WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93083 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Ie Opens W/out Request

Started by Cigar , May 02 2007 09:23 PM

This topic is locked

11 replies to this topic

#1 Cigar

New Member

New Member
7 posts

Posted 02 May 2007 - 09:23 PM

I have been using Firefox since last October or so. But just within the last couple of days, Internet Explorer will open on it's own and direct itself to a site that is usually sales related. ex. aaalue.com I cannot find what that site is about. But this will open seconds apart. Below is the HJT startuplist and process log.

Logfile of HijackThis v1.99.1
Scan saved at 8:53:25 PM, on 5/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\PSP\My Documents\Frontiernet\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\documents and settings\psp\my documents\frontiernet\eTrust EZ Firewall\ca.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Documents and Settings\PSP\My Documents\My Music\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\pasystem\pasystem.exe
C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe
C:\Documents and Settings\PSP\My Documents\Treo My Documents\Wcescomm.exe
C:\WINDOWS\svchost.exe
C:\Documents and Settings\All Users\Documents\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\DOCUME~1\ALLUSE~1\DOCUME~1\Office10\OUTLOOK.EXE
C:\Documents and Settings\All Users\Documents\Office10\WINWORD.EXE
C:\Documents and Settings\PSP\My Documents\Treo My Documents\WCESMgr.exe
C:\documents and settings\all users\documents\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: Web Assistant - {04DCB78C-AB45-83AD-A86A-6DFB90277939} - C:\Program Files\psquery\psquery.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\documents and settings\all users\documents\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PSP\MYDOCU~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo RX500 on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P38 "Auto EPSON Stylus Photo RX500 on ANTEC" /O16 "\\ANTEC\Printer3" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [eTrustPPAP] "C:\documents and settings\all users\documents\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "c:\Documents and Settings\PSP\My Documents\Frontiernet\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "c:\documents and settings\psp\my documents\frontiernet\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\PSP\My Documents\My Music\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PaSystem] "C:\Program Files\pasystem\pasystem.exe"
O4 - HKCU\..\Run: [SpriteService] "C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Documents and Settings\PSP\My Documents\Treo My Documents\Wcescomm.exe"
O4 - HKCU\..\Run: [xrunwin] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Global Startup: Acrobat Assistant.lnk = Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\DOCUME~1\ALLUSE~1\DOCUME~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll (file missing)
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

____________________________________________________________________________________________________________________________________

StartupList report, 5/2/2007, 10:01:27 PM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\PSP\My Documents\Frontiernet\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\documents and settings\psp\my documents\frontiernet\eTrust EZ Firewall\ca.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Documents and Settings\PSP\My Documents\My Music\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\pasystem\pasystem.exe
C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe
C:\Documents and Settings\PSP\My Documents\Treo My Documents\Wcescomm.exe
C:\WINDOWS\svchost.exe
C:\Documents and Settings\All Users\Documents\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\DOCUME~1\ALLUSE~1\DOCUME~1\Office10\OUTLOOK.EXE
C:\Documents and Settings\All Users\Documents\Office10\WINWORD.EXE
C:\Documents and Settings\PSP\My Documents\Treo My Documents\WCESMgr.exe
C:\documents and settings\all users\documents\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = Distillr\AcroTray.exe
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Bluetooth Manager.lnk = ?
Digital Line Detect.lnk = ?
InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
Microsoft Office.lnk = Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Apoint = C:\Program Files\Apoint\Apoint.exe
IgfxTray = C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
(Default) =
IntelWireless = C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
Dell QuickSet = C:\Program Files\Dell\QuickSet\quickset.exe
UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
Adobe Photo Downloader = "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
EPSON Stylus Photo RX500 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
Auto EPSON Stylus Photo RX500 on ANTEC = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P38 "Auto EPSON Stylus Photo RX500 on ANTEC" /O16 "\\ANTEC\Printer3" /M "Stylus Photo RX500"
DVDLauncher = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
eTrustPPAP = "C:\documents and settings\all users\documents\eTrust PestPatrol\PPActiveDetection.exe"
QOELOADER = "c:\Documents and Settings\PSP\My Documents\Frontiernet\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
Zone Labs Client = "c:\documents and settings\psp\my documents\frontiernet\eTrust EZ Firewall\ca.exe"
SSBkgdUpdate = "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
PaperPort PTD = C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
IndexSearch = C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
BrMfcWnd = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
ControlCenter3 = C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Documents and Settings\PSP\My Documents\My Music\iTunes\iTunesHelper.exe"
IESet = IExplorer.dll .dbt

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

IESet = IExplorer.dll .dbt

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Weather = C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
PhotoShow Deluxe Media Manager = C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
PaSystem = "C:\Program Files\pasystem\pasystem.exe"
SpriteService = "C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe"
H/PC Connection Agent = "C:\Documents and Settings\PSP\My Documents\Treo My Documents\Wcescomm.exe"
xrunwin = C:\WINDOWS\svchost.exe
IESet = IExplorer.dll .dbt

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = NOTEDAD.EXE %1

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\WINDOWS\system32\perfc000.dat

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\sspipes.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

Web Assistant - C:\Program Files\psquery\psquery.dll - {04DCB78C-AB45-83AD-A86A-6DFB90277939}
(no name) - c:\documents and settings\all users\documents\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\DOCUME~1\PSP\MYDOCU~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
PPv5Scan_Daily as PSP at 10 00 PM.job
PPv5Scan_Daily as PSP at 9 17 AM.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft....k/?linkid=39204

[MiniBugTransporterX Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MiniBugTransporter.dll
CODEBASE = http://wdownload.wea...Transporter.cab?

