ID:15839 Share Posted April 8, 2008 (edited) OK Jerry I will give it my best shot to do that for you. If you have sensitive data be sure you notify the proper entities. Delete the SmitFraud tool and all files associated please. You have a rogue malware program on your system. Please download RogueRemover update it and run a scan for both options, and immunize. Run HJT again in scan only and put a check next to these items and click fix:O4 - HKLM\..\Run: [spyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exeO20 - AppInit_DLLs: cru629.datO20 - Winlogon Notify: pmnljhg - pmnljhg.dll (file missing)Now please get this tool:1. Download this file :http://download.bleepingcomputer.com/sUBs/ComboFix.exe2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.Post that log and a HiJack log in your next replyNote:Do not mouseclick combofix's window while its running. That may cause it to stall. Edited April 8, 2008 by JeanInMontana add instructions Link to post Share on other sites More sharing options...
Jerry Posted April 9, 2008 Author ID:15878 Share Posted April 9, 2008 Okay, SmitfraudFix is deleted. RogueRemover only had one scan option and it found nothing. Here's the ComboFix log:ComboFix 08-04-08.7 - Jerry 2008-04-08 21:59:26.4 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.75 [GMT -4:00]Running from: C:\Documents and Settings\Jerry\Desktop\ComboFix.exe * Created a new restore point.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).C:\Documents and Settings\Jerry\Desktopblackbird.jpgC:\Documents and Settings\Jerry\DesktopEditorFKWP1.5.exeC:\Documents and Settings\Jerry\DesktopEditorFKWP2.0.exeC:\Documents and Settings\Jerry\Desktopfilemanagerclient.exeC:\Documents and Settings\Jerry\Desktopfkwp1.5.exeC:\Documents and Settings\Jerry\Desktopfkwp2.0.exeC:\Documents and Settings\Jerry\Desktopfwebd.exeC:\Documents and Settings\Jerry\DesktopFWebdEditor.exeC:\Documents and Settings\Jerry\DesktopTrojan.Win32.BlackBird.exeC:\WINDOWS\a.batC:\WINDOWS\base64.tmpC:\WINDOWS\FVProtect.exeC:\WINDOWS\system32akttzn.exeC:\WINDOWS\system32anticipator.dllC:\WINDOWS\system32awtoolb.dllC:\WINDOWS\system32bdn.comC:\WINDOWS\system32bsva-egihsg52.exeC:\WINDOWS\system32dpcproxy.exeC:\WINDOWS\system32emesx.dllC:\WINDOWS\system32h@tkeysh@@k.dllC:\WINDOWS\system32hoproxy.dllC:\WINDOWS\system32hxiwlgpm.datC:\WINDOWS\system32hxiwlgpm.exeC:\WINDOWS\system32medup012.dllC:\WINDOWS\system32medup020.dllC:\WINDOWS\system32msgp.exeC:\WINDOWS\system32msnbho.dllC:\WINDOWS\system32mssecu.exeC:\WINDOWS\system32msvchost.exeC:\WINDOWS\system32mtr2.exeC:\WINDOWS\system32mwin32.exeC:\WINDOWS\system32netode.exeC:\WINDOWS\system32newsd32.exeC:\WINDOWS\system32ps1.exeC:\WINDOWS\system32psof1.exeC:\WINDOWS\system32psoft1.exeC:\WINDOWS\system32regc64.dllC:\WINDOWS\system32regm64.dllC:\WINDOWS\system32Rundl1.exeC:\WINDOWS\system32sncntr.exeC:\WINDOWS\system32ssurf022.dllC:\WINDOWS\system32ssvchost.comC:\WINDOWS\system32ssvchost.exeC:\WINDOWS\system32sysreq.exeC:\WINDOWS\system32taack.datC:\WINDOWS\system32taack.exeC:\WINDOWS\system32temp#01.exeC:\WINDOWS\system32thun.dllC:\WINDOWS\system32thun32.dllC:\WINDOWS\system32VBIEWER.OCXC:\WINDOWS\system32vbsys2.dllC:\WINDOWS\system32vcatchpi.dllC:\WINDOWS\system32winlogonpc.exeC:\WINDOWS\system32winsystem.exeC:\WINDOWS\system32WINWGPX.EXEC:\WINDOWS\userconfig9x.dllC:\WINDOWS\winsystem.exeC:\WINDOWS\zip1.tmpC:\WINDOWS\zip2.tmpC:\WINDOWS\zip3.tmpC:\WINDOWS\zipped.tmp.((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 ))))))))))))))))))))))))))))))).2008-04-08 21:47 . 2008-04-08 21:47 <DIR> d-------- C:\Program Files\RogueRemover FREE2008-04-08 21:25 . 2008-04-08 21:25 <DIR> d-------- C:\WINDOWS\LastGood2008-04-05 22:51 . 2008-04-05 22:52 <DIR> d-------- C:\Program Files\Panda Security2008-04-03 16:44 . 2008-04-05 22:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware2008-04-03 16:44 . 2008-04-03 16:44 <DIR> d-------- C:\Documents and Settings\Jerry\Application Data\Malwarebytes2008-04-03 16:44 . 2008-04-03 16:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes2008-03-28 22:49 . 2008-03-28 22:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab2008-03-28 22:49 . 2008-03-28 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab2008-03-22 22:48 . 2008-04-03 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\wnulcbsb2008-03-20 00:37 . 