[Closed] Infected with Riyocodec
8 replies to this topic

#1 msce06 (New Member, 4 posts)

Posted 01 October 2007 - 12:24 AM

I downloaded and installed Riyocodec. I know my registry was changed. I ran Ad-Aware SE and it found the following three adware registries:

Adware.Agent Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Adware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{967a494a-6aec-4555-9caf-fa6eb00acf91}

Adware.Agent Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Adware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{9692be2f-eb8f-49d9-a11c-c24c1ef734d5}

Adware.Agent Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Adware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{a8954909-1f0f-41a5-a7fa-3b376d69e226}

I deleted them manually several times, but they keep coming back. I can't get rid of them. Please help. Thank you. My computer seems to be functioning OK. Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:33 AM, on 10/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
S:\AdAware\Ad-Aware SE Professional\Ad-Aware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {0D5227BF-0C5B-4EA8-833C-FE09F1496F39} - C:\WINDOWS\div32.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - S:\AdobePro8\Acrobat\AcroIEFavClient.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - S:\AdobePro8\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [AWMON] "S:\AdAware\Ad-Aware SE Professional\Ad-Watch.exe"
O8 - Extra context menu item: &Dictionary - http://files.db3nf.com/scripts/ie.htm
O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.c...cripts/ie-e.htm
O8 - Extra context menu item: Append to existing PDF - res://S:\AdobePro8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://S:\AdobePro8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://S:\AdobePro8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://S:\AdobePro8\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://S:\AdobePro8\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://S:\AdobePro8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://S:\AdobePro8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://S:\AdobePro8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.updat...b?1187855046218
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1188971084761
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1188971072745
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04ECFDC9-F5AF-4476-B4BD-DFEA42E45106}: NameServer = 70.247.191.160,4.2.2.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{04ECFDC9-F5AF-4476-B4BD-DFEA42E45106}: NameServer = 70.247.191.160,4.2.2.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O21 - SSODL: syscore - {6E407D38-8758-4A86-818E-3B0B8EA82728} - C:\WINDOWS\syscore.dll
O21 - SSODL: mssql - {5ED11195-E81E-4E07-9573-C812B4947E01} - C:\WINDOWS\mssql.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 9826 bytes

Edited by msce06, 01 October 2007 - 12:25 AM.


#2 Scotty (Authentic Member, 3,634 posts)

Posted 01 October 2007 - 05:14 AM

Hi! Welcome to the WTT forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.

Download and Run SmitfraudFix
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
You too could train to help others- Join the Classroom

#3 msce06 (New Member, 4 posts)

Posted 01 October 2007 - 02:14 PM

I ran the HijackThis Uninstall Manager and here's the list:

ACE-HIGH MP3 WAV WMA OGG Converter Ad-Aware SE Professional Adobe Acrobat 8.1.0 Professional Adobe Flash Player 9 ActiveX Adobe Flash Player Plugin Apple Mobile Device Support ArcSoft Camera Suite 2.1 ArcSoft Funhouse ArcSoft Panorama Maker 3.5 ArcSoft PhotoPrinter 4.0 ArcSoft ShowBiz DVD 2 ArcSoft ShowBiz DVD 2.0 (Shared Components) ASUSUpdate AT&T Yahoo! Applications ATI - Software Uninstall Utility ATI Catalyst Control Center ATI Display Driver ATI HYDRAVISION ATI Parental Control & Encoder ATI Problem Report Wizard Bentley IEG License Service BroadJump Client Foundation Brookstone Image Transfer 1.0 DVD Photo Slideshow Pro 6.70 DVD Suite DVD43 v3.9.0 DVD-Cover Printmaster 1.2 Easy CD-DA Extractor 10 FreeRIP v3.00 GameShadow HijackThis 2.0.2 Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB914440) Hotfix for Windows XP (KB915865) Hotfix for Windows XP (KB926239) HP Deskjet 6900 series HP Imaging Device Functions 6.0 HP My Display HP Photosmart Essential HP Software Update HP Solution Center and Imaging Support Tools 6.0 IconForge beta version 7.20 iTunes LMReaders Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft .NET Framework 2.0 Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office Access MUI (English) 2007 Microsoft Office Access Setup Metadata MUI (English) 2007 Microsoft Office Enterprise 2007 Microsoft Office Enterprise 2007 Microsoft Office Excel MUI (English) 2007 Microsoft Office Groove MUI (English) 2007 Microsoft Office Groove Setup Metadata MUI (English) 2007 Microsoft Office InfoPath MUI (English) 2007 Microsoft Office OneNote MUI (English) 2007 Microsoft Office Outlook MUI (English) 2007 Microsoft Office PowerPoint MUI (English) 2007 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (English) 2007 Microsoft Office Publisher MUI (English) 2007 Microsoft Office Shared MUI (English) 2007 Microsoft Office Shared Setup Metadata MUI (English) 2007 Microsoft Office Word MUI (English) 2007 Microsoft User-Mode Driver Framework Feature Pack 1.0 Mozilla Firefox (2.0.0.6) Mozilla Firefox (2.0.0.7) MSXML 4.0 SP2 (KB936181) Nero Media Player Nero PhotoShow Express Nero Suite NVIDIA Drivers Photo Story 3 for Windows PhotoMontage 2000 Pivot Software PowerDVD PowerISO PowerProducer QuickTime Realtek AC'97 Audio RISA-2D Educational SBC Self Support Tool SDK Search Assistant - My Search Security Update for Excel 2007 (KB936509) Security Update for Microsoft .NET Framework 2.0 (KB928365) Security Update for Office 2007 (KB934062) Security Update for Office 2007 (KB936514) Security Update for Publisher 2007 (KB936646) Security Update for the 2007 Microsoft Office System (KB936960) Security Update for Windows Internet Explorer 7 (KB937143) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB913580) Security Update for Windows XP (KB914388) Security Update for Windows XP (KB914389) Security Update for Windows XP (KB917953) Security Update for Windows XP (KB918118) Security Update for Windows XP (KB918439) Security Update for Windows XP (KB919007) Security Update for Windows XP (KB920213) Security Update for Windows XP (KB920670) Security Update for Windows XP (KB920683) Security Update for Windows XP (KB920685) Security Update for Windows XP (KB921503) Security Update for Windows XP (KB922819) Security Update for Windows XP (KB923191) Security Update for Windows XP (KB923414) Security Update for Windows XP (KB923980) Security Update for Windows XP (KB924270) Security Update for Windows XP (KB924667) Security Update for Windows XP (KB925902) Security Update for Windows XP (KB926255) Security Update for Windows XP (KB926436) Security Update for Windows XP (KB927779) Security Update for Windows XP (KB927802) Security Update for Windows XP (KB928255) Security Update for Windows XP (KB928843) Security Update for Windows XP (KB929123) Security Update for Windows XP (KB930178) Security Update for Windows XP (KB931261) Security Update for Windows XP (KB931784) Security Update for Windows XP (KB932168) Security Update for Windows XP (KB935839) Security Update for Windows XP (KB935840) Security Update for Windows XP (KB936021) Security Update for Windows XP (KB938829) Spy Sweeper STAAD.Pro 20.07.01.01 SureThing CD Labeler Deluxe 4 Update for Office 2007 (KB932080) Update for Office 2007 (KB934391) Update for Office 2007 (KB934393) Update for Outlook 2007 (KB937608) Update for Outlook 2007 Junk Email Filter (kb936644) Update for Windows XP (KB894391) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB904942) Update for Windows XP (KB908531) Update for Windows XP (KB910437) Update for Windows XP (KB911280) Update for Windows XP (KB916595) Update for Windows XP (KB920872) Update for Windows XP (KB922582) Update for Windows XP (KB927891) Update for Windows XP (KB930916) Update for Windows XP (KB931836) Update for Windows XP (KB933360) Update for Windows XP (KB936357) Update for Windows XP (KB938828) Update for Word 2007 (KB934173) Video Access Codec v1.4 Visual IP InSight(SBC) WebVideo Support Windows Driver Package - (mr7910) Image 08/08/2006 1.4.0.0 Windows Installer 3.1 (KB893803) Windows Internet Explorer 7 Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Player 11 Windows Media Player 11 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB891781 Windows XP Service Pack 2

I ran SmitFraudFix and here's the log:

SmitFraudFix v2.234
Scan done at 14:56:08.98, Mon 10/01/2007
Run from M:\downloads\New Folder (2)\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
S:\AdAware\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
M:\downloads\Webroot Spy Sweeper 5.5.1 Build 3354\Installation Folder\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\wscntfy.exe
M:\downloads\Webroot Spy Sweeper 5.5.1 Build 3354\Installation Folder\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
M:\downloads\Webroot Spy Sweeper 5.5.1 Build 3354\Installation Folder\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\div32.dll FOUND !
C:\WINDOWS\main_uninstaller.exe FOUND !
C:\WINDOWS\mssql.dll FOUND !
C:\WINDOWS\syscore.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\michael

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\michael\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\michael\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\michael\Desktop\Error Cleaner.url FOUND !
C:\DOCUME~1\michael\Desktop\Privacy Protector.url FOUND !
C:\DOCUME~1\michael\Desktop\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\VideoAccessCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 70.247.191.160
DNS Server Search Order: 4.2.2.3

HKLM\SYSTEM\CCS\Services\Tcpip\..\{04ECFDC9-F5AF-4476-B4BD-DFEA42E45106}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{04ECFDC9-F5AF-4476-B4BD-DFEA42E45106}: NameServer=70.247.191.160,4.2.2.3
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9BD3DDD8-00D8-49EA-8B3E-98E80475B950}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{04ECFDC9-F5AF-4476-B4BD-DFEA42E45106}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{04ECFDC9-F5AF-4476-B4BD-DFEA42E45106}: NameServer=70.247.191.160,4.2.2.3
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

I'm getting a lot of pop-up windows warning me that my computer is infected with a virus called trojan.w32.looksy. Then I'm directed to some "antivirus" web site. I noticed that I have three unknown shortcuts on my desktop: Error Cleaner, Privacy Protector, and SpyWare and Protection. I also noticed that there's a new program installed on my computer called video access codec, but I can't uninstall it. I ran my antivirus software, Ad-Aware SE, and Spy Sweeper, and none of them found anything.
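As an added example that is not part of this thread or of either tool, the script below parses the HijackThis entries from the first post and the SmitfraudFix FOUND lines from this post, then reports which autostart hooks (O2 BHO, O4 Run, O21 SSODL) load a file SmitfraudFix flagged, which flagged files no hook loads, and which O17 NameServer values are static overrides that DHCP did not hand out. The sample logs inside it are constructed from lines quoted in the thread.

```python
"""Cross-check HijackThis autostart hooks against SmitfraudFix findings.

Added example, not code from the thread or from either tool; both sample
logs below are constructed from lines quoted in the thread.
"""
import re

# Constructed sample: HijackThis lines taken from the first post.
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {0D5227BF-0C5B-4EA8-833C-FE09F1496F39} - C:\WINDOWS\div32.dll
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{04ECFDC9-F5AF-4476-B4BD-DFEA42E45106}: NameServer = 70.247.191.160,4.2.2.3
O21 - SSODL: syscore - {6E407D38-8758-4A86-818E-3B0B8EA82728} - C:\WINDOWS\syscore.dll
O21 - SSODL: mssql - {5ED11195-E81E-4E07-9573-C812B4947E01} - C:\WINDOWS\mssql.dll
"""

# Constructed sample: SmitfraudFix option-1 lines taken from the third post.
SFF_LOG = r"""
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\div32.dll FOUND !
C:\WINDOWS\main_uninstaller.exe FOUND !
C:\WINDOWS\mssql.dll FOUND !
C:\WINDOWS\syscore.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\VideoAccessCodec\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{04ECFDC9-F5AF-4476-B4BD-DFEA42E45106}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{04ECFDC9-F5AF-4476-B4BD-DFEA42E45106}: NameServer=70.247.191.160,4.2.2.3
"""

HJT_ENTRY = re.compile(r"^(O\d+|R\d) - (.*)$")
FOUND = re.compile(r"^(.*?) FOUND !$")
DHCP_NS = re.compile(r"DhcpNameServer\s*=\s*([\d. ]+)")
STATIC_NS = re.compile(r"(?<!Dhcp)NameServer\s*=\s*([\d.,]+)")  # skips DhcpNameServer=


def parse_hjt(text):
    """Return [(section, body, loaded_path)]; only O2/O21/O4 carry a path."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        path = None
        if section in ("O2", "O21"):
            # '<kind>: <name> - {CLSID} - <path>': the path is the last field
            path = body.rsplit(" - ", 1)[-1].strip()
        elif section == "O4":
            # '<hive>\..\Run: [<name>] <command>': keep the executable only
            cmd = body.split("] ", 1)[-1].strip()
            path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        entries.append((section, body, path))
    return entries


def parse_smitfraud(text):
    """Return (lower-cased set of FOUND paths, {'dhcp': [...], 'static': [...]})."""
    found, dns = set(), {"dhcp": [], "static": []}
    for line in text.splitlines():
        line = line.strip()
        m = FOUND.match(line)
        if m:
            found.add(m.group(1).strip().rstrip("\\").lower())
        elif DHCP_NS.search(line):
            dns["dhcp"].extend(DHCP_NS.search(line).group(1).split())
        elif STATIC_NS.search(line):
            dns["static"].extend(STATIC_NS.search(line).group(1).split(","))
    return found, dns


def correlate(entries, found):
    """Autostart hooks whose loaded file SmitfraudFix flagged (the persistence)."""
    return [(sec, path) for sec, _, path in entries if path and path.lower() in found]


def unreferenced(entries, found):
    """FOUND paths loaded by no parsed hook: dropped files, shortcuts, folders."""
    loaded = {p.lower() for _, _, p in entries if p}
    return sorted(found - loaded)


def dns_overrides(entries, dns):
    """Static NameServer values (O17 lines and SmitfraudFix) DHCP did not supply."""
    static = set(dns["static"])
    for sec, body, _ in entries:
        if sec == "O17":
            m = STATIC_NS.search(body)
            if m:
                static.update(m.group(1).split(","))
    return sorted(static - set(dns["dhcp"]))


if __name__ == "__main__":
    entries = parse_hjt(HJT_LOG)
    found, dns = parse_smitfraud(SFF_LOG)
    for sec, path in correlate(entries, found):
        print(f"{sec} hook loads a flagged file: {path}")
    for path in unreferenced(entries, found):
        print(f"flagged, but no parsed hook loads it: {path}")
    for ns in dns_overrides(entries, dns):
        print(f"static DNS server not supplied by DHCP, review: {ns}")
```

On the thread's data the O2 BHO and both O21 SSODL entries resolve to files SmitfraudFix flagged; the HKCR interface and typelib keys Ad-Aware reported are COM registrations rather than load points, so a check like this points at the entries that actually start the code.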

#4 Scotty (Authentic Member, 3,634 posts)

Posted 02 October 2007 - 02:31 AM

Hi

Run Smitfraudfix
Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.


Download and Run ComboFix
  • Download this file: Here
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
Note 1: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

#5 msce06 (New Member, 4 posts)

Posted 03 October 2007 - 03:29 AM

I ran my computer in safe mode and executed option 2 of SmitfraudFix. It fixed my computer. Thank you very much for your help.

#6 Scotty (Authentic Member, 3,634 posts)

Posted 03 October 2007 - 04:51 AM

Do you not want to finish the clean up?

#7 msce06 (New Member, 4 posts)

Posted 03 October 2007 - 10:59 PM

I ran Combofix and this is the log it generated:

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\michael\Application Data\inst.exe
C:\WINDOWS\advpn.dll
C:\WINDOWS\dat.txt
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\bund1\temp.txt

.
((((((((((((((((((((((((( Files Created from 2007-09-04 to 2007-10-04 )))))))))))))))))))))))))))))))
.

2007-10-03 23:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-03 03:39 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-10-01 15:32 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-10-01 15:25 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-01 15:25 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-01 15:25 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-01 15:25 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-01 15:25 25,088 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-01 14:56 1,432 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-01 02:36 24,128 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-01 02:36 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-01 02:36 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-10-01 02:36 160,320 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-10-01 02:36 1,521,216 --a------ C:\WINDOWS\WRSetup.dll
2007-10-01 02:36 <DIR> d-------- C:\Documents and Settings\michael\Application Data\Webroot
2007-10-01 02:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-01 02:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-01 02:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-01 02:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-10-01 00:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-08 00:35 <DIR> d-------- C:\WINDOWS\system32\winsecurityxp
2007-09-05 00:32 708,608 --a------ C:\WINDOWS\system32\Resecure60.dll
2007-09-05 00:32 6,539 --a------ C:\WINDOWS\system32\WinGPDrv.dat
2007-09-05 00:32 6,535 --a------ C:\WINDOWS\system32\NGWinDrv.dat
2007-09-05 00:32 458,752 --a------ C:\WINDOWS\system32\LiveUpdate.dll
2007-09-05 00:32 1,290,240 --a------ C:\WINDOWS\system32\NGWinSys.dll
2007-09-05 00:31 <DIR> d-------- C:\Program Files\VectorDraw
2007-09-05 00:31 <DIR> d-------- C:\Program Files\Common Files\RAM Common
2007-09-05 00:30 <DIR> d-------- C:\Program Files\Common Files\Bentley Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-01 16:20 --------- d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-01 02:24 --------- d-------- C:\Documents and Settings\michael\Application Data\uTorrent
2007-09-26 20:14 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-16 23:35 --------- d-------- C:\Documents and Settings\michael\Application Data\Apple Computer
2007-09-12 14:11 --------- d-------- C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
2007-09-11 13:42 879832 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2007-09-11 13:42 74864 --a------ C:\WINDOWS\system32\VetRedir.dll
2007-09-11 13:42 26787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-09-11 13:42 21031 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-09-11 13:42 15735 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-09-11 13:42 15478 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-09-11 13:42 115824 --a------ C:\WINDOWS\UnVet32.exe
2007-09-11 13:42 111728 --a------ C:\WINDOWS\AVShlExt.dll
2007-09-11 13:42 108360 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-09-11 13:42 --------- d-------- C:\Program Files\Yahoo!
2007-09-11 13:42 --------- d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-11 13:37 --------- d-------- C:\Program Files\Common Files\Scanner
2007-08-30 00:29 --------- d-------- C:\Program Files\QuickTime
2007-08-30 00:29 --------- d-------- C:\Program Files\iPod
2007-08-30 00:29 --------- d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-08-28 23:06 --------- d-------- C:\Program Files\Hewlett-Packard
2007-08-28 23:06 --------- d-------- C:\Program Files\Common Files\HP
2007-08-28 22:50 --------- d-------- C:\Program Files\HP
2007-08-25 18:02 --------- d-------- C:\Documents and Settings\michael\Application Data\CursorArts
2007-08-25 05:27 --------- d-------- C:\Documents and Settings\michael\Application Data\Axialis
2007-08-25 04:49 --------- d-------- C:\Documents and Settings\michael\Application Data\XnView
2007-08-25 02:04 --------- d-------- C:\Documents and Settings\All Users\Application Data\Icon Constructor 3
2007-08-23 03:19 --------- d-------- C:\Program Files\MSXML 4.0
2007-08-18 03:19 --------- d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-17 19:58 --------- d-------- C:\Documents and Settings\michael\Application Data\Snapfish
2007-08-15 23:05 --------- d-------- C:\Documents and Settings\michael\Application Data\HP
2007-08-15 21:58 --------- d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-08-15 21:56 --------- d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2007-08-15 19:26 --------- d-------- C:\Program Files\Atech Flash PRO-Gear XM-4U
2007-08-09 15:11 --------- dr-h----- C:\Documents and Settings\michael\Application Data\yahoo!
2007-07-31 02:25 142696 --a------ C:\WINDOWS\system32\MicrosoftUpdateCatalogWebControl.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-09 21:45 62009 --a------ C:\WINDOWS\system32\wpfb_ati2dvag.dll
2007-06-16 04:49 47360 --a------ C:\Documents and Settings\michael\Application Data\pcouffin.sys
2007-06-16 03:32 87608 --a------ C:\Documents and Settings\michael\Application Data\ezpinst.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"IPInSightLAN 01"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 01:52]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 18:39 C:\WINDOWS\SOUNDMAN.EXE]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" []
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 10:43]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2007-09-11 13:42]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2007-09-11 13:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" []
"AWMON"="S:\AdAware\Ad-Aware SE Professional\Ad-Watch.exe" [2005-05-25 12:12]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"S:\AdobePro8\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AWMON]
"S:\AdAware\Ad-Aware SE Professional\Ad-Watch.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"S:\Daemon\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
S:\HP Printer 6980\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
"C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
S:\LGDVD\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
S:\fwupdate.exe blrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
S:\NERO6U~1\Ahead\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
S:\LGDVD\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
"RasMan"=3 (0x3)
"LightScribeService"=2 (0x2)

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R1 Pivot;Pivot;C:\WINDOWS\system32\drivers\pivot.sys
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\S:\PowerDVD 7\PowerDVD Install0.fcl
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
R3 EUCR;ENE USB Mass Storage;C:\WINDOWS\system32\DRIVERS\EUCR6SK.SYS
R3 PdiPorts;Portrait Displays low level device driver;C:\WINDOWS\system32\Drivers\PdiPorts.sys
R3 pivotmou;Pivot Mouse/Pointers Filter Driver;\??\C:\WINDOWS\system32\drivers\pivotmou.sys
S3 FreshIO;FreshIO;\??\S:\PCpitstop\FreshDiagnose\FreshIO.sys
S3 JumpShot;Lexar Media USB Compact Flash Driver;C:\WINDOWS\system32\DRIVERS\LEXAR2K.SYS
S3 pdiddcci;DDC/CI monitor;C:\WINDOWS\system32\DRIVERS\pdiddcci.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-03 23:45:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-03 23:47:13 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-03 23:47
.
--- E O F ---
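A small triage pass over three sections of the ComboFix log above, as an added example; it is not ComboFix's code and not anything the helpers in this thread produced. It parses the Run-key entries, the driver list and the Find3M file list with regexes derived from the line shapes visible in the log (an assumption about the format, not a published specification) and flags what a reviewer would otherwise pick out by eye: autostart entries where the log printed an empty `[]` in place of a file timestamp (ATICCC above), kernel driver images loaded from outside C:\WINDOWS or without a .sys extension, and executables or drivers stored under a user profile (pcouffin.sys and ezpinst.exe above). The sample input lines are copied from the log; the heuristics, and reading the empty brackets as "no timestamp shown, check by hand", are my assumptions.

```python
"""Triage pass over text sections of a ComboFix log (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from typing import List

# Sample input: lines copied from the ComboFix log posted above.
SAMPLE_RUN_KEYS = r'''
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 18:39 C:\WINDOWS\SOUNDMAN.EXE]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" []
"Yahoo! Pager"="1" []
"AWMON"="S:\AdAware\Ad-Aware SE Professional\Ad-Watch.exe" [2005-05-25 12:12]
'''
SAMPLE_DRIVERS = r'''
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\S:\PowerDVD 7\PowerDVD Install0.fcl
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 FreshIO;FreshIO;\??\S:\PCpitstop\FreshDiagnose\FreshIO.sys
'''
SAMPLE_FIND3M = r'''
2007-09-11 13:42 879832 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2007-10-01 02:24 --------- d-------- C:\Documents and Settings\michael\Application Data\uTorrent
2007-06-16 04:49 47360 --a------ C:\Documents and Settings\michael\Application Data\pcouffin.sys
2007-06-16 03:32 87608 --a------ C:\Documents and Settings\michael\Application Data\ezpinst.exe
'''

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd")

# Line shapes inferred from the log above (assumption, not a format specification).
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
DRIVER_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+)$')
FIND3M_RE = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+'
                       r'(?P<size>[\d,]+|-+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$')


@dataclass
class Finding:
    section: str  # log section the line came from
    item: str     # entry name or file path
    reason: str   # why a human should look at it


def _normalise(path: str) -> str:
    """Strip the NT object-manager prefix (\\??\\) that some driver paths carry."""
    path = path.strip()
    return path[4:] if path.startswith("\\??\\") else path


def _in_user_profile(path: str) -> bool:
    return "\\documents and settings\\" in path.lower()


def triage_run_keys(text: str) -> List[Finding]:
    """Flag Run-key autostarts with no timestamp, or with targets in profile/Temp dirs."""
    out: List[Finding] = []
    for line in text.strip().splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        name, value, stamp = m.group("name"), m.group("value"), m.group("stamp")
        if "\\" not in value and not value.lower().endswith(EXEC_EXT):
            continue  # e.g. "Yahoo! Pager"="1" is a flag value, not a file reference
        if not stamp:
            out.append(Finding("Run", name, "empty [] where a file timestamp is expected; confirm the target exists"))
        if _in_user_profile(value) or "\\temp\\" in value.lower():
            out.append(Finding("Run", name, f"autostart target under a user profile or Temp dir: {value}"))
    return out


def triage_drivers(text: str) -> List[Finding]:
    """Flag kernel drivers loaded from outside C:\\WINDOWS or without a .sys image."""
    out: List[Finding] = []
    for line in text.strip().splitlines():
        m = DRIVER_RE.match(line.strip())
        if not m:
            continue
        name, path = m.group("name"), _normalise(m.group("path"))
        if not path.lower().startswith("c:\\windows\\"):
            out.append(Finding("Drivers", name, f"driver image outside C:\\WINDOWS: {path}"))
        if not path.lower().endswith(".sys"):
            out.append(Finding("Drivers", name, f"driver image is not a .sys file: {path}"))
    return out


def triage_find3m(text: str) -> List[Finding]:
    """Flag executables and drivers that sit under a user profile directory."""
    out: List[Finding] = []
    for line in text.strip().splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        path, attrs = m.group("path").strip(), m.group("attrs")
        if attrs.startswith("d"):
            continue  # directory entry, carries no code of its own
        if path.lower().endswith(EXEC_EXT) and _in_user_profile(path):
            out.append(Finding("Find3M", path, "executable code stored under a user profile"))
    return out


def triage_all() -> List[Finding]:
    """Run all three passes over the sample sections."""
    return triage_run_keys(SAMPLE_RUN_KEYS) + triage_drivers(SAMPLE_DRIVERS) + triage_find3m(SAMPLE_FIND3M)


if __name__ == "__main__":
    for f in triage_all():
        print(f"[{f.section}] {f.item}: {f.reason}")
```

The flags are review prompts, not verdicts. Two of the driver hits here belong to software the log itself names (PowerDVD's .fcl component and FreshDiagnose's FreshIO.sys on drive S:), which is why each finding records where the image lives rather than calling it malicious; the point of the pass is to shorten the list a human has to read, not to replace the reading.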

#8 Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 04 October 2007 - 02:46 AM

Hi

We are nearly done.

Open Notepad and Copy/Paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\winsecurityxp

Save this as "CFScript"

[Image: CFScript being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      + Extended (if available, otherwise Standard)
    • Scan Options:
      + Scan Archives
      + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post with a new HijackThis log.

You too could train to help others- Join the Classroom

#9 Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 09 October 2007 - 08:30 AM

Due to inactivity, this topic will be closed. If you need help, please start a new thread and post a new HJT log.