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\system32\wshbth.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: c:\sysghon.exe

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
contrabandists: C:\WINDOWS\system32\dpfwu.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

{383AC32E-063C-1033-1002-051114200001} = "C:\Program Files\Common Files\{383AC32E-063C-1033-1002-051114200001}\Update.exe" te-110-12-0000132

--------------------------------------------------

End of report, 12,461 bytes
Report generated in 0.156 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Advertisements

Register to Remove

#2 bob4

MalwareTeam Emeritus

Authentic Member
2,205 posts

Posted 03 May 2007 - 05:18 AM

I'm Bob4, I'll be glad to help you with your computer problems.

Please observe these rules while we work:

Perform all actions in the order given.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Stick with it till you're given the all clear.
REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.

If you can do these things, everything should go smoothly.

Please note you'll need to have Administrator priviledges to perform the fixes. (XP accounts are Administrator by default)
Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

It may be helpful to you to print out or take a copy of any instructions given, or save them as a txt document on your desktop as sometimes it is necessary to go offline and you will lose access to them.

c:/windows/svchost.exe Not to be confused with c:/system32/svchost.exe

It looks like you have been infected by a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

Its very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing that has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to backup your information, reformat, and reinstall.

More information on Remote Access Trojans can be found
here

I suggest you do the following immediately:

Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passords and transaction information.

If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities.

Should you have any questions, please feel free to ask.

Please let me know what you decide to do in your next post.

Should you decide to clean this machine start by doing the following.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

____________________________________________________

Download SmitfraudFix (by S!Ri) to your Desktop.
Smitfraud by S!ri

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with any others I have asked for in your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

IMPORTANT: Do NOT run any other options until you are asked to do so!

______________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

O2 - BHO: Web Assistant - {04DCB78C-AB45-83AD-A86A-6DFB90277939} - C:\Program Files\psquery\psquery.dll
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [xrunwin] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab <http://wdownload.wea...ansporter.cab>?

O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll (file missing)

In your next reply I would like to see:

A new HJT log
The report from S&D fix
The report from Smitfraud

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#3 Cigar

New Member

New Member
7 posts

Posted 03 May 2007 - 08:25 PM

Bob4, Here is the results of the my work this morning.

SDFix: Version 1.81

Run by PSP - Thu 05/03/2007 - 11:24:26.90

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
core

ImagePath:
system32\drivers\core.sys

core - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

___________________________________________________________________________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 8:17:16 PM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\documents and settings\all users\documents\eTrust PestPatrol\PPActiveDetection.exe
C:\Documents and Settings\PSP\My Documents\Frontiernet\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\documents and settings\psp\my documents\frontiernet\eTrust EZ Firewall\ca.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\PSP\My Documents\My Music\iTunes\iTunesHelper.exe
C:\WINDOWS\NOTEDAD.EXE
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\pasystem\pasystem.exe
C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe
C:\Documents and Settings\PSP\My Documents\Treo My Documents\Wcescomm.exe
C:\Documents and Settings\All Users\Documents\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\rapimgr.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: Web Assistant - {04DCB78C-AB45-83AD-A86A-6DFB90277939} - C:\Program Files\psquery\psquery.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\documents and settings\all users\documents\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PSP\MYDOCU~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo RX500 on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P38 "Auto EPSON Stylus Photo RX500 on ANTEC" /O16 "\\ANTEC\Printer3" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [eTrustPPAP] "C:\documents and settings\all users\documents\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "c:\Documents and Settings\PSP\My Documents\Frontiernet\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "c:\documents and settings\psp\my documents\frontiernet\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\PSP\My Documents\My Music\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PaSystem] "C:\Program Files\pasystem\pasystem.exe"
O4 - HKCU\..\Run: [SpriteService] "C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Documents and Settings\PSP\My Documents\Treo My Documents\Wcescomm.exe"
O4 - HKCU\..\Run: [xrunwin] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Global Startup: Acrobat Assistant.lnk = Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\DOCUME~1\ALLUSE~1\DOCUME~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{546CE1EB-57D3-4249-A20D-73D06E654FDF}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF9B7014-A4AA-4F04-B1AA-2C26CB6282F8}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7D871DF-2CBE-4E42-A532-C6B52A6DAF52}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC526106-6568-430D-AF4D-CA242E23CCF2}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C98A1A-231B-440F-96E3-9B8AE343C12D}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7C138B6-0E31-47D6-B621-DB3947C11B51}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\..\{546CE1EB-57D3-4249-A20D-73D06E654FDF}: NameServer = 194.54.90.226
O17 - HKLM\System\CS2\Services\Tcpip\..\{546CE1EB-57D3-4249-A20D-73D06E654FDF}: NameServer = 194.54.90.226
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll (file missing)
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