2008-03-20 00:37 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico2008-03-19 22:06 . 2008-03-20 00:34 1,544,253 ---hs---- C:\WINDOWS\SYSTEM32\oqnkdamp.ini2008-03-19 21:58 . 2008-04-03 17:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\sn72008-03-19 21:58 . 2008-03-20 00:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\rom52008-03-19 21:58 . 2008-04-03 17:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\rls32008-03-19 21:58 . 2008-03-27 01:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\drv22008-03-19 21:39 . 2006-10-04 10:06 1,197,294 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\sysmain.sdb2008-03-19 21:38 . 2008-03-19 21:38 <DIR> d-------- C:\Program Files\Windows Media Connect 22008-03-19 21:35 . 2008-03-19 21:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles2008-03-19 21:35 . 2008-03-19 21:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF2008-03-17 23:50 . 2008-03-29 16:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn2008-03-17 23:50 . 2008-03-17 23:50 1,409 --a------ C:\WINDOWS\QTFont.for2008-03-10 20:30 . 2008-03-10 20:30 <DIR> d-------- C:\Program Files\CWGET2008-03-10 20:30 . 2008-03-14 16:37 193 --a------ C:\WINDOWS\PCWGXDRV.INI.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-03-31 01:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee2008-03-30 00:55 --------- d-----w C:\Program Files\Enigma Software Group2008-03-29 05:47 --------- d-----w C:\Program Files\Spybot - Search & Destroy2008-03-29 05:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy2008-03-29 02:32 --------- d-----w C:\Program Files\Trend Micro2008-03-25 04:10 --------- d-----w C:\Program Files\SUPERAntiSpyware2008-03-20 05:06 --------- d-----w C:\Program Files\Java2008-03-14 04:34 --------- d-----w C:\Documents and Settings\Jerry\Application Data\LimeWire2008-03-14 04:32 --------- d-----w C:\Program Files\Soulseek2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll2008-01-05 04:15 10 ----a-w C:\Program Files\.autoreg2007-10-16 02:56 1,664 ----a-w C:\Documents and Settings\Jerry\Application Data\ViewerApp.dat2007-05-15 04:24 25,990,392 ----a-w C:\Program Files\FLV PlayerRCSetup.exe.((((((((((((((((((((((((((((( snapshot_2008-03-23_23.20.44.20 ))))))))))))))))))))))))))))))))))))))))).+ 2008-03-25 22:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll+ 2007-07-18 17:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll- 2000-08-31 12:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE+ 2000-08-31 12:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe+ 2000-08-31 12:00:00 80,412 ----a-w C:\WINDOWS\grep.exe+ 2000-08-31 12:00:00 98,816 ----a-w C:\WINDOWS\sed.exe+ 2000-08-31 12:00:00 161,792 ----a-w C:\WINDOWS\swreg.exe+ 2000-08-31 12:00:00 136,704 ----a-w C:\WINDOWS\swsc.exe+ 2000-08-31 12:00:00 212,480 ----a-w C:\WINDOWS\swxcacls.exe- 2005-05-27 23:49:35 16,384 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat+ 2008-03-27 02:41:16 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat- 2005-05-27 23:49:35 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat+ 2008-03-27 02:41:16 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat- 2005-05-27 23:49:35 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat+ 2008-03-27 02:41:16 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat+ 2004-08-04 10:00:00 4,224 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll+ 2000-08-31 12:00:00 49,152 ----a-w C:\WINDOWS\VFind.exe+ 2000-08-31 12:00:00 68,096 ----a-w C:\WINDOWS\zip.exe.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360][HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]Source= file:///C:\WINDOWS\privacy_danger\index.htmFriendlyName= Privacy Protection[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CompuServe 2000 Tray Icon.lnk]path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CompuServe 2000 Tray Icon.lnkbackup=C:\WINDOWS\pss\CompuServe 2000 Tray Icon.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnkbackup=C:\WINDOWS\pss\dlbcserv.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnkbackup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\883b4cfe]C:\WINDOWS\system32\qdikpbgm.dll[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]--a------ 2006-08-01 15:35 67112 C:\Program Files\AIM95\aim.