Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93105 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Riyo Codec - Reports


  • This topic is locked This topic is locked
4 replies to this topic

#1 inert_goo

inert_goo

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 20 October 2007 - 03:50 AM

These are the reports from the two applications. Fixwareout and Hijackthis.

Username "Dimitris" - 20/10/2007 12:21:24 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdweo.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.54 85.255.112.23" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1DF3667B-0AE1-4A0F-B068-E37B813FCB79}
"nameserver"="85.255.115.54,85.255.112.23" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{6D18EF8B-FE3C-43EF-BF73-3186B0475C4B}
"nameserver"="85.255.115.54,85.255.112.23" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{702B6DC3-D56E-4F64-8643-CE80443BC31A}
"nameserver"="85.255.115.54,85.255.112.23" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{7319B430-39BB-4D96-A7CD-B200A464D97F}
"nameserver"="85.255.115.54,85.255.112.23" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{E507937E-50E6-4171-94E8-633EE79ABDED}
"nameserver"="85.255.115.54,85.255.112.23" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F09A706F-BC9F-433C-901B-E6C5B9E7A959}
"nameserver"="85.255.115.54,85.255.112.23" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1DF3667B-0AE1-4A0F-B068-E37B813FCB79}
"DhcpNameServer"="85.255.115.54,85.255.112.23" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{6D18EF8B-FE3C-43EF-BF73-3186B0475C4B}
"DhcpNameServer"="85.255.115.54,85.255.112.23" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{702B6DC3-D56E-4F64-8643-CE80443BC31A}
"DhcpNameServer"="85.255.115.54,85.255.112.23" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{7319B430-39BB-4D96-A7CD-B200A464D97F}
"DhcpNameServer"="85.255.115.54,85.255.112.23" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{E507937E-50E6-4171-94E8-633EE79ABDED}
"DhcpNameServer"="85.255.115.54,85.255.112.23" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F09A706F-BC9F-433C-901B-E6C5B9E7A959}
"DhcpNameServer"="85.255.115.54,85.255.112.23" <Value cleared.

Πέτυχε η εκκένωση της μνήμης cache Ανάλυσης DNS.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdweo.ren 72285 04/09/2004

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"Ai Quicker Help"="\"C:\\Program Files\\ASUS\\ASUS DH Remote\\AsRc.exe\""
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Logfile of HijackThis v1.99.1
Scan saved at 12:40:27 μμ, on 20/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ASUS\ASUS DH Remote\AsDhRemote.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dimitris\Επιφάνεια εργασίας\VIF\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Ai Quicker Help] "C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maps.flash.gr...ex/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170877290812
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DF3667B-0AE1-4A0F-B068-E37B813FCB79}: NameServer = 85.255.115.54,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D18EF8B-FE3C-43EF-BF73-3186B0475C4B}: NameServer = 85.255.115.54,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{702B6DC3-D56E-4F64-8643-CE80443BC31A}: NameServer = 85.255.115.54,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{7319B430-39BB-4D96-A7CD-B200A464D97F}: NameServer = 85.255.115.54,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{E507937E-50E6-4171-94E8-633EE79ABDED}: NameServer = 195.170.0.1,195.170.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{F09A706F-BC9F-433C-901B-E6C5B9E7A959}: NameServer = 85.255.115.54,85.255.112.23
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.54 85.255.112.23
O17 - HKLM\System\CS3\Services\Tcpip\..\{1DF3667B-0AE1-4A0F-B068-E37B813FCB79}: NameServer = 85.255.115.54,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.54 85.255.112.23
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

My computer also runs a little slow. I'd be glad if you could help me.

    Advertisements

Register to Remove


#2 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 20 October 2007 - 01:25 PM

Welcome to the forum.

Enable hidden files:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK" (reverse this procedure when we are done)

---------------

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
Power Manager (PowerManager)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don´t find this service listed go ahead with the next steps.