#4 Cigar

New Member

New Member
7 posts

Posted 03 May 2007 - 09:10 PM

I ran them again. Still had it going on. SmitFraudFix v2.174 Scan done at 22:00:20.01, Thu 05/03/2007 Run from C:\Documents and Settings\PSP\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Process C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe C:\WINDOWS\system32\basfipm.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Apoint\Apoint.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\system32\rundll32.exe C:\documents and settings\all users\documents\eTrust PestPatrol\PPActiveDetection.exe C:\Documents and Settings\PSP\My Documents\Frontiernet\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe C:\documents and settings\psp\my documents\frontiernet\eTrust EZ Firewall\ca.exe C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe C:\Program Files\QuickTime\qttask.exe C:\Documents and Settings\PSP\My Documents\My Music\iTunes\iTunesHelper.exe C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\pasystem\pasystem.exe C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe C:\Documents and Settings\PSP\My Documents\Treo My Documents\Wcescomm.exe C:\Documents and Settings\All Users\Documents\Distillr\AcroTray.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe C:\Program Files\Brother\ControlCenter3\brccMCtl.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Brother\Brmfcmon\BrMfimon.exe C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\rapimgr.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe C:\WINDOWS\system32\cmd.exe »»»»»»»»»»»»»»»»»»»»»»»» hosts »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 C:\WINDOWS\system32\ld???.tmp FOUND ! C:\WINDOWS\system32\ld????.tmp FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\PSP »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\PSP\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PSP\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{dfa61db1-388e-4c87-8d56-540fa229bcb4}"="contrabandists" »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="C:\\WINDOWS\\system32\\perfc000.dat" »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32 »»»»»»»»»»»»»»»»»»»»»»»» DNS Description: Intel® PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport DNS Server Search Order: 194.54.90.226 Description: Bluetooth Personal Area Network from TOSHIBA - Packet Scheduler Miniport DNS Server Search Order: 194.54.90.226 HKLM\SYSTEM\CCS\Services\Tcpip\..\{546CE1EB-57D3-4249-A20D-73D06E654FDF}: NameServer=194.54.90.226 HKLM\SYSTEM\CCS\Services\Tcpip\..\{DF9B7014-A4AA-4F04-B1AA-2C26CB6282F8}: DhcpNameServer=192.168.254.254 192.168.254.254 HKLM\SYSTEM\CCS\Services\Tcpip\..\{DF9B7014-A4AA-4F04-B1AA-2C26CB6282F8}: NameServer=194.54.90.226 HKLM\SYSTEM\CCS\Services\Tcpip\..\{E7D871DF-2CBE-4E42-A532-C6B52A6DAF52}: NameServer=194.54.90.226 HKLM\SYSTEM\CCS\Services\Tcpip\..\{EC526106-6568-430D-AF4D-CA242E23CCF2}: NameServer=194.54.90.226 HKLM\SYSTEM\CCS\Services\Tcpip\..\{F4C98A1A-231B-440F-96E3-9B8AE343C12D}: NameServer=194.54.90.226 HKLM\SYSTEM\CCS\Services\Tcpip\..\{F7C138B6-0E31-47D6-B621-DB3947C11B51}: NameServer=194.54.90.226 HKLM\SYSTEM\CS1\Services\Tcpip\..\{546CE1EB-57D3-4249-A20D-73D06E654FDF}: NameServer=194.54.90.226 HKLM\SYSTEM\CS1\Services\Tcpip\..\{DF9B7014-A4AA-4F04-B1AA-2C26CB6282F8}: DhcpNameServer=192.168.254.254 192.168.254.254 HKLM\SYSTEM\CS1\Services\Tcpip\..\{DF9B7014-A4AA-4F04-B1AA-2C26CB6282F8}: NameServer=194.54.90.226 HKLM\SYSTEM\CS1\Services\Tcpip\..\{E7D871DF-2CBE-4E42-A532-C6B52A6DAF52}: NameServer=194.54.90.226 HKLM\SYSTEM\CS1\Services\Tcpip\..\{EC526106-6568-430D-AF4D-CA242E23CCF2}: NameServer=194.54.90.226 HKLM\SYSTEM\CS1\Services\Tcpip\..\{F4C98A1A-231B-440F-96E3-9B8AE343C12D}: NameServer=194.54.90.226 HKLM\SYSTEM\CS1\Services\Tcpip\..\{F7C138B6-0E31-47D6-B621-DB3947C11B51}: NameServer=194.54.90.226 HKLM\SYSTEM\CS2\Services\Tcpip\..\{546CE1EB-57D3-4249-A20D-73D06E654FDF}: NameServer=194.54.90.226 HKLM\SYSTEM\CS2\Services\Tcpip\..\{DF9B7014-A4AA-4F04-B1AA-2C26CB6282F8}: DhcpNameServer=192.168.254.254 192.168.254.254 HKLM\SYSTEM\CS2\Services\Tcpip\..\{DF9B7014-A4AA-4F04-B1AA-2C26CB6282F8}: NameServer=194.54.90.226 HKLM\SYSTEM\CS2\Services\Tcpip\..\{E7D871DF-2CBE-4E42-A532-C6B52A6DAF52}: NameServer=194.54.90.226 HKLM\SYSTEM\CS2\Services\Tcpip\..\{EC526106-6568-430D-AF4D-CA242E23CCF2}: NameServer=194.54.90.226 HKLM\SYSTEM\CS2\Services\Tcpip\..\{F4C98A1A-231B-440F-96E3-9B8AE343C12D}: NameServer=194.54.90.226 HKLM\SYSTEM\CS2\Services\Tcpip\..\{F7C138B6-0E31-47D6-B621-DB3947C11B51}: NameServer=194.54.90.226 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.254.254 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.254.254 HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.254.254 »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ SDFix: Version 1.81 Run by PSP - Thu 05/03/2007 - 21:44:46.54 Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Name: core core ImagePath: system32\drivers\core.sys core - Deleted Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting... Normal Mode: Checking Files: Below files will be copied to Backups folder then removed: C:\DOCUME~1\PSP\LOCALS~1\Temp\svchost.exe - Deleted C:\U.exe - Deleted C:\WINDOWS\odbc.INI - Deleted C:\WINDOWS\svchost.exe - Deleted C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted C:\WINDOWS\system32\drivers\core.sys - Deleted C:\WINDOWS\system32\explorer.exe - Deleted C:\WINDOWS\system32\explorer.exe - Deleted Removing Temp Files ADS Check: Checking if ADS is attached to system32 Folder C:\WINDOWS\system32 No streams found. Checking if ADS is attached to svchost.exe C:\WINDOWS\system32\svchost.exe No streams found. Final Check: Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour" "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes" "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE:*:Enabled:SAgent4" "C:\\Documents and Settings\\PSP\\My Documents\\My Music\\iTunes\\iTunes.exe"="C:\\Documents and Settings\\PSP\\My Documents\\My Music\\iTunes\\iTunes.exe:*:Enabled:iTunes" "C:\\Documents and Settings\\PSP\\My Documents\\Treo My Documents\\rapimgr.exe"="C:\\Documents and Settings\\PSP\\My Documents\\Treo My Documents\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager" "C:\\Documents and Settings\\PSP\\My Documents\\Treo My Documents\\wcescomm.exe"="C:\\Documents and Settings\\PSP\\My Documents\\Treo My Documents\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager" "C:\\Documents and Settings\\PSP\\My Documents\\Treo My Documents\\WCESMgr.exe"="C:\\Documents and Settings\\PSP\\My Documents\\Treo My Documents\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application" "C:\\WINDOWS\\svchost.exe"="C:\\WINDOWS\\svchost.exe:*:Enabled:svchost" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\PSP\\My Documents\\Treo My Documents\\rapimgr.exe"="C:\\Documents and Settings\\PSP\\My Documents\\Treo My Documents\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager" "C:\\Documents and Settings\\PSP\\My Documents\\Treo My Documents\\wcescomm.exe"="C:\\Documents and Settings\\PSP\\My Documents\\Treo My Documents\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager" "C:\\Documents and Settings\\PSP\\My Documents\\Treo My Documents\\WCESMgr.exe"="C:\\Documents and Settings\\PSP\\My Documents\\Treo My Documents\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application" Remaining Files: --------------- Backups Folder: - C:\SDFix\backups\backups.zip Checking For Files with Hidden Attributes: C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe C:\Program Files\Nero\data\Nero PhotoShow Express.exe C:\Program Files\Common Files\X10\Common\x10prod.sys C:\Documents and Settings\PSP\Local Settings\Temp\TCD49.tmp\~$05-2007 multi-year calendar.dot C:\Documents and Settings\PSP\My Documents\My Pictures\Family\Agape 2006\SIV195.tmp C:\Documents and Settings\PSP\My Documents\My Pictures\Family\Alexandra\Alex's 12th 2-04\SIV29.tmp C:\WINDOWS\system32\config\default.tmp.LOG C:\WINDOWS\system32\config\software.tmp.LOG C:\WINDOWS\system32\config\system.tmp.LOG Finished Thanks for your help Bob4