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]C:\Program Files\AIM6\aim6.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]C:\Program Files\antiviirus.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8b087f62]C:\WINDOWS\system32\hyxfnpkc.dll[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]C:\Program Files\Common Files\Symantec Shared\ccApp.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Crmfqr]C:\Documents and Settings\Jerry\Application Data\?asks\?hkntfs.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]--a------ 2004-12-06 02:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]--------- 2004-09-03 04:58 65536 C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]--a------ 2005-09-20 09:32 77824 C:\WINDOWS\system32\hkcmd.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]--a------ 2005-09-20 09:36 114688 C:\WINDOWS\system32\igfxpers.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]--a------ 2005-09-20 09:35 94208 C:\WINDOWS\system32\igfxtray.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]--a------ 2003-09-03 21:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kernel]C:\Program Files\kernel\kernel.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]C:\Program Files\McAfee.com\Agent\mcagent.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]--a------ 2006-01-17 13:03 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]--a------ 2006-01-17 13:03 135168 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ouwovetu]C:\WINDOWS\system32\cdkrkxcj.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ozcorujz]C:\WINDOWS\system32\tgrabupy.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]--a------ 2005-10-28 14:08 335872 C:\Program Files\Picasa2\PicasaMediaDetector.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]--a------ 2005-05-19 03:37 98304 C:\Program Files\QuickTime\qttask.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]--a------ 2007-03-30 22:26 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sen]C:\DOCUME~1\Jerry\APPLIC~1\SSTEM~1\dllhost.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]C:\Documents and Settings\Jerry\Application Data\Microsoft\Windows\rayiou.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]C:\Program Files\SiteAdvisor\6172\SiteAdv.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]--a------ 2004-10-14 15:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]--a------ 2007-06-21 15:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]--a------ 2007-03-14 12:16 100048 C:\PROGRA~1\SYMNET~1\SNDMon.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]--a------ 2004-01-07 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]C:\WINDOWS\winshow.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]C:\Documents and Settings\Jerry\Application Data\WinTouch\WinTouch.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]--a------ 2007-08-30 18:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yby]C:\Documents and Settings\Jerry\Application Data\?icrosoft\?ttrib.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]--a------ 2007-03-28 18:10 224248 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"SPBBCSvc"=2 (0x2)"SymWSC"=2 (0x2)"SBService"=2 (0x2)"SAVScan"=3 (0x3)"ISSVC"=2 (0x2)"ccSetMgr"=2 (0x2)"ccPwdSvc"=3 (0x3)"ccProxy"=2 (0x2)"ccEvtMgr"=2 (0x2)"SNDSrvc"=3 (0x3)"Automatic LiveUpdate Scheduler"=2 (0x2)[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001"UpdatesDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Soulseek\\slsk.exe"=R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\system32\PackethSvc.exe [2001-08-09 16:46]S3 imhidusb;Immersion's HID USB Driver;C:\WINDOWS\system32\DRIVERS\imhidusb.sys [2001-04-27 04:36]S3 SNDP610;Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\sndp610.sys [2005-10-11 15:19]S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 23:41]S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 06:00][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]\Shell\AutoRun\command - E:\Autorun.exe.