--------------

Close ALL programs down, leaving ONLY HijackThis running - Click Scan and.....
Place a check against the following items if found:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DF3667B-0AE1-4A0F-B068-E37B813FCB79}: NameServer = 85.255.115.54,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D18EF8B-FE3C-43EF-BF73-3186B0475C4B}: NameServer = 85.255.115.54,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{702B6DC3-D56E-4F64-8643-CE80443BC31A}: NameServer = 85.255.115.54,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{7319B430-39BB-4D96-A7CD-B200A464D97F}: NameServer = 85.255.115.54,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{F09A706F-BC9F-433C-901B-E6C5B9E7A959}: NameServer = 85.255.115.54,85.255.112.23
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.54 85.255.112.23
O17 - HKLM\System\CS3\Services\Tcpip\..\{1DF3667B-0AE1-4A0F-B068-E37B813FCB79}: NameServer = 85.255.115.54,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.54 85.255.112.23
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Click on Fix Checked and exit HijackThis.

-----------------

Go to Start > Run and paste this command into the open field hitting OK

sc delete PowerManager

---------------

Delete this file if found:
C:\WINDOWS\svchost.exe <----watch the locations, the good one is in C:\WINDOWS\SYSTEM32\

--------------------

Please do this for me..........
Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free...mitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

Post a fresh HJT log and the rapport.txt.

MrC


#3 inert_goo

inert_goo

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 21 October 2007 - 07:58 AM

Thank you very much for your help...

Here are the two new logs from hijackthis and smitfraudfix

Logfile of HijackThis v1.99.1
Scan saved at 4:54:26 μμ, on 21/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Dimitris\Επιφάνεια εργασίας\VIF\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Ai Quicker Help] "C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maps.flash.gr...ex/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170877290812
O17 - HKLM\System\CCS\Services\Tcpip\..\{E507937E-50E6-4171-94E8-633EE79ABDED}: NameServer = 195.170.0.1,195.170.2.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


SmitFraudFix v2.240

Scan done at 16:52:30,06, ‰¬¨ 21/10/2007
Run from C:\Documents and Settings\Dimitris\„§ ­α¤œ ˜ œ¨š˜©ε˜\SmitfraudFix
OS: Microsoft Windows XP [λ΅›¦©ž 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dimitris


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dimitris\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Dimitris\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="’¨β®¦¬©˜ ˜¨® ΅γ ©œΆε›˜"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller - Πακέτο χρονοδιαγράμματος Miniport
DNS Server Search Order: 195.170.0.1
DNS Server Search Order: 195.170.2.2

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1DF3667B-0AE1-4A0F-B068-E37B813FCB79}: DhcpNameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6D18EF8B-FE3C-43EF-BF73-3186B0475C4B}: DhcpNameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CCS\Services\Tcpip\..\{702B6DC3-D56E-4F64-8643-CE80443BC31A}: DhcpNameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7319B430-39BB-4D96-A7CD-B200A464D97F}: DhcpNameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E507937E-50E6-4171-94E8-633EE79ABDED}: NameServer=195.170.0.1,195.170.2.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F09A706F-BC9F-433C-901B-E6C5B9E7A959}: DhcpNameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CS1\Services\Tcpip\..\{702B6DC3-D56E-4F64-8643-CE80443BC31A}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1DF3667B-0AE1-4A0F-B068-E37B813FCB79}: DhcpNameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6D18EF8B-FE3C-43EF-BF73-3186B0475C4B}: DhcpNameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6D18EF8B-FE3C-43EF-BF73-3186B0475C4B}: NameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{702B6DC3-D56E-4F64-8643-CE80443BC31A}: DhcpNameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{702B6DC3-D56E-4F64-8643-CE80443BC31A}: NameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7319B430-39BB-4D96-A7CD-B200A464D97F}: DhcpNameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7319B430-39BB-4D96-A7CD-B200A464D97F}: NameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E507937E-50E6-4171-94E8-633EE79ABDED}: NameServer=195.170.0.1,195.170.2.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F09A706F-BC9F-433C-901B-E6C5B9E7A959}: DhcpNameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F09A706F-BC9F-433C-901B-E6C5B9E7A959}: NameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1DF3667B-0AE1-4A0F-B068-E37B813FCB79}: DhcpNameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6D18EF8B-FE3C-43EF-BF73-3186B0475C4B}: DhcpNameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CS3\Services\Tcpip\..\{702B6DC3-D56E-4F64-8643-CE80443BC31A}: DhcpNameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7319B430-39BB-4D96-A7CD-B200A464D97F}: DhcpNameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E507937E-50E6-4171-94E8-633EE79ABDED}: NameServer=195.170.0.1,195.170.2.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F09A706F-BC9F-433C-901B-E6C5B9E7A959}: DhcpNameServer=85.255.115.54,85.255.112.23
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Is the computer ok now or should I do something more?
Thanx in advance...