#5 bob4

MalwareTeam Emeritus

Authentic Member
2,205 posts

Posted 04 May 2007 - 04:58 AM

____________________________
Please download the Killbox by Option^Explicit

Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\perfc000.dat

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

______________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

O2 - BHO: Web Assistant - {04DCB78C-AB45-83AD-A86A-6DFB90277939} - C:\Program Files\psquery\psquery.dll
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [xrunwin] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab <http://wdownload.wea...ansporter.cab>?
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll (file missing)

______________________________

Download and install CCleaner from here

If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

Set Cookie Retention.
Click on the Options block on the left, then choose Cookies.
Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
Reset Temp File Removal for Regular Use.
Click on the Options block on the left. Select the Advanced button.
Check "Only delete files in Windows Temp folders older than 48 hours".

Now run the program and click on Run Cleaner
( Do not use the Issues block to clean anything with this program. It is for experts only and it is risky).

_______________________________________________
Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
___________________________________
Download AVG Anti-Spyware.
Install AVG Anti-Spyware.
Launch AVG by double-clicking on the icon.
The program will now open to the main screen.
You will need to update AVG to the latest definition files.
At the top of the main screen click Update.
Then in the Manual Update section, click on Start Update.

[*]The update will start and a progress bar will show the updates being installed.
[*]When updates are completed, close AVG.
[/list]If you are having problems with the updater, you can use this link to manually update AVG.
AVG manual updates
Do not use it yet.

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and quit any instances of Windows Explorer.
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
___________________________

AVG
Close all open windows/programs/folders. Have nothing else open while AVG performs its scan!
Click on scanner
Click on Settings
Under How to act
Choose quarantine

Under Reports check automatically create report after every scan.
Now back to the scan tab andClick on Complete system scan

Let the program scan the machine .
When finished click apply all actions.

Post the report in your next reply.
Exit AVG.
__________________________

1. Download Combo fix from one of these locations.
http://www.techsuppo...Bs/ComboFix.exe
http://download.blee...Bs/ComboFix.exe

combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please post:

c:\rapport.txt
AVG log
A new HijackThis log
The report from combo fix.

Your may need several replies to post the requested logs, otherwise they might get cut off.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#6 Cigar