**************************************************************************catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-04-08 22:04:16Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ...scanning hidden files ... scan completed successfully hidden files: 0 **************************************************************************.Completion time: 2008-04-08 22:06:06ComboFix-quarantined-files.txt 2008-04-09 02:05:46ComboFix2.txt 2008-03-24 03:21:06ComboFix3.txt 2008-03-22 03:33:35ComboFix4.txt 2008-01-08 05:08:42Pre-Run: 31,075,479,552 bytes freePost-Run: 31,063,887,872 bytes free.2008-03-23 04:27:31 --- E O F --- New HJT log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:15:55 PM, on 4/8/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16608)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\PackethSvc.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\wanmpsvc.exeC:\Program Files\internet explorer\iexplore.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\system32\wscntfy.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis2\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exeO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cabO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exeO23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exeO23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exeO24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm--End of file - 4546 bytesY'know it kills me how people like to use their supeiror intellect to do such horrible things to people! I'm just glad there's good people like you out there too! Thanks again! Link to post Share on other sites More sharing options...
JeanInMontana Posted April 9, 2008 ID:15898 Share Posted April 9, 2008 Hi Jerry. Yes, I agree if those working to fill the world with malware put that brain to work on something like AIDS or Cancer it would be nice. It's all about greed though.OK, still work to do.Please upload this file C:\WINDOWS\privacy_danger\index.htm to here . This will ensure it gets added to the data base for future removals. Now run HJT again in scan only and put a check next to O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm then click fix. Reboot and let's try SmitFraud again.Print or Copy these instructions to notepad and save to your Desktoop as you will be offline with all browsers closed for this fix. Download: Use this URL to download the latest version (the file contains both English and French versions): http://siri.urz.free.fr/Fix/SmitfraudFix.exe * Double-click SmitfraudFix.exe * Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt Clean: * Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually) * Double-click SmitfraudFix.exe * Select 2 and hit Enter to delete infect files. * You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection. * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file. * A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt * Optional: o To restore Trusted and Restricted site zone, select 3 and hit Enter. o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm Post the log from SmitFraud and a new HJT please. Tell me how things are running also. Link to post Share on other sites More sharing options...
Jerry Posted April 10, 2008 Author ID:15935 Share Posted April 10, 2008 I did not find the "privacy danger" folder in the WINDOWS directory, but HJT found it and I cleaned it then rebooted. I downloaded & ran SmitfraudFix. I'm now rebooting into safe mode... Link to post Share on other sites More sharing options...
Jerry Posted April 10, 2008 Author ID:15936 Share Posted April 10, 2008 (edited) Okay, done. Here's HJT:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:33:32 PM, on 4/9/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16640)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\PackethSvc.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\wanmpsvc.exeC:\Program Files\internet explorer\iexplore.exeC:\WINDOWS\system32\wscntfy.exeC:\Program Files\Trend Micro\HijackThis2\HijackThis.exeO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exeO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cabO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)O23 - Service: Intel NCS NetService (NetSvc) - Intel Edited April 10, 2008 by JeanInMontana Remove Hosts file junk Link to post Share on other sites More sharing options...
Jerry Posted April 10, 2008 Author ID:15939 Share Posted April 10, 2008 (edited) And finally.... rapport.txt Part 4: Edited April 10, 2008 by JeanInMontana Remove Hosts file junk Link to post Share on other sites More sharing options...
