[Resolved] I'm at Wit's End! Multiple Problems with P


This topic is locked
8 replies to this topic

#1 duke singer (New Member, 4 posts)

Posted 10 November 2007 - 10:11 PM

Hi!

I've had multiple infections over the last few months and have tried EVERYTHING to fix them. At one point, I even deleted Windows and everything else on my hard drive and then re-installed it. The latest of my problems was a virus that changed my desktop to some bright red color. After doing some research, I concluded that it was a Schmidt Fraud and downloaded a Schmidt Fraud Fix. It took care of the desktop problem; however, whenever I surf the net, I get a manila-colored line at the top of my screen (similar to the Active-X ones) saying either that my computer is infected and I should "Click Here" or sometimes just "Click Here." This was accompanied by every once in a while having my web page automatically re-directed to Privacy Guard or some porn something-or-other remover. I tried following the instructions on another thread (not having read that this isn't the most advisable course of action) and ran AVG Anti-Spyware. This hasn't helped. As per the instructions, I downloaded HijackThis and ran a scan with a report. Below please find the results. Any help you can render will be IMMENSELY! appreciated.

Thanks!

Warm Regards,

Marc


Logfile of HijackThis v1.99.1
Scan saved at 10:58:23 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
I:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
I:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\ALCXMNTR.EXE
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
I:\WINDOWS\AGRSMMSG.exe
I:\Program Files\Common Files\Real\Update_OB\realsched.exe
I:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
I:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
I:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - I:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - I:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - I:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - i:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSVPS System - {C4F4DBBD-4A4C-4B40-97DA-2FE06DBB2901} - I:\WINDOWS\bndsrwgo.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - I:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: The netadv - {F17B1418-2C0C-4295-BD55-BCDD3C730FBE} - I:\WINDOWS\netadv.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "I:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "I:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "I:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "I:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "I:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\MpcStar\Codecs\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "I:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] I:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] I:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://I:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://I:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://I:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - I:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - I:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - I:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - I:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...ol.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E18946D-062C-44D6-8A1B-953B17D36BD7}: NameServer = 205.152.144.23 205.152.132.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E18946D-062C-44D6-8A1B-953B17D36BD7}: NameServer = 205.152.144.23 205.152.132.23
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - I:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - I:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - I:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - I:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - I:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - I:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - I:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - I:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "I:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Unknown owner - I:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
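
The O2 (BHO) and O3 (Toolbar) lines in a HijackThis log are where browser hijacks like the one described in this post usually show up. The following is an added example, not code from HijackThis or from anyone in this thread: a small parser for those two line types, two triage rules an analyst applies by hand (a registered component whose file is reported missing, and a DLL sitting directly in the Windows folder rather than a vendor or system32 directory), and a before/after comparison that lists which entries disappeared between two logs. The "before" sample lines are copied from the log above; the "after" log is constructed for the demonstration by dropping one line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not part of HijackThis or of this thread): a parser for the
# O2 (BHO) and O3 (Toolbar) lines of a HijackThis log, two defender-side
# triage rules, and a before/after diff. Sample lines are copied from the
# log posted above; the "after" sample is constructed for the demonstration.

ENTRY_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# Matches a file that sits directly in the Windows folder, e.g. I:\WINDOWS\x.dll,
# but not one in a subfolder such as I:\WINDOWS\system32\.
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")


@dataclass(frozen=True)
class HjtEntry:
    section: str       # "O2" or "O3"
    kind: str          # "BHO" or "Toolbar"
    name: str          # display name as registered
    clsid: str         # COM class id in braces
    path: str          # path HijackThis resolved for the CLSID
    file_missing: bool # True when the line ends in "(file missing)"


def parse_entry(line: str) -> Optional[HjtEntry]:
    """Return an HjtEntry for an O2/O3 line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return HjtEntry(m["section"], m["kind"], m["name"], m["clsid"],
                    m["path"], m["missing"] is not None)


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def triage(entry: HjtEntry) -> List[str]:
    """Reasons an analyst would want to look at this entry (empty = nothing notable)."""
    reasons = []
    if entry.file_missing:
        reasons.append("registered component whose file is gone (stale registration)")
    if WINDOWS_ROOT_RE.match(entry.path.lower()):
        reasons.append("component loaded from the Windows folder itself, not a vendor or system32 folder")
    return reasons


def flag_entries(text: str) -> List[Tuple[HjtEntry, List[str]]]:
    flagged = []
    for entry in parse_log(text):
        reasons = triage(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


def removed_between(before: str, after: str) -> List[str]:
    """Names of O2/O3 entries present in `before` but absent (by CLSID) in `after`."""
    after_ids = {e.clsid for e in parse_log(after)}
    return [e.name for e in parse_log(before) if e.clsid not in after_ids]


# Lines copied from the HijackThis log posted above (raw string: backslashes are literal).
BEFORE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {C4F4DBBD-4A4C-4B40-97DA-2FE06DBB2901} - I:\WINDOWS\bndsrwgo.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar2.dll
O3 - Toolbar: The netadv - {F17B1418-2C0C-4295-BD55-BCDD3C730FBE} - I:\WINDOWS\netadv.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
"""

# Constructed "after" log: the same lines minus the MSVPS System BHO.
AFTER_LOG = "\n".join(l for l in BEFORE_LOG.splitlines() if "MSVPS System" not in l)

if __name__ == "__main__":
    for entry, reasons in flag_entries(BEFORE_LOG):
        print(f"{entry.section} {entry.name!r} -> {entry.path}")
        for r in reasons:
            print(f"    - {r}")
    print("removed after cleanup:", removed_between(BEFORE_LOG, AFTER_LOG))
```

Both rules are triage hints, not verdicts: a "(file missing)" entry is often just a leftover registration after a partial cleanup, and the Windows-folder rule only points at the entries an analyst should research first, which is exactly what the helper in this thread does by hand with the rest of the log.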



#2 Scotty (Always Happy, Authentic Member, 3,634 posts)

Posted 11 November 2007 - 12:01 PM

Hi! Welcome to the WTT forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient.

Please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.



Download and Run SmitfraudFix
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

#3 duke singer (New Member, 4 posts)

Posted 11 November 2007 - 09:37 PM

Thanks for your help! The requested reports are below:

Adobe Acrobat 8 Professional - English, Français, Deutsch
Adobe Flash Player 9 ActiveX
Adobe Shockwave Player
AGEIA PhysX v7.01.12
Agere Systems PCI Soft Modem
Anvil Studio
AppCore
Apple Mobile Device Support
Apple Software Update
AV
AVG Anti-Spyware 7.5
BitComet 0.91
ccCommon
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
HP Product Detection
iTunes
Java™ 6 Update 3
LiveUpdate 3.1 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Magic ISO Maker v5.3 (build 0216)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSRedist
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
PowerISO
QuickTime
RealPlayer
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Sid Meier's Civilization 4
Sid Meier's Civilization III
SPBBC 32bit
The Rosetta Stone
Two Worlds
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver


SmitFraudFix v2.252

Scan done at 22:36:31.48, Sun 11/11/2007
Run from I:\Documents and Settings\Cochitas\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
I:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
I:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\ALCXMNTR.EXE
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
I:\WINDOWS\AGRSMMSG.exe
I:\Program Files\Common Files\Real\Update_OB\realsched.exe
I:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
I:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
I:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I:\Program Files\Hijackthis\HijackThis.exe
I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
I:\WINDOWS\system32\notepad.exe
I:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» I:\

»»»»»»»»»»»»»»»»»»»»»»»» I:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» I:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» I:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» I:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» I:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» I:\Documents and Settings\Cochitas

»»»»»»»»»»»»»»»»»»»»»»»» I:\Documents and Settings\Cochitas\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» I:\DOCUME~1\Cochitas\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» I:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 205.152.144.23
DNS Server Search Order: 205.152.132.23

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0E18946D-062C-44D6-8A1B-953B17D36BD7}: NameServer=205.152.144.23 205.152.132.23
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0E18946D-062C-44D6-8A1B-953B17D36BD7}: NameServer=205.152.144.23 205.152.132.23

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

#4 Scotty (Always Happy, Authentic Member, 3,634 posts)

Posted 12 November 2007 - 03:44 AM

Hi

Download and Save ComboFix
  • Download this file from below: Here
  • Save it to your Desktop.
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
Note 1: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

#5 duke singer (New Member, 4 posts)

Posted 12 November 2007 - 11:01 AM

Here are the two most recent reports. Thanks again for your help!
Logfile of HijackThis v1.99.1
Scan saved at 11:59:11 AM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\ALCXMNTR.EXE
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
I:\WINDOWS\AGRSMMSG.exe
I:\Program Files\Common Files\Real\Update_OB\realsched.exe
I:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
I:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
I:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
I:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
I:\WINDOWS\system32\notepad.exe
I:\Program Files\Internet Explorer\IEXPLORE.EXE
I:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - I:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - I:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - I:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - i:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - I:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: The netadv - {F17B1418-2C0C-4295-BD55-BCDD3C730FBE} - I:\WINDOWS\netadv.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "I:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "I:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "I:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "I:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "I:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\MpcStar\Codecs\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "I:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] I:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] I:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://I:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://I:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://I:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - I:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - I:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - I:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - I:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...ol.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E18946D-062C-44D6-8A1B-953B17D36BD7}: NameServer = 205.152.144.23 205.152.132.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E18946D-062C-44D6-8A1B-953B17D36BD7}: NameServer = 205.152.144.23 205.152.132.23
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - I:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - I:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - I:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - I:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - I:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - I:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - I:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - I:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "I:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Unknown owner - I:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


ComboFix 07-11-08.3 - Cochitas 2007-11-12 11:00:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.160 [GMT -5:00]
Running from: I:\Documents and Settings\Cochitas\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

I:\WINDOWS\bndsrwgo.dll
I:\WINDOWS\dat.txt
I:\WINDOWS\rs.txt
I:\WINDOWS\search_res.txt

.
((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.

2007-11-12 10:59 51,200 --a------ I:\WINDOWS\NirCmd.exe
2007-11-10 20:43 <DIR> d-------- I:\Documents and Settings\Cochitas\Application Data\Grisoft
2007-11-10 20:43 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-10 20:43 10,872 --a------ I:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-05 11:39 <DIR> d-------- I:\Program Files\Kazaa
2007-11-01 02:10 <DIR> d-------- I:\Documents and Settings\Cochitas\.housecall6.6
2007-11-01 02:09 <DIR> d-------- I:\WINDOWS\Sun
2007-11-01 02:08 <DIR> d-------- I:\Program Files\Java
2007-11-01 02:07 <DIR> d-------- I:\Program Files\Common Files\Java
2007-10-31 22:53 2,374 --a------ I:\WINDOWS\system32\tmp.reg
2007-10-30 19:55 625,032 --a------ I:\WINDOWS\system32\SymNeti.dll
2007-10-30 19:55 242,056 --a------ I:\WINDOWS\system32\SymRedir.dll
2007-10-30 19:55 191,536 --a------ I:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 19:55 145,968 --a------ I:\WINDOWS\system32\drivers\symfw.sys
2007-10-30 19:55 39,856 --a------ I:\WINDOWS\system32\drivers\symids.sys
2007-10-30 19:55 37,936 --a------ I:\WINDOWS\system32\drivers\symndisv.sys
2007-10-30 19:55 35,120 --a------ I:\WINDOWS\system32\drivers\symndis.sys
2007-10-30 19:55 27,696 --a------ I:\WINDOWS\system32\drivers\symredrv.sys
2007-10-30 19:55 12,848 --a------ I:\WINDOWS\system32\drivers\symdns.sys
2007-10-25 11:38 <DIR> d-------- I:\Documents and Settings\Cochitas\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 16:03 --------- d-----w I:\Program Files\Common Files\Symantec Shared
2007-11-12 15:44 --------- d-----w I:\Documents and Settings\All Users\Application Data\Symantec
2007-11-06 17:40 --------- d-----w I:\Program Files\Norton Internet Security
2007-11-06 16:13 805 ----a-w I:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-06 16:13 123,952 ----a-w I:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-06 16:13 10,740 ----a-w I:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-06 16:13 --------- d-----w I:\Program Files\Symantec
2007-11-05 16:43 --------- d--h--w I:\Program Files\InstallShield Installation Information
2007-10-31 00:24 12,963 ----a-w I:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 00:24 1,358 ----a-w I:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-12 04:24 --------- d-----w I:\Program Files\DexCorp
2007-10-10 15:22 --------- d-----w I:\Documents and Settings\Cochitas\Application Data\Anvil Studio
2007-10-10 13:18 --------- d-----w I:\Program Files\Anvil Studio
2007-10-10 13:16 --------- d-----w I:\Program Files\BitComet
2007-10-10 13:05 --------- d-----w I:\Program Files\iTunes
2007-10-10 13:05 --------- d-----w I:\Program Files\iPod
2007-10-10 13:05 --------- d-----w I:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-10 12:56 --------- d-----w I:\Program Files\QuickTime
2007-10-04 14:01 --------- d-----w I:\Documents and Settings\All Users\Application Data\pixelStorm
2007-09-28 16:59 --------- d-----w I:\Documents and Settings\Cochitas\Application Data\My Games
2007-09-28 16:47 163,644 ----a-w I:\WINDOWS\system32\drivers\secdrv.sys
2007-09-28 16:38 --------- d-----w I:\Program Files\Firaxis Games
2007-09-28 16:37 --------- d-----w I:\Program Files\Common Files\InstallShield
2007-09-26 15:52 --------- d-----w I:\Program Files\DivX
2007-09-25 14:20 --------- d-----w I:\Program Files\Common Files\Adobe
2007-09-25 14:19 --------- d-----w I:\Program Files\Common Files\Macrovision Shared
2007-09-25 14:19 --------- d-----w I:\Documents and Settings\All Users\Application Data\FLEXnet
2007-09-22 18:16 --------- d-----w I:\Program Files\Windows Media Connect 2
2007-09-19 17:55 --------- d-----w I:\Program Files\Common Files\xing shared
2007-09-19 17:55 --------- d-----w I:\Program Files\Common Files\Real
2007-09-19 17:54 --------- d-----w I:\Program Files\Google
2007-09-19 16:34 8,552 ----a-w I:\WINDOWS\system32\drivers\asctrm.sys
2007-09-19 16:34 --------- d-----w I:\Program Files\Real
2007-09-19 16:32 --------- d-----w I:\Program Files\MpcStar
2007-09-18 19:44 10,662 ----a-w I:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 19:44 10,662 ----a-w I:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 19:44 10,658 ----a-w I:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 19:44 1,430 ----a-w I:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 19:44 1,421 ----a-w I:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 19:44 1,415 ----a-w I:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 19:43 43,696 ----a-w I:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 19:43 317,616 ----a-w I:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 19:43 278,576 ----a-w I:\WINDOWS\system32\drivers\srtsp.sys
2007-09-13 22:33 --------- d-----w I:\Documents and Settings\Cochitas\Application Data\Apple Computer
2007-09-13 22:30 --------- d-----w I:\Program Files\Apple Software Update
2007-09-13 22:29 --------- d-----w I:\Program Files\Common Files\Apple
2007-09-13 22:29 --------- d-----w I:\Documents and Settings\All Users\Application Data\Apple
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F17B1418-2C0C-4295-BD55-BCDD3C730FBE}"= I:\WINDOWS\netadv.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{F17B1418-2C0C-4295-BD55-BCDD3C730FBE}]
[HKEY_CLASSES_ROOT\netadv.ToolBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}]
[HKEY_CLASSES_ROOT\netadv.ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 I:\WINDOWS\ALCXMNTR.EXE]
"ccApp"="I:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-02 19:04]
"osCheck"="I:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 13:22]
"GrooveMonitor"="I:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
"Symantec PIF AlertEng"="I:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 08:06 I:\WINDOWS\AGRSMMSG.exe]
"TkBellExe"="I:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-19 12:53]
"Acrobat Assistant 8.0"="I:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 22:24]
"QuickTime Task"="I:\Program Files\MpcStar\Codecs\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="I:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"SunJavaUpdateSched"="I:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"!AVG Anti-Spyware"="I:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="I:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-03 18:33]
"ctfmon.exe"="I:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"AdobeUpdater"="I:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-10-10 11:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\Setup.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 12:44:02 I:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- I:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-11 00:20:15 I:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Cochitas.job"
- I:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 11:04:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-12 11:06:07 - machine was rebooted
.
--- E O F ---

#6 Scotty (Authentic Member, 3,634 posts)

Posted 12 November 2007 - 11:19 AM

Hi

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

File::
I:\WINDOWS\netadv.dll

Folder::
I:\Documents and Settings\Cochitas\Desktop\SmitfraudFix 

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F17B1418-2C0C-4295-BD55-BCDD3C730FBE}"=-
[-HKEY_CLASSES_ROOT\CLSID\{F17B1418-2C0C-4295-BD55-BCDD3C730FBE}]
[-HKEY_CLASSES_ROOT\netadv.ToolBar.1]
[-HKEY_CLASSES_ROOT\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}]
[-HKEY_CLASSES_ROOT\netadv.ToolBar]

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

[image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log with a new HijackThis log.


Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

      + Extended(If available otherwise Standard)
    • Scan Options:

      + Scan Archives
      + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post with a new HijackThis log.
With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete.
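
A worked example, added here and not part of either post, of HijackThis, or of ComboFix: a small Python script that applies to a few lines taken from the logs above the checks a helper makes by eye (a Run value with no full path, a browser extension loading from the Windows directory itself rather than a subfolder, the O17 DNS servers, an O23 service whose file is missing) and then drafts the File:: and Registry:: sections of a CFScript in the layout Scotty used. The sample lines are copied from the posted logs, except the O3 line, which is the HijackThis rendering of the netadv.dll toolbar that ComboFix listed under "Reg Loading Points". The heuristics are assumptions of this example, not rules from the thread, and a flagged line is something to look at, not a verdict; legitimate software (the Realtek and Agere entries here) trips some of them.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section text")

# Constructed sample log: lines copied from the posts above, plus an O3 line
# reconstructed from ComboFix's "Reg Loading Points" entry for netadv.dll.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {F17B1418-2C0C-4295-BD55-BCDD3C730FBE} - I:\WINDOWS\netadv.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E18946D-062C-44D6-8A1B-953B17D36BD7}: NameServer = 205.152.144.23 205.152.132.23
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# A DLL/EXE sitting directly in the Windows directory rather than a subfolder
# (netadv.dll and bndsrwgo.dll in this thread both do). Heuristic, not proof.
WINROOT_RE = re.compile(r"[A-Za-z]:\\WINDOWS\\[^\\\s]+\.(?:dll|exe)\b", re.I)
# O4 value launched with a full (optionally quoted) path after the [name]
O4_FULLPATH_RE = re.compile(r"\]\s+\"?[A-Za-z]:\\")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
TAIL_PATH_RE = re.compile(r" - ([A-Za-z]:\\[^\r\n]+?)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hjt(log):
    """Split a HijackThis log into (section, text) entries; other lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Return (entry, reason) pairs for lines worth a closer look."""
    findings = []
    for e in entries:
        if e.section == "O4" and not O4_FULLPATH_RE.search(e.text):
            findings.append((e, "Run value has no full path; confirm which file on PATH is launched"))
        if e.section in ("O2", "O3", "O9") and WINROOT_RE.search(e.text):
            findings.append((e, "browser extension loaded from the Windows directory itself"))
        if e.section == "O17":
            servers = ", ".join(IPV4_RE.findall(e.text))
            findings.append((e, "DNS servers %s; confirm they belong to your ISP" % servers))
        if e.section == "O23" and "(file missing)" in e.text:
            findings.append((e, "service points at a missing file; stale or broken entry"))
    return findings


def cfscript(files=(), folders=(), registry=()):
    """Render CFScript sections in the layout used in the reply above.
    Registry lines use regedit syntax: '"name"=-' under a '[KEY]' header
    deletes that value, '[-KEY]' deletes the whole key."""
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if folders:
        parts.append("Folder::\n" + "\n".join(folders))
    if registry:
        parts.append("Registry::\n" + "\n".join(registry))
    return "\n\n".join(parts) + "\n"


def draft_toolbar_removal(entry):
    """Draft the File:: and Registry:: lines for an O3 toolbar entry: delete the
    file, the Toolbar value and the CLSID key. The ProgID and TypeLib keys that
    the reply above also removes come from ComboFix's registry listing, not from
    the HijackThis line, so they are not generated here."""
    clsid = CLSID_RE.search(entry.text).group(0)
    path = TAIL_PATH_RE.search(entry.text).group(1)
    registry = [
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]",
        '"%s"=-' % clsid,
        r"[-HKEY_CLASSES_ROOT\CLSID\%s]" % clsid,
    ]
    return cfscript(files=[path], registry=registry)


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for entry, reason in triage(entries):
        print("%-4s %s\n     -> %s" % (entry.section, entry.text, reason))
    toolbar = [e for e in entries if e.section == "O3"][0]
    print()
    print(draft_toolbar_removal(toolbar))
```

Run it as-is to see the four flagged lines and the drafted script; feed it a full log by reading the file into parse_hjt. The generated Registry:: block is regedit syntax, so the same text could be saved as a .reg file and reviewed before anything is run.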

#7 duke singer (New Member, 4 posts)

Posted 12 November 2007 - 11:06 PM

Ok...here are the results of the scan and the new Hijack This Log...Thanks again for all of your help! :thumbup:


Tuesday, November 13, 2007 12:04:36 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/11/2007
Kaspersky Anti-Virus database records: 457177


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics
Total number of scanned objects 53148
Number of viruses found 7
Number of infected objects 18
Number of suspicious objects 0
Duration of the scan process 01:32:42

Infected Object Name Virus Name Last Action
I:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-11-12_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp6F963A3.TMP Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\494C04AB.TMP Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped

I:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped

I:\Documents and Settings\Cochitas\.housecall6.6\Quarantine\Di2.exe.bac_a02136 Infected: Trojan-Downloader.Win32.Zlob.gen skipped

I:\Documents and Settings\Cochitas\Cookies\index.dat Object is locked skipped

I:\Documents and Settings\Cochitas\Desktop\tutto\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

I:\Documents and Settings\Cochitas\Desktop\tutto\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

I:\Documents and Settings\Cochitas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

I:\Documents and Settings\Cochitas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

I:\Documents and Settings\Cochitas\Local Settings\History\History.IE5\index.dat Object is locked skipped

I:\Documents and Settings\Cochitas\Local Settings\History\History.IE5\MSHist012007111220071113\index.dat Object is locked skipped

I:\Documents and Settings\Cochitas\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

I:\Documents and Settings\Cochitas\NTUSER.DAT Object is locked skipped

I:\Documents and Settings\Cochitas\ntuser.dat.LOG Object is locked skipped

I:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

I:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

I:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

I:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

I:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

I:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

I:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

I:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

I:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

I:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

I:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

I:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

I:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped

I:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

I:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

I:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

I:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

I:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

I:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

I:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped

I:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped

I:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped

I:\qoobox\Quarantine\I\Documents and Settings\Cochitas\Desktop\SmitfraudFix\Reboot.exe.vir Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

I:\qoobox\Quarantine\I\WINDOWS\bndsrwgo.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.do skipped

I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

I:\System Volume Information\_restore{39BD4BBA-8B42-4998-9368-9DF9860FE283}\RP5\A0000481.exe/data0002 Infected: not-a-virus:AdWare.Win32.Comet.bl skipped

I:\System Volume Information\_restore{39BD4BBA-8B42-4998-9368-9DF9860FE283}\RP5\A0000481.exe NSIS: infected - 1 skipped

I:\System Volume Information\_restore{39BD4BBA-8B42-4998-9368-9DF9860FE283}\RP66\A0013133.dll Infected: not-a-virus:AdWare.Win32.Agent.sb skipped

I:\System Volume Information\_restore{39BD4BBA-8B42-4998-9368-9DF9860FE283}\RP66\A0013135.dll Infected: not-a-virus:AdWare.Win32.Agent.qz skipped

I:\System Volume Information\_restore{39BD4BBA-8B42-4998-9368-9DF9860FE283}\RP66\A0013136.exe Infected: not-a-virus:AdWare.Win32.Agent.oi skipped

I:\System Volume Information\_restore{39BD4BBA-8B42-4998-9368-9DF9860FE283}\RP66\A0013139.exe Infected: Trojan-Downloader.Win32.Zlob.gen skipped

I:\System Volume Information\_restore{39BD4BBA-8B42-4998-9368-9DF9860FE283}\RP82\A0014235.exe Infected: Trojan-Downloader.Win32.Zlob.gen skipped

I:\System Volume Information\_restore{39BD4BBA-8B42-4998-9368-9DF9860FE283}\RP93\A0014481.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

I:\System Volume Information\_restore{39BD4BBA-8B42-4998-9368-9DF9860FE283}\RP93\A0014484.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

I:\System Volume Information\_restore{39BD4BBA-8B42-4998-9368-9DF9860FE283}\RP93\A0014484.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

I:\System Volume Information\_restore{39BD4BBA-8B42-4998-9368-9DF9860FE283}\RP93\A0014484.exe RarSFX: infected - 2 skipped

I:\System Volume Information\_restore{39BD4BBA-8B42-4998-9368-9DF9860FE283}\RP94\A0014495.dll Infected: not-a-virus:AdWare.Win32.Agent.do skipped

I:\System Volume Information\_restore{39BD4BBA-8B42-4998-9368-9DF9860FE283}\RP95\A0014550.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

I:\System Volume Information\_restore{39BD4BBA-8B42-4998-9368-9DF9860FE283}\RP95\change.log Object is locked skipped

I:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

I:\WINDOWS\SchedLgU.Txt Object is locked skipped

I:\WINDOWS\SoftwareDistribution\EventCache\{A4591584-FAB0-40E2-9794-3E3DA8337EE5}.bin Object is locked skipped

I:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

I:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

I:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

I:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

I:\WINDOWS\system32\config\default Object is locked skipped

I:\WINDOWS\system32\config\default.LOG Object is locked skipped

I:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

I:\WINDOWS\system32\config\OSession.evt Object is locked skipped

I:\WINDOWS\system32\config\SAM Object is locked skipped

I:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

I:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

I:\WINDOWS\system32\config\SECURITY Object is locked skipped

I:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

I:\WINDOWS\system32\config\software Object is locked skipped

I:\WINDOWS\system32\config\software.LOG Object is locked skipped

I:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

I:\WINDOWS\system32\config\system Object is locked skipped

I:\WINDOWS\system32\config\system.LOG Object is locked skipped

I:\WINDOWS\system32\h323log.txt Object is locked skipped

I:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

I:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

I:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

I:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

I:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

I:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

I:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

I:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 12:05:28 AM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
I:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\ALCXMNTR.EXE
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
I:\WINDOWS\AGRSMMSG.exe
I:\Program Files\Common Files\Real\Update_OB\realsched.exe
I:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
I:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
I:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
I:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
I:\WINDOWS\explorer.exe
I:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I:\Program Files\Internet Explorer\IEXPLORE.EXE
I:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - I:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - I:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - I:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - i:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - I:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "I:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "I:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "I:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "I:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "I:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\MpcStar\Codecs\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "I:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] I:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] I:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://I:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://I:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://I:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - I:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - I:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - I:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - I:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...ol.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E18946D-062C-44D6-8A1B-953B17D36BD7}: NameServer = 205.152.144.23 205.152.132.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E18946D-062C-44D6-8A1B-953B17D36BD7}: NameServer = 205.152.144.23 205.152.132.23
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - I:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - I:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - I:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - I:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - I:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - I:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - I:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - I:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "I:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Unknown owner - I:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

#8 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 13 November 2007 - 06:42 AM

Hi

You may wish to keep Kaspersky's Online Scan as an extra on-demand virus scanner, but if not, it can be removed via Add/Remove Programs.



Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u; it needs to be there.
  • When shown the disclaimer, Select "2"
Here are some free programs I recommend, although you will not need them all.

Spybot Search and Destroy
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here

Install Spyware Guard
Download it from here
Find the tutorial on how to use Spyware Guard here

Install SpyWare Blaster
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here


Make sure your Windows is ALWAYS up to date!

An unpatched Windows is vulnerable, and even with the "best" Antivirus and Firewall installed, malware will find its way through.
So visit http://windowsupdate.microsoft.com/ to download and install the latest updates.


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"


Follow this list and your potential for being infected again will reduce dramatically.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
You too could train to help others - Join the Classroom


#9 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 18 November 2007 - 07:13 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
You too could train to help others - Join the Classroom