New Member

New Member
7 posts

Posted 06 May 2007 - 12:46 AM

Bob4, Here are the results. Pretty nasty. They will be in 2 posts. SmitFraudFix v2.174 Scan done at 23:46:59.68, Sat 05/05/2007 Run from C:\Documents and Settings\PSP\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{dfa61db1-388e-4c87-8d56-540fa229bcb4}"="contrabandists" »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» hosts 127.0.0.1 localhost »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\WINDOWS\system32\ld???.tmp Deleted »»»»»»»»»»»»»»»»»»»»»»»» DNS HKLM\SYSTEM\CCS\Services\Tcpip\..\{546CE1EB-57D3-4249-A20D-73D06E654FDF}: NameServer=194.54.90.226 HKLM\SYSTEM\CCS\Services\Tcpip\..\{DF9B7014-A4AA-4F04-B1AA-2C26CB6282F8}: DhcpNameServer=192.168.254.254 192.168.254.254 HKLM\SYSTEM\CCS\Services\Tcpip\..\{DF9B7014-A4AA-4F04-B1AA-2C26CB6282F8}: NameServer=194.54.90.226 HKLM\SYSTEM\CCS\Services\Tcpip\..\{E7D871DF-2CBE-4E42-A532-C6B52A6DAF52}: DhcpNameServer=192.168.254.254 192.168.254.254 HKLM\SYSTEM\CCS\Services\Tcpip\..\{E7D871DF-2CBE-4E42-A532-C6B52A6DAF52}: NameServer=194.54.90.226 HKLM\SYSTEM\CCS\Services\Tcpip\..\{EC526106-6568-430D-AF4D-CA242E23CCF2}: NameServer=194.54.90.226 HKLM\SYSTEM\CCS\Services\Tcpip\..\{F4C98A1A-231B-440F-96E3-9B8AE343C12D}: NameServer=194.54.90.226 HKLM\SYSTEM\CCS\Services\Tcpip\..\{F7C138B6-0E31-47D6-B621-DB3947C11B51}: NameServer=194.54.90.226 HKLM\SYSTEM\CS1\Services\Tcpip\..\{546CE1EB-57D3-4249-A20D-73D06E654FDF}: NameServer=194.54.90.226 HKLM\SYSTEM\CS1\Services\Tcpip\..\{DF9B7014-A4AA-4F04-B1AA-2C26CB6282F8}: DhcpNameServer=192.168.254.254 192.168.254.254 HKLM\SYSTEM\CS1\Services\Tcpip\..\{DF9B7014-A4AA-4F04-B1AA-2C26CB6282F8}: NameServer=194.54.90.226 HKLM\SYSTEM\CS1\Services\Tcpip\..\{E7D871DF-2CBE-4E42-A532-C6B52A6DAF52}: DhcpNameServer=192.168.254.254 192.168.254.254 HKLM\SYSTEM\CS1\Services\Tcpip\..\{E7D871DF-2CBE-4E42-A532-C6B52A6DAF52}: NameServer=194.54.90.226 HKLM\SYSTEM\CS1\Services\Tcpip\..\{EC526106-6568-430D-AF4D-CA242E23CCF2}: NameServer=194.54.90.226 HKLM\SYSTEM\CS1\Services\Tcpip\..\{F4C98A1A-231B-440F-96E3-9B8AE343C12D}: NameServer=194.54.90.226 HKLM\SYSTEM\CS1\Services\Tcpip\..\{F7C138B6-0E31-47D6-B621-DB3947C11B51}: NameServer=194.54.90.226 HKLM\SYSTEM\CS2\Services\Tcpip\..\{546CE1EB-57D3-4249-A20D-73D06E654FDF}: NameServer=194.54.90.226 HKLM\SYSTEM\CS2\Services\Tcpip\..\{DF9B7014-A4AA-4F04-B1AA-2C26CB6282F8}: DhcpNameServer=192.168.254.254 192.168.254.254 HKLM\SYSTEM\CS2\Services\Tcpip\..\{DF9B7014-A4AA-4F04-B1AA-2C26CB6282F8}: NameServer=194.54.90.226 HKLM\SYSTEM\CS2\Services\Tcpip\..\{E7D871DF-2CBE-4E42-A532-C6B52A6DAF52}: DhcpNameServer=192.168.254.254 192.168.254.254 HKLM\SYSTEM\CS2\Services\Tcpip\..\{E7D871DF-2CBE-4E42-A532-C6B52A6DAF52}: NameServer=194.54.90.226 HKLM\SYSTEM\CS2\Services\Tcpip\..\{EC526106-6568-430D-AF4D-CA242E23CCF2}: NameServer=194.54.90.226 HKLM\SYSTEM\CS2\Services\Tcpip\..\{F4C98A1A-231B-440F-96E3-9B8AE343C12D}: NameServer=194.54.90.226 HKLM\SYSTEM\CS2\Services\Tcpip\..\{F7C138B6-0E31-47D6-B621-DB3947C11B51}: NameServer=194.54.90.226 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.254.254 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.254.254 HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.254.254 »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End --------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 1:13:15 AM 5/6/2007 + Scan result: C:\Program Files\Common Files\{383AC32E-063C-1033-1002-051114200001}\UnInstall.exe -> Adware.888Bar : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP167\A0048024.dll -> Adware.888Bar : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP167\A0048025.dll -> Adware.888Bar : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP167\A0048026.dll -> Adware.888Bar : Cleaned with backup (quarantined). C:\Program Files\psquery\psquery.sys -> Adware.Agent : Cleaned with backup (quarantined). C:\Program Files\psquery\psquery.exe -> Adware.CASClient : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP167\A0048028.dll -> Adware.CommAd : Cleaned with backup (quarantined). HKU\S-1-5-21-1211087018-2521367776-381441324-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44D22A64-2399-4EDF-8B32-F2C729C1E8A7} -> Adware.HQVideoCodec : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP130\A0044234.dll -> Adware.PurityScan : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP130\A0044293.exe -> Adware.PurityScan : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP136\A0044638.exe -> Adware.PurityScan : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP167\A0048020.exe -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP167\A0048027.exe -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP167\A0048021.dll -> Adware.TargetServer : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP131\A0044318.exe -> Adware.WebHancer : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP132\A0044328.dll -> Adware.WebHancer : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP132\A0044329.dll -> Adware.WebHancer : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP148\A0046311.dll -> Adware.WebHancer : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP148\A0046312.exe -> Adware.WebHancer : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP130\A0044239.exe -> Downloader.PurityScan.eg : Cleaned with backup (quarantined). C:\SDFix\backups_old1\U.exe -> Downloader.Tiny.fy : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP170\A0050200.exe -> Downloader.Tiny.fy : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP167\A0048023.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined). C:\Program Files\Common Files\kwkf\kwkfd\vocabulary -> Downloader.TSUpdate.j : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP167\A0048022.exe -> Downloader.TSUpdate.p : Cleaned with backup (quarantined). C:\SDFix\backups_old1\core.sys -> Rootkit.Agent.eq : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP170\A0050204.sys -> Rootkit.Agent.eq : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP130\A0044233.exe -> Trojan.PurityAd : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP159\A0047588.exe -> Trojan.Rond : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP130\A0044235.exe -> Trojan.Small : Cleaned with backup (quarantined). C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP136\A0044633.exe -> Trojan.Small : Cleaned with backup (quarantined). C:\WINDOWS\UFNQIA\oIhkKE.vbs -> Trojan.Small : Cleaned with backup (quarantined). C:\WINDOWS\system32\wnsapiit.exe -> Trojan.Small : Cleaned with backup (quarantined). ::Report end