JeanInMontana Posted April 10, 2008 ID:15971 Share Posted April 10, 2008 Nothing in the HJT log. Did you scan with it before or after the SF? HJT log is always last.Let's run one more tool just to be sure. I don't like leaving anything.Please download this file: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe' rel="external nofollow">SDFix.exe and save it to your desktop. Double click SDFix.exe and choose Install to extract it to itsown folder on the Desktop. Please then reboot your computer in SafeMode by doing the following : * Restart your computer * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; * Instead of Windows loading as normal, the Advanced Options Menu should appear; * Select the first option, to run Windows in Safe Mode, then press Enter. * Choose your usual account. * Open the extracted SDFix folder and double click RunThis.bat to start the script. * Type Y to begin the cleanup process. * It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot. * Press any Key and it will restart the PC. * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. * Finally copy and paste the contents of the results file Report.txt with a new HijackThis logReboot your system in Normal Mode. Then post the SDFix log and a new HJT log please. Link to post Share on other sites More sharing options...
Jerry Posted April 12, 2008 Author ID:16032 Share Posted April 12, 2008 Okay here's Report.txt:SDFix: Version 1.169 Run by Jerry on Fri 04/11/2008 at 09:57 PMMicrosoft Windows XP [Version 5.1.2600]Running From: C:\SDFixChecking Services :Restoring Windows Registry ValuesRestoring Windows Default Hosts FileRebootingChecking Files : Trojan Files Found:C:\PROGRA~1\MESSEN~1\LAWUG - DeletedC:\PROGRA~1\MESSEN~1\LAWUG386 - DeletedC:\Program Files\.autoreg - DeletedC:\WINDOWS\server.dll - DeletedRemoving Temp FilesADS Check : Final Check :catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-04-11 22:02:17Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...scanning hidden services & system hive ...scanning hidden registry entries ...scanning hidden files ...scan completed successfullyhidden processes: 0hidden services: 0hidden files: 0Remaining Services :Authorized Application Key Export:[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger""C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger""C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]Remaining Files :File Backups: - C:\SDFix\backups\backups.zipFiles with Hidden Attributes :Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\PRIMOSDK.DLL"Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\PX.DLL"Wed 28 Jul 2004 56,832 A..H. --- "C:\DELL\PXCPYA64.EXE"Wed 28 Jul 2004 108,544 A..H. --- "C:\DELL\PXCPYI64.EXE"Wed 18 Aug 2004 389,120 A..H. --- "C:\DELL\PXDRV.DLL"Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\PXHELP20.SYS"Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\PXHELP64.SYS"Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\PXHELPER.SYS"Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\PXHLPA64.SYS"Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\PXHPINST.EXE"Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\PXINSA64.EXE"Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\PXINSI64.EXE"Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\PXMAS.DLL"Wed 28 Jul 2004 57,344 A..H. --- "C:\DELL\PXSETUP.EXE"Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\PXWAVE.DLL"Thu 20 May 2004 28,672 A..H. --- "C:\DELL\VXBLOCK.DLL"Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\MEDIAEXE\PRIMOSDK.DLL"Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\MEDIAEXE\PX.DLL"Wed 28 Jul 2004 56,832 A..H. --- "C:\DELL\MEDIAEXE\PXCPYA64.EXE"Wed 28 Jul 2004 108,544 A..H. --- "C:\DELL\MEDIAEXE\PXCPYI64.EXE"Wed 18 Aug 2004 389,120 A..H. --- "C:\DELL\MEDIAEXE\PXDRV.DLL"Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\MEDIAEXE\PXHELP20.SYS"Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\MEDIAEXE\PXHELP64.SYS"Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\MEDIAEXE\PXHELPER.SYS"Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\MEDIAEXE\PXHLPA64.SYS"Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXHPINST.EXE"Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\MEDIAEXE\PXINSA64.EXE"Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\MEDIAEXE\PXINSI64.EXE"Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\MEDIAEXE\PXMAS.DLL"Wed 