#4 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 21 October 2007 - 09:28 AM

Both logs look OK.....You're Good To Go!

If you have any questions - please post back

I'll leave you with........

Some Preventive Maintenance:

Some of the programs you may have run create backups of what was deleted - you can safely delete them now: (delete folders in blue) You can also delete/uninstall the programs themselves.

C:\!KillBox (KillBox)
C:\VundoFix Backups (VundoFix)
C:\QooBox (ComboFix)
C:\SDFix\backups\backups.zip (SDFix)
C:\avenger\backup.zip (Avenger)

If you used AVG Anti-Spyware and/or SuperAntiSpyware...........

Open up SuperAntiSpyware > Preferences > General and Start-up > Start-up Options > Uncheck > Start SAS when Windows Starts.
"SAS free" provides no real time protection so there's no need for it to be running, I suggest you keep the program and update regularly - you can use it to scan for malware. It's an excellent program. When you want to start it - just double click on the SAS icon.

AVG Anti-Spyware will provide 30 days of real time protection and then after that you can use it to scan for malware - you'll have to manually update it first.


------------------Must have or do:-----------------

Now that you're clean: <----Important Step!!!!
Delete your system restore files and create a new restore point (XP only):

Note: This will remove all previous Restore Points!

1. Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer,

2. Turn on System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UnCheck Turn off System Restore.
Click Apply, and then click OK.

Visit Windows Update and install all the lastest critical updates.

Install these two free programs, they sit in the backround and protect your system from spy and adware being installed on your system, also from your browser being hijacked.

SpywareBlaster Check for updates weekly.

SpywareGuard

IE-SPYAD
Puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
or try the new ZonedOut

Blocking Unwanted Parasites with a Hosts File
Direct Download - MVPS HOSTS <==> MVPS HOSTS Tutorial

Need a free anti virus?
AVG*free
Avast Free
AntiVir® PersonalEdition Classic
-->Check for updates - daily<---

How about a firewall? The front door to your computer.
Windows firewall is not suffient...install a better one.
Comodo Free Firewall
ZoneAlarm*free
Other free firewalls

Keep those temp files off your system use
ATF Cleaner - hit "select all" then just uncheck "cookies" (uncheck cookies is optional - leave it checked if you want to delete all cookies) then "empty selected"
or
CCleaner
Uncheck "Cookies" under "Internet Explorer".
That will clear out all the temp files on the system.

IMPORTANT!!
Keep your Sun Java up-to-date JRE Version 6 Update 3<--newest version
Delete ALL old versions from add/remove programs if listed first!
Check HERE

Keep the registry backed up - use ERUNT
Print this out and save it
ERUNT Tutorial

Starter Manage you startup programs and services.

----------Free malware removal programs:----------

AVG Anti-Spyware<---VERY GOOD! (XP and 2K only)
SUPERAntiSpyware (free edition)<---Excellent!
AVG Anti-Rootkit Free Edition Run it!!
SpyBot
AD-Aware
CW-Shredder

Please consider using FireFox instead of Internet Explorer. A more secure browser! Easy to make the change!
FireFox Tutorial


Pop-up stoppers:
GoogleToolBar
Pop-upStopperFree

Disable "Windows Messenger Service" XP - 2K (stops pop-up ads -etc):
Shoot The Messenger

Anti-Rootkit Software - Detection, Removal & Protection

Reduce Online Fraud

Slow Computer - Check Here

Don't open e-mail attachments without first scanning them with an up-to-date anti virus program, even after doing that I would be very careful. Don't click on any executables in e-mails or any other links that you're not sure of.
Don't believe e-mails from your bank, financial institution, etc asking for personal informations - they're most likely fraudulent no matter how authentic they look.
Watch your surfing habits, don't click on or download anything you're not sure of. Don't install a program that hasn't been recommended by a reputable organization.

Good luck and thanks for using the forum - MrC


#5 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 25 October 2007 - 04:16 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users