#7 Cigar

New Member

New Member
7 posts

Posted 06 May 2007 - 12:47 AM

Bob4, Here is part 2.

Logfile of HijackThis v1.99.1
Scan saved at 1:40:16 AM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\documents and settings\all users\documents\eTrust PestPatrol\PPActiveDetection.exe
C:\Documents and Settings\PSP\My Documents\Frontiernet\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\documents and settings\psp\my documents\frontiernet\eTrust EZ Firewall\ca.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\PSP\My Documents\My Music\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Documents and Settings\PSP\My Documents\Malware Software\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\pasystem\pasystem.exe
C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe
C:\Documents and Settings\PSP\My Documents\Treo My Documents\Wcescomm.exe
C:\Documents and Settings\PSP\My Documents\Malware Software\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\All Users\Documents\Distillr\AcroTray.exe
C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\rapimgr.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\documents and settings\all users\documents\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PSP\MYDOCU~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo RX500 on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P38 "Auto EPSON Stylus Photo RX500 on ANTEC" /O16 "\\ANTEC\Printer3" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [eTrustPPAP] "C:\documents and settings\all users\documents\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "c:\Documents and Settings\PSP\My Documents\Frontiernet\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "c:\documents and settings\psp\my documents\frontiernet\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\PSP\My Documents\My Music\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\PSP\My Documents\Malware Software\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PaSystem] "C:\Program Files\pasystem\pasystem.exe"
O4 - HKCU\..\Run: [SpriteService] "C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Documents and Settings\PSP\My Documents\Treo My Documents\Wcescomm.exe"
O4 - Global Startup: Acrobat Assistant.lnk = Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\DOCUME~1\ALLUSE~1\DOCUME~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{546CE1EB-57D3-4249-A20D-73D06E654FDF}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF9B7014-A4AA-4F04-B1AA-2C26CB6282F8}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7D871DF-2CBE-4E42-A532-C6B52A6DAF52}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC526106-6568-430D-AF4D-CA242E23CCF2}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C98A1A-231B-440F-96E3-9B8AE343C12D}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7C138B6-0E31-47D6-B621-DB3947C11B51}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\..\{546CE1EB-57D3-4249-A20D-73D06E654FDF}: NameServer = 194.54.90.226
O17 - HKLM\System\CS2\Services\Tcpip\..\{546CE1EB-57D3-4249-A20D-73D06E654FDF}: NameServer = 194.54.90.226
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Documents and Settings\PSP\My Documents\Malware Software\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

"PSP" - 07-05-06 1:29:47 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\PSP\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\IExplorer.dll .dbt
C:\WINDOWS\notedad.exe
C:\Program Files\Common Files\{383AC~1
C:\Program Files\Common Files\{383AC~2
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\PSP
C:\qoobox\purity\C\DOCUME~1\PSP\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\PSP\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\PSP\APPLIC~1\FNTS~1
C:\qoobox\purity\C\DOCUME~1\PSP\MYDOCU~1\YMBOLS~1
C:\qoobox\purity\C\Program Files\CROSOF~1.NET
C:\qoobox\purity\C\Program Files\YMBOLS~1
C:\qoobox\purity\C\WINDOWS\YMBOLS~1
C:\qoobox\purity\C\WINDOWS\system32\MANTEC~1

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_NETWORK_MONITOR

((((((((((((((((((((((((((((((( Files Created from 2007-04-06 to 2007-05-06 ))))))))))))))))))))))))))))))))))

2007-05-05 23:42 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-05 23:17 <DIR> d-------- C:\!KillBox
2007-05-05 22:26 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-03 21:28 5,956 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-03 11:38 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-05-03 11:28 380,416 --a------ C:\WINDOWS\system32\rstrui.exe
2007-04-30 21:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-27 16:15 32,768 --a------ C:\WINDOWS\system32\mp43.exe
2007-04-17 07:26 <DIR> d-------- C:\Program Files\pasystem
2007-04-06 22:23 <DIR> d-------- C:\Program Files\AdSponsorCL

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-06 01:13 -------- d-------- C:\Program Files\psquery
2007-04-23 21:34 44664 --a------ C:\DOCUME~1\PSP\APPLIC~1\gdipfontcachev1.dat
2007-03-28 23:25 -------- d-------- C:\Program Files\ipod
2007-03-20 00:34 122 --a------ C:\ss_udp2.dat
2007-03-20 00:34 122 --a------ C:\ss_udp.dat
2007-03-20 00:34 122 --a------ C:\ss_nb.dat
2007-03-08 15:50 -------- d-------- C:\Program Files\quicktime
2007-02-23 17:53 0 --a------ C:\WINDOWS\brdfxspd.dat
2007-02-21 18:28 3732 --a------ C:\WINDOWS\mozver.dat
2007-02-21 16:20 50 --a------ C:\WINDOWS\system32\bridf06a.dat
2007-02-13 15:17 1024 --a------ C:\DOCUME~1\PSP\APPLIC~1\wavcodec.wff