28 Jul 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXSETUP.EXE"Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\MEDIAEXE\PXWAVE.DLL"Thu 20 May 2004 28,672 A..H. --- "C:\DELL\MEDIAEXE\VXBLOCK.DLL"Mon 22 May 2006 26,624 ...H. --- "C:\Games\My Documents\~WRL0004.tmp"Thu 9 Aug 2001 102,467 A..H. --- "C:\Program Files\CompuServe 2000\csphx.exe"Thu 9 Aug 2001 36,935 A..H. --- "C:\Program Files\CompuServe 2000\cstray.exe"Thu 9 Aug 2001 64,512 A..H. --- "C:\Program Files\CompuServe 2000\packethsvc.exe"Thu 9 Aug 2001 40,960 A..H. --- "C:\Program Files\CompuServe 2000\RBM.exe"Thu 9 Aug 2001 172,095 A..H. --- "C:\Program Files\CompuServe 2000\wcs2000.exe"Thu 7 Nov 2002 49,232 A..H. --- "C:\Program Files\CompuServe 7.0\csphx.exe"Mon 4 Mar 2002 32,840 A..H. --- "C:\Program Files\CompuServe 7.0\cstray.exe"Mon 4 Mar 2002 40,960 A..H. --- "C:\Program Files\CompuServe 7.0\RBM.exe"Mon 4 Mar 2002 180,288 A..H. --- "C:\Program Files\CompuServe 7.0\wcs2000.exe"Wed 15 Jun 2005 141,312 ..SHR --- "C:\Program Files\PhoTags Express\Setup.exe"Wed 9 Mar 2005 39,936 A.SHR --- "C:\Program Files\PhoTags Express\_Setupx.dll"Fri 11 Nov 2005 4,126,240 ...H. --- "C:\Program Files\Picasa2\setup.exe"Wed 22 Jun 2005 45,568 A.SHR --- "C:\Program Files\Replay Converter\cygz.dll"Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"Thu 9 Aug 2001 64,512 A..H. --- "C:\WINDOWS\SYSTEM32\PackethSvc.exe"Tue 27 Nov 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"Thu 9 Aug 2001 172,032 A..H. --- "C:\Program Files\CompuServe 2000\COMIT\cswitch.exe"Mon 4 Mar 2002 77,894 A..H. --- "C:\Program Files\CompuServe 7.0\COMIT\cswitch.exe"Wed 19 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"Sun 10 Jul 2005 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\OffD.tmp"Wed 12 Dec 2001 102,400 A..H. --- "C:\Program Files\Common Files\csshare\shell\us\shellext.dll"Finished!...and HJT:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:11:58 PM, on 4/11/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16640)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\system32\PackethSvc.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\wanmpsvc.exeC:\WINDOWS\system32\wscntfy.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\internet explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis2\HijackThis.exeO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exeO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cabO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)O23 - Service: Intel NCS NetService (NetSvc) - Intel Link to post Share on other sites More sharing options...
JeanInMontana Posted April 12, 2008 ID:16049 Share Posted April 12, 2008 Well, it looks like running SDFix was a good call. How are you running now? You look squeaky clean.Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it. Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenol. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.SpywareBlaster from Javacool SoftwareWinPatrol by BillPStudios SiteHound by FireTrustRogueRemoverhpHostsThe windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free Also the full protection of MBAM is offered at a very low price. Give it a trial using the link in my signature. Link to post Share on other sites More sharing options...
Jerry Posted April 13, 2008 Author ID:16090 Share Posted April 13, 2008 Thanks!!! You have no idea how much I appreciate this! I'm gonna install those scanners and that firewall right now!!! Link to post Share on other sites More sharing options...
JeanInMontana Posted April 13, 2008 ID:16111 Share Posted April 13, 2008 Good plan, and be sure to keep them updated along with your Windows, Java, Flash and Adobe programs . Since this issue is resolved I will close the topic to prevent others from posting into it.The fixes and procedures in this topic are for this machine only. Do not apply them to your machine even if you thing you are having the same problem. Read the instructions at the top of this page and start your own topic. Someone will be happy to help you. Link to post Share on other sites More sharing options...
Recommended Posts