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} c:\documents and settings\all users\documents\Acrobat\ActiveX\AcroIEHelper.ocx
{53707962-6F74-2D53-2644-206D7942484F} C:\DOCUME~1\PSP\MYDOCU~1\SPYBOT~1\SDHelper.dll
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"EPSON Stylus Photo RX500"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2K1.EXE /P24 \"EPSON Stylus Photo RX500\" /O6 \"USB001\" /M \"Stylus Photo RX500\""
"Auto EPSON Stylus Photo RX500 on ANTEC"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2K1.EXE /P38 \"Auto EPSON Stylus Photo RX500 on ANTEC\" /O16 \"\\\\ANTEC\\Printer3\" /M \"Stylus Photo RX500\""
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"eTrustPPAP"="\"C:\\documents and settings\\all users\\documents\\eTrust PestPatrol\\PPActiveDetection.exe\""
"QOELOADER"="\"c:\\Documents and Settings\\PSP\\My Documents\\Frontiernet\\eTrust Anti-Spam\\QSP-2.1.215.5\\QOELoader.exe\""
"Zone Labs Client"="\"c:\\documents and settings\\psp\\my documents\\frontiernet\\eTrust EZ Firewall\\ca.exe\""
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"PaperPort PTD"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
"IndexSearch"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
"BrMfcWnd"="C:\\Program Files\\Brother\\Brmfcmon\\BrMfcWnd.exe /AUTORUN"
"ControlCenter3"="C:\\Program Files\\Brother\\ControlCenter3\\brctrcen.exe /autorun"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Documents and Settings\\PSP\\My Documents\\My Music\\iTunes\\iTunesHelper.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"!AVG Anti-Spyware"="\"C:\\Documents and Settings\\PSP\\My Documents\\Malware Software\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Nero\\data\\Xtras\\mssysmgr.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PaSystem"="\"C:\\Program Files\\pasystem\\pasystem.exe\""
"SpriteService"="\"C:\\Program Files\\Sprite Software\\Sprite Backup\\SpriteService.exe\""
"H/PC Connection Agent"="\"C:\\Documents and Settings\\PSP\\My Documents\\Treo My Documents\\Wcescomm.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{04DCB78C-AB45-83AD-A86A-6DFB90277939}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\
Notification Packages REG_MULTI_SZ scecli\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
bthsvcs REG_MULTI_SZ BthServ\

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a63858d2-afe2-11da-9e05-0010c691481d}]
Shell\AutoRun\command F:\setupSNK.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\PPv5Scan_Daily as PSP at 10 00 PM.job
C:\WINDOWS\tasks\PPv5Scan_Daily as PSP at 9 17 AM.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-06 01:33:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-05-06 1:33:14
C:\ComboFix-quarantined-files.txt ... 07-05-06 01:33

#8 bob4

MalwareTeam Emeritus

Authentic Member
2,205 posts

Posted 06 May 2007 - 06:46 AM

____________________________
Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\mp43.exe

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

_________________________________
Please do an online scan with Kaspersky Online Scanner
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan select My Computer

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.

_____________________________
Submit 3 files to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste these filepaths: 1 at a time.
Get the results for each.

C:\ss_udp2.dat
C:\ss_udp.dat
C:\ss_nb.dat

Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustota...l/index_en.html

___________________________
In your next reply I would like to see:

A new HJT log
The report from Jottis/Virus total
The report from Kasperskys.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#9 Cigar

New Member

New Member
7 posts

Posted 06 May 2007 - 10:52 PM

Bob4, Here are the next results.

Logfile of HijackThis v1.99.1
Scan saved at 11:41:56 PM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\PSP\My Documents\Malware Software\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\documents and settings\all users\documents\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Apoint\Apntex.exe
C:\Documents and Settings\PSP\My Documents\Frontiernet\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\documents and settings\psp\my documents\frontiernet\eTrust EZ Firewall\ca.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\PSP\My Documents\My Music\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\PSP\My Documents\Malware Software\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\pasystem\pasystem.exe
C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe
C:\Documents and Settings\PSP\My Documents\Treo My Documents\Wcescomm.exe
C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\rapimgr.exe
C:\Documents and Settings\All Users\Documents\Distillr\AcroTray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\documents and settings\all users\documents\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PSP\MYDOCU~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo RX500 on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P38 "Auto EPSON Stylus Photo RX500 on ANTEC" /O16 "\\ANTEC\Printer3" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [eTrustPPAP] "C:\documents and settings\all users\documents\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "c:\Documents and Settings\PSP\My Documents\Frontiernet\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "c:\documents and settings\psp\my documents\frontiernet\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\PSP\My Documents\My Music\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\PSP\My Documents\Malware Software\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PaSystem] "C:\Program Files\pasystem\pasystem.exe"
O4 - HKCU\..\Run: [SpriteService] "C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Documents and Settings\PSP\My Documents\Treo My Documents\Wcescomm.exe"
O4 - Global Startup: Acrobat Assistant.lnk = Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\DOCUME~1\ALLUSE~1\DOCUME~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\DOCUME~1\PSP\MYDOCU~1\TREOMY~1\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1178499354625
O17 - HKLM\System\CCS\Services\Tcpip\..\{546CE1EB-57D3-4249-A20D-73D06E654FDF}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF9B7014-A4AA-4F04-B1AA-2C26CB6282F8}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7D871DF-2CBE-4E42-A532-C6B52A6DAF52}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC526106-6568-430D-AF4D-CA242E23CCF2}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C98A1A-231B-440F-96E3-9B8AE343C12D}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7C138B6-0E31-47D6-B621-DB3947C11B51}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\..\{546CE1EB-57D3-4249-A20D-73D06E654FDF}: NameServer = 194.54.90.226
O17 - HKLM\System\CS2\Services\Tcpip\..\{546CE1EB-57D3-4249-A20D-73D06E654FDF}: NameServer = 194.54.90.226
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Documents and Settings\PSP\My Documents\Malware Software\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

______________________________________________________________________________________________________________________________________

ss_udp2.dat result

Last file scanned at least one scanner reported something about: TMPGEnc.exe (MD5: 7c858ecd540ce19c0c3af98d06b07492, size: 885760 bytes), detected by:

Scan taken on 07 May 2007 04:31:15 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Scanner Malware name
A-Squared X
AntiVir X
ArcaVir X
Avast Win32:Delf-AF
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Rising Antivirus X
VirusBuster X
VBA32 X

ss_udp.dat result

Scan taken on 07 May 2007 04:36:50 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Scanner Malware name
A-Squared X
AntiVir HEUR/Crypted
ArcaVir X
Avast Win32:Agent-BHU
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
F-Secure Anti-Virus Packed.Win32.CryptExe
Fortinet X
Kaspersky Anti-Virus Packed.Win32.CryptExe
NOD32 X
Norman Virus Control X
Panda Antivirus X
Rising Antivirus X
VirusBuster X
VBA32 Backdoor.Dragonbot.1

ss_nb.dat result

Scan taken on 07 May 2007 04:38:48 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Scanner Malware name
A-Squared X
AntiVir HEUR/Crypted
ArcaVir X
Avast Win32:Agent-BHU
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
F-Secure Anti-Virus Packed.Win32.CryptExe
Fortinet X
Kaspersky Anti-Virus Packed.Win32.CryptExe
NOD32 X
Norman Virus Control X
Panda Antivirus X
Rising Antivirus X
VirusBuster X
VBA32 Backdoor.Dragonbot.1

_________________________________________________________________________________________________________________________________

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 06, 2007 11:28:36 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 7/05/2007
Kaspersky Anti-Virus database records: 314065
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 63490
Number of viruses found: 6
Number of infected objects: 10 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:01:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys81fc2c5fb8db8326ccc7f0c4858efbb_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeyse6b607eb838585bf6ee8e07ae94e17d_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\35b1210d269e8b4f7f00ff5ee8b42f3d_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3f003994f1d8fe4840d483d878d6237e_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\52ab47692faacfe3903f2b1dab8d006f_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5397eddb1ba243440a4ca47e45bab85a_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\60ddb14d4cde391fecfaac6505ac836f_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7187d63dbd1852744a4ae7dac4ab2a2e_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7623c631d5c80b7fb322a92970610be2_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c841bea59d70e6781b6a1162e155cfae_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-05052007-222632.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\PSP\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\PSP\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\PSP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\PSP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\PSP\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{0FD873C3-8270-45C2-B6F4-B5B39CF86E70} Object is locked skipped
C:\Documents and Settings\PSP\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\PSP\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\PSP\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\PSP\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\PSP\My Documents\Malware Software\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\PSP\My Documents\Malware Software\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\PSP\My Documents\Malware Software\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\PSP\My Documents\My Mobile Device Backups\SpriteLog.txt Object is locked skipped
C:\Documents and Settings\PSP\ntuser.dat Object is locked skipped
C:\Documents and Settings\PSP\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP130\A0044256.exe Infected: not-a-virus:RiskTool.Win32.Starter.a skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP173\A0051457.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP173\A0051458.exe Infected: Trojan-Downloader.Win32.Tiny.fy skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP173\A0051462.exe Infected: not-a-virus:AdWare.Win32.CASClient.l skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP173\A0051463.sys Infected: not-a-virus:AdWare.Win32.Agent.br skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP173\A0052529.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP173\A0052554.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP174\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\CIGAR.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{53DF52D3-D991-46EA-9D61-ECAB1A744022}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_370.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT0174c.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#10 bob4

MalwareTeam Emeritus

Authentic Member
2,205 posts

Posted 07 May 2007 - 04:43 AM

The only thing Kasperskys found were in restore points which we will deal with in a bit. They are safe there for now.

______________________________
You have iTunesHelper.exe running at Startup. iTunesHelper.exe is a process belonging to Itunes MP3 streaming tool
by Apple which allows you to play MP3's. This process speeds up iTunes when it starts, and the program also monitors
for connected iPod devices. This program is not required to start automatically as you can start it manually if you need it.
It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis.
This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
____________________________
You have QuickTime running at Startup. This is QuickTime's system tray icon and not necessary for the program to function properly. It is considered to be a resource hog.
You will still be able to start it manually if you need it. You can fix this with HijackThis, but you will need to change the setting in QuickTime
Player itself to keep it from resetting itself.. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

Post 1 last HJT log and let me know how things seem to be running.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#11 Cigar

New Member

New Member
7 posts

Posted 07 May 2007 - 09:13 PM

Bob4, I can't even get to a webpage now on the infected computer. It takes me to unrelated websites no matter what I type. this happens in the Google search or the address bar with a direct url. I am at the end of my rope. Your help has been great, but my patience with the person that created this has run out. I am in the process of taking my pictures off, and wiping the machine clean and putting in a freah install of Windows. I had to reply to this post on my work computer. Thanks again.-cigar

#12 bob4

MalwareTeam Emeritus

Authentic Member
2,205 posts

Posted 08 May 2007 - 04:40 AM

this topic will be closed. If you need help please start a new thread and post a new HJT log

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Body Background

skin color theme