
Hijack This Log [CLOSED]


  • This topic is locked

#1
manogolf

    Member

  • Member
  • 13 posts
(2nd Edit)

My situation took an ugly turn yesterday. I installed ZoneAlarm and now I am unable to log in without a blue screen letting me know Windows has stopped to protect my system. Trying to use Safe Mode is not working. The screen for starting in Safe Mode (or other options) will come up, but I am unable to scroll using the up arrow to highlight Safe Mode as a startup option. If I could start in Safe Mode I would uninstall ZoneAlarm to see if that helps.

Hopefully there is enough information in the HijackThis file to restore a working PC, because I am unable to use it any longer. Thankfully I have another PC on a network and can update my post; otherwise I would truly be desperate. Unfortunately this is the family computer and my business applications are on the dead one. Looking forward to some advice.

Jerry

(Edited Post)

As much as I did not want to, I went ahead and clicked the annoying anti-everything solution for my PC. Its name is AVSystemCare.
Additionally, I am unable to update software from Microsoft without receiving this notice.

Network policy settings prevent you from using this website to get updates for your computer.

If you believe you have received this message in error, please contact your system administrator.
Read more about steps you can take to resolve this problem (error number 0x8DDD0003) yourself.



Furthermore, I am unable to update user settings without receiving the same notice.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:55 AM, on 11/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\savedump.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\WINDOWS\system32\crypserv.exe
H:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\MsPMSPSv.exe
H:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
H:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
H:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
H:\Program Files\Windows Home Server\WHSConnector.exe
H:\Program Files\Softwin\BitDefender10\vsserv.exe
H:\WINDOWS\system32\wuauclt.exe
H:\WINDOWS\Explorer.exe
H:\WINDOWS\system32\msanton.exe
H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
H:\WINDOWS\SM1BG.EXE
H:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
H:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe
H:\Program Files\Softwin\BitDefender10\bdagent.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\WINDOWS\CTHELPER.EXE
H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
H:\Program Files\Windows Defender\MSASCui.exe
H:\Program Files\Messenger\msmsgs.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Skype\Phone\Skype.exe
H:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
H:\Program Files\The Internet Marketing Center\Desktop Marketer 3\Readers\518\574\Theme Zoom By Referral Only.exe
H:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
H:\Program Files\Windows Home Server\WHSTrayApp.exe
H:\Program Files\Microsoft Office\Office10\msoffice.exe
H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
H:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
H:\Program Files\Skype\Plugin Manager\skypePM.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe H:\WINDOWS\system32\msanton.exe
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - H:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - H:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Omea - {35402C01-1777-4159-9ABA-3480BA70D90A} - H:\Program Files\JetBrains\Omea\IexploreOmeaW.dll
O3 - Toolbar: Home Server Banner - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - H:\Program Files\Windows Home Server\WHSDeskBands.dll
O3 - Toolbar: Starware Lottery Toolbar - {1962c5bc-e475-465b-823b-133e711bceb9} - H:\Program Files\Starware365\bin\Starware365.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SM1BG] H:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [WebArmyKnife] H:\DOCUME~1\Jerry\LOCALS~1\Temp\Temporary Directory 1 for webarmyknife.zip\WAK.exe q
O4 - HKLM\..\Run: [eFax 4.1] "H:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [TosGbWatcher] "H:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe"
O4 - HKLM\..\Run: [BDMCon] "H:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "H:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Disc Detector] H:\Creative\ShareDLL\ctnotify.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [version] H:\WINDOWS\system32\timoty.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [dumprep] H:\WINDOWS\system32\spools.exe
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "H:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "H:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "H:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RoboForm] "H:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [froody] H:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Theme Zoom By Referral Only] "H:\Program Files\The Internet Marketing Center\Desktop Marketer 3\Readers\518\574\Theme Zoom By Referral Only.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [FFTI] H:\Documents and Settings\Jerry\Application Data\Mozilla\Firefox\Profiles\ggqfefsd.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FFTI] H:\Documents and Settings\Jerry\Application Data\Mozilla\Firefox\Profiles\ggqfefsd.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O4 - Startup: setings.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SnagIt 8.lnk = H:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: startup.exe
O4 - Global Startup: Windows Home Server.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Clip and Edit - res://H:\Program Files\JetBrains\Omea\IexploreOmeaW.dll/1000
O8 - Extra context menu item: Clip and Save - res://H:\Program Files\JetBrains\Omea\IexploreOmeaW.dll/1001
O8 - Extra context menu item: Customize Menu - file://H:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://H:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://H:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://H:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Subscribe to Feed - res://H:\Program Files\JetBrains\Omea\IexploreOmeaW.dll/1002
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://H:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://H:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://H:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://H:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://H:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://H:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {35402C01-1777-4159-9ABA-3480BA70D901} - H:\Program Files\JetBrains\Omea\IexploreOmeaW.dll (HKCU)
O9 - Extra 'Tools' menuitem: Omea Add-on Options… - {35402C01-1777-4159-9ABA-3480BA70D901} - H:\Program Files\JetBrains\Omea\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Subscribe to Feed - {35402C01-1777-4159-9ABA-3480BA70D903} - H:\Program Files\JetBrains\Omea\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Clip and Edit - {35402C01-1777-4159-9ABA-3480BA70D905} - H:\Program Files\JetBrains\Omea\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Clip and Save - {35402C01-1777-4159-9ABA-3480BA70D907} - H:\Program Files\JetBrains\Omea\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Annotate - {35402C01-1777-4159-9ABA-3480BA70D909} - H:\Program Files\JetBrains\Omea\IexploreOmeaW.dll (HKCU)
O15 - Trusted Zone: http://www.womensgol...l.ladyogolf.com
O16 - DPF: {112857FE-03FF-11D5-9A3F-0080C8D85044} (GameDesire Solitaires) - http://67.15.101.3/g...re_2_0_0_23.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...ite.cab?1144550139171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...uweb_site.cab?1195761170859
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://aolsvc.aol.co...itched/main.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://contentdesk....bex/ieatgpc.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...168/mcfscan.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://aolsvc.aol.co...ia.1.0.0.22.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - H:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: H:\WINDOWS\system32\skuns.dat
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - H:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - H:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - H:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GoogleDesktopManager - Google - H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - H:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - H:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - H:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 13886 bytes

Site Map Maker 1.4
3D-FTP 7.01
Adobe Flash Player ActiveX
Adobe Reader 8.1.0
Adobe Shockwave Player
Affiliate Cloner
Affiliates Alert 1.1.134
AI RoboForm (All Users)
Apple Mobile Device Support
Apple Software Update
Article Miner
AVG Anti-Spyware 7.5
Back Link Analyzer v2.0-cp
BitDefender Antivirus v10
BlogDesk 2.7
Brushstrokes Demo
Camtasia Studio 2
Camtasia Studio 3
Charter Music
CoffeeCup Flash Form Builder
CoffeeCup HTML Editor 2006
CoffeeCup Image Mapper
CoffeeCup PixConverter
CoffeeCup RSS News Flash
CoffeeCup StyleSheet Maker
CoffeeCup Website Color Schemer
ColorPic
CP210x USB to UART Bridge Controller
CSVed 1.3.9
Cypress USB Mass Storage Driver Installation
DupeFree Pro
eFax Messenger 4.1
ExpirePro Full
FileZilla (remove only)
FLV Player 1.3.3
Free Monitor for Google 2.0
GoogEdit (Google® AdWords® Editing) Tool
Google AdWords Editor
Google Desktop
HijackThis 2.0.2
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
IdeaMason 3.1.5
ImgBurn (Remove Only)
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
JetBrains Omea
Keyword Locator (remove only)
Link Popularity Check 3.0.2
Macromedia Contribute 3.11
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8 Plugin
Market Research Wizard
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft File Transfer Manager
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft ODBC .NET Data Provider
Microsoft Office XP Media Content
Microsoft Office XP Standard for Students and Teachers
Mindjet MindManager Viewer 6
Mozilla ActiveX Control v1.7.12
Mozilla Firefox (2.0.0.9)
Mozilla Thunderbird (1.5.0.7)
MP3 Rocket
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Napster
Napster Burn Engine
neroxml
Online Gold Finder
Panda ActiveScan
PSPad editor
Quicken 2006
QuickTime
Rapid Niche Websites System
Rapid Niche Websites System
RapidFormatter Videos
Realtek AC'97 Audio
RollerCoaster Tycoon® 3
RSS Submit v2.30
Search Automator 1.0
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB943460)
Skype™ 3.5
SnagIt 8
SnagIt 8
SUPERAntiSpyware Free Edition
The Food Database 1.0
Theme Zoom By Referral Only
Top Keyword Data
TOSHIBA gigabeat applications 2.0.2
TurboTax Deluxe 2005
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
URGE
USB Storage Adapter FX (SM1)
Web 2.0 Submitter
WebEx
WebEx Recorder and Player
WexTech AnswerWorks
Winamp (remove only)
Windows Defender
Windows Defender Signatures
Windows Home Server Connector
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
XMailWrite
XSite Pro
Yahoo! Toolbar
YH-920 Driver & Utilities


I am unable to update from the Microsoft site because of the user settings notification. Also, I am unable to change user settings.

Thanks,

Jerry

Edited by manogolf, 24 November 2007 - 09:44 AM.

  • 0
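The log above is what a helper on this thread reads by hand, entry by entry. As an added example (not part of the original post, and not code from HijackThis or any other tool mentioned in the thread), the following Python script applies the same first-pass checks mechanically: a second executable appended to the Winlogon Shell value (F2), Run entries launching unrecognised binaries from the Windows directory or bare executables dropped into a Startup folder (O4), the DisableRegedit policy that locks the user out of regedit (O7), sites added to IE's Trusted Zone (O15), an AppInit_DLLs entry (O20, loaded into every process that links user32.dll), and toolbar registrations whose DLL is gone (O3). The sample input is copied from the HijackThis log posted above with the forum's line wrapping undone; the short allowlist of known Windows-directory autoruns is an assumption for this example, not a complete list.

```python
"""Triage a HijackThis 2.0 log for the autostart and policy entries a helper
checks first. Added example for this thread, not part of the original post
and not code from HijackThis or any other tool mentioned here."""
import re
from dataclasses import dataclass
from typing import List

# Sample input: entries copied from the HijackThis log posted above, with the
# forum's line wrapping undone. Only the sections this script inspects are kept.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe H:\WINDOWS\system32\msanton.exe
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - H:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Starware Lottery Toolbar - {1962c5bc-e475-465b-823b-133e711bceb9} - H:\Program Files\Starware365\bin\Starware365.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [version] H:\WINDOWS\system32\timoty.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [dumprep] H:\WINDOWS\system32\spools.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [froody] H:\WINDOWS\system32\timoty.exe
O4 - Startup: setings.exe
O4 - Global Startup: SnagIt 8.lnk = H:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: http://www.womensgol...l.ladyogolf.com
O20 - AppInit_DLLs: H:\WINDOWS\system32\skuns.dat
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# Autorun binaries under the Windows directory that are expected on an XP box.
# Assumption for this example, not an exhaustive list: any other Run target
# under \WINDOWS\ is reported for a look.
KNOWN_SYSTEM_AUTORUNS = {"ctfmon.exe", "soundman.exe", "cthelper.exe", "ctxfihlp.exe"}

_ENTRY = re.compile(r"^([RF]\d|O\d+) - (.*)$")


@dataclass
class Finding:
    section: str    # HijackThis section code, e.g. "O4"
    severity: str   # "high": fix it; "review": confirm before acting
    reason: str
    line: str


def _target_of(body: str) -> str:
    """Extract the launched path from an O4 body such as
    'HKLM\\..\\Run: [name] "H:\\path\\x.exe" /arg' or 'Startup: x.exe'."""
    rest = body.split(": ", 1)[1] if ": " in body else body
    rest = re.sub(r"^\[[^\]]*\]\s*", "", rest).strip()     # drop the [value name]
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]                    # quoted path, then args
    return rest.split(" ", 1)[0]                            # unquoted: first token


def _basename(path: str) -> str:
    return path.split("\\")[-1].lower()


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log entry that matches a triage rule."""
    out: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue
        code, body = m.groups()
        if code == "F2" and "Shell=" in body:
            # A clean XP box has exactly "Explorer.exe" here; anything appended
            # is a second program started by Winlogon at every logon.
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                out.append(Finding(code, "high", "extra Winlogon shell: " + shell, line))
        elif code == "O3" and body.endswith("(file missing)"):
            out.append(Finding(code, "review", "toolbar registered but DLL missing", line))
        elif code == "O4":
            target = _target_of(body)
            name = _basename(target)
            if body.startswith(("Startup:", "Global Startup:")) and name.endswith(".exe"):
                out.append(Finding(code, "high", "bare executable in a Startup folder: " + name, line))
            elif "\\windows\\" in target.lower() and name not in KNOWN_SYSTEM_AUTORUNS:
                out.append(Finding(code, "high", "unrecognised autorun under Windows dir: " + name, line))
        elif code == "O7" and "DisableRegedit=1" in body:
            out.append(Finding(code, "high", "registry editor disabled by policy", line))
        elif code == "O15":
            out.append(Finding(code, "review", "site added to IE Trusted Zone (lowered security)", line))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            out.append(Finding(code, "high", "AppInit_DLLs loads into every user32 process", line))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the sample it reports eleven entries, nine of them high: the msanton.exe shell, the two copies of timoty.exe plus spools.exe under Run, the two bare executables in the Startup folders, both DisableRegedit policies and the skuns.dat AppInit entry; the orphaned Starware toolbar and the Trusted Zone site are listed for review. The Windows Update message quoted in the post (error 0x8DDD0003, "Network policy settings prevent you from using this website") is the symptom of a related policy value, DisableWindowsUpdateAccess under Software\Policies\Microsoft\Windows\WindowsUpdate, which this HijackThis log does not show, so a cleanup should check for it separately after the O7 entries are removed.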



#2
racenutalways

    Member 1K

  • Retired Staff
  • 1,675 posts
Hi manogolf, and welcome to G2G. You may have been hit with the SmitFraud infection, for one. Let's get started.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Once I receive the logs I will reply with a proposed fix and we will take control of that computer back. :)
  • 0

#3
manogolf

    Member

  • Topic Starter
  • Member
  • 13 posts
Thanks for taking my case head on!

I would love to get started with your instructions; however, I am unable to log in to Windows, not able to start Safe Mode, and am ignored by the OS when attempting to boot from CD. As you can see, I'm a little out of sorts with my PC and frankly have run out of ideas about getting around Windows through the side or back door. If we could start with finding a way into the OS, I would really appreciate it.

Thanks

Jerry
  • 0

#4
manogolf

    Member

  • Topic Starter
  • Member
  • 13 posts
Since I have not received a reply, I am beginning to conclude the problems I am experiencing are beyond the scope of this forum. If I have failed to describe my issues with enough detail, please advise and I will make another attempt. If I am overlooking an obvious tactic, please be candid and tell me what it is I should do.

I do not expect something for nothing, and I appreciate that you provide a donation link. If my issues are atypical and require contract negotiations, please be frank enough to say so. I would much rather help out someone here than take my PC to a local box store help center.

Many Thanks,

Jerry
  • 0

#5
manogolf

    Member

  • Topic Starter
  • Member
  • 13 posts
Tip of the day!
If you have a wireless keyboard, you will not be able to scroll to Safe Mode in the startup menu or press any key to boot from CD.

Now that I can once again access my desktop, I've run SmitfraudFix and ComboFix. Following are the logs:

ComboFix 07-12-02.5 - Jerry 2007-12-01 17:14:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.504 [GMT -8:00]
Running from: H:\Documents and Settings\Jerry\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\WINDOWS\system32\drivers\ctl_w32.sys
H:\WINDOWS\system32\ntio256.sys
H:\WINDOWS\system32\protector.exe
H:\WINDOWS\system32\skuns.dat
.
---- Previous Run -------
.
H:\Documents and Settings\Janet\Application Data\install.dat
H:\Documents and Settings\Jerry\g2mdlhlpx.exe
H:\WINDOWS\dracee.exe
H:\WINDOWS\ksacre.exe
H:\WINDOWS\system32\4_exception.nls
H:\WINDOWS\system32\drivers\ctl_w32.sys
H:\WINDOWS\system32\drivers\ip6fw.sys
H:\WINDOWS\system32\kprof
H:\WINDOWS\system32\ntio256.sys
H:\WINDOWS\system32\poof
H:\WINDOWS\system32\protector.exe
H:\WINDOWS\system32\skuns.dat
H:\WINDOWS\Temp\145750.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NTIO256
-------\LEGACY_POOF
-------\ctl_w32
-------\kprof
-------\ntio256
-------\poof
-------\runtime




((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-12-01 16:43 . 2007-12-01 17:06 4,022 --a------ H:\WINDOWS\system32\tmp.reg
2007-12-01 16:38 . 2007-12-01 16:38 <DIR> d-------- H:\Documents and Settings\Administrator\Application Data\Talkback
2007-12-01 16:38 . 2007-12-01 16:38 87,552 --a------ H:\WINDOWS\system32\spoolc.exe
2007-12-01 16:38 . 2007-12-01 16:38 16,384 --a------ H:\WINDOWS\dcxxygx.exe
2007-12-01 16:31 . 2007-12-01 16:31 20,992 --a------ H:\WINDOWS\daverx.exe
2007-11-23 20:38 . 2007-11-23 20:43 4,212 ---h----- H:\WINDOWS\system32\zllictbl.dat
2007-11-23 20:36 . 2007-12-01 16:23 <DIR> d-------- H:\WINDOWS\Internet Logs
2007-11-23 10:04 . 2007-11-23 10:04 <DIR> d-------- H:\Program Files\Trend Micro
2007-11-23 07:32 . 2007-11-23 07:42 <DIR> d-------- H:\WINDOWS\system32\ActiveScan
2007-11-23 07:32 . 2007-11-23 07:32 30,590 --a------ H:\WINDOWS\system32\pavas.ico
2007-11-23 07:32 . 2007-11-23 07:32 2,550 --a------ H:\WINDOWS\system32\Uninstall.ico
2007-11-23 07:32 . 2007-11-23 07:32 1,406 --a------ H:\WINDOWS\system32\Help.ico
2007-11-22 22:13 . 2007-11-22 22:13 <DIR> d-------- H:\Documents and Settings\Emily\Application Data\Grisoft
2007-11-22 22:01 . 2007-11-22 22:01 <DIR> d-------- H:\Documents and Settings\Lindsey\Application Data\Grisoft
2007-11-22 21:25 . 2007-11-23 07:44 <DIR> d-------- H:\Program Files\SUPERAntiSpyware
2007-11-22 21:25 . 2007-11-22 21:25 <DIR> d-------- H:\Documents and Settings\Jerry\Application Data\SUPERAntiSpyware.com
2007-11-22 21:25 . 2007-11-22 21:25 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-22 19:32 . 2007-11-22 19:32 <DIR> d-------- H:\Documents and Settings\Jerry\Application Data\Grisoft
2007-11-22 19:32 . 2007-11-22 19:32 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-22 19:32 . 2007-05-30 04:10 10,872 --a------ H:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-22 19:13 . 2007-11-22 19:13 <DIR> d-------- H:\Documents and Settings\Janet.JJBE-571059D129\Application Data\Talkback
2007-11-22 11:17 . 2007-11-22 11:17 <DIR> d-------- H:\WINDOWS\McAfee.com
2007-11-22 10:14 . 2007-11-22 10:14 6,144 --a------ H:\WINDOWS\system32\timoty.exe
2007-11-22 10:14 . 2007-11-22 10:14 6,144 --a------ H:\WINDOWS\system32\msanton.exe
2007-11-21 17:05 . 2007-11-21 17:05 <DIR> d-------- H:\WINDOWS\system32\QuickTime
2007-11-21 17:04 . 2006-06-15 03:12 45,056 --a------ H:\WINDOWS\system32\CSvidcap.dll
2007-11-17 07:24 . 2007-12-01 16:38 291,328 --a------ H:\WINDOWS\system32\libcurl.dll
2007-11-12 19:19 . 2007-11-12 19:20 <DIR> d-------- H:\Program Files\IdeaMason 3.0
2007-11-12 19:19 . 2007-11-12 19:19 <DIR> d-------- H:\Documents and Settings\Jerry\Application Data\MasonWare LLC
2007-11-05 20:34 . 2007-11-05 20:34 <DIR> d-------- H:\Documents and Settings\Janet.JJBE-571059D129\Application Data\Bitdefender
2007-11-05 19:45 . 2007-11-23 07:43 <DIR> d-------- H:\Program Files\Windows Defender
2007-11-04 09:11 . 2007-11-04 09:11 <DIR> d-------- H:\Program Files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 01:25 --------- d-----w H:\Documents and Settings\Jerry\Application Data\Skype
2007-12-02 01:12 --------- d-----w H:\Documents and Settings\Jerry\Application Data\SiteAdvisor
2007-11-24 02:16 --------- d-----w H:\Program Files\3D-FTP
2007-11-23 16:49 --------- d-----w H:\Program Files\Windows Home Server
2007-11-23 16:38 --------- d-----w H:\Program Files\iTunes
2007-11-23 16:37 --------- d-----w H:\Program Files\eFax Messenger 4.1
2007-11-23 05:24 --------- d-----w H:\Program Files\Common Files\Wise Installation Wizard
2007-11-22 01:05 --------- d-----w H:\Documents and Settings\All Users\Application Data\TechSmith
2007-11-22 01:04 --------- d-----w H:\Program Files\TechSmith
2007-11-20 18:31 --------- d-----w H:\Program Files\MusicSoftware
2007-11-04 17:11 --------- d-----w H:\Program Files\Skype
2007-11-04 17:11 --------- d-----w H:\Documents and Settings\All Users\Application Data\Skype
2007-10-29 03:12 --------- d-----w H:\Program Files\BlogDesk
2007-10-25 02:28 --------- d-----w H:\Program Files\Digital Design Ltd
2007-10-25 02:28 --------- d-----w H:\Documents and Settings\Jerry\Application Data\Digital Design Ltd
2007-10-20 13:29 --------- d-----w H:\Program Files\Nick Arcade
2007-10-20 13:26 --------- d-----w H:\Program Files\Nick Jr. Arcade
2007-10-20 13:26 --------- d-----w H:\Program Files\FeedReader30
2007-10-20 13:24 --------- d-----w H:\Program Files\InterActual
2007-10-15 23:23 --------- d-----w H:\Program Files\Java
2007-10-14 03:19 --------- d-----w H:\Program Files\Conference
2007-05-17 05:05 20,736 ----a-w H:\Documents and Settings\Jerry\Application Data\GDIPFONTCACHEV1.DAT
2006-11-18 06:24 66,046 ----a-w H:\Program Files\Dupe_Free_0_NO_VISTA.ico
2006-05-11 16:04 460 ----a-w H:\Program Files\INSTALL.LOG
2006-03-31 16:40 3,167,744 ----a-w H:\Documents and Settings\Janet\gosetup.exe
2003-08-27 22:19 36,963 ----a-w H:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1962C5BC-E475-465B-823B-133E711BCEB9}"= H:\Program Files\Starware365\bin\Starware365.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{1962c5bc-e475-465b-823b-133e711bceb9}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="H:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"Skype"="H:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31]
"updateMgr"="H:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="H:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"RoboForm"="H:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-09-28 19:30]
"froody"="H:\WINDOWS\system32\timoty.exe" [2007-11-22 10:14]
"SUPERAntiSpyware"="H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39]
"Theme Zoom By Referral Only"="H:\Program Files\The Internet Marketing Center\Desktop Marketer 3\Readers\518\574\Theme Zoom By Referral Only.exe" [2007-11-22 19:27]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"SM1BG"="H:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20]
"eFax 4.1"="H:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" [2005-12-16 15:59]
"TosGbWatcher"="H:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe" [2005-04-26 02:02]
"BDMCon"="H:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2007-04-17 03:28]
"BDAgent"="H:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-04-10 11:18]
"SoundMan"="SOUNDMAN.EXE" [2004-10-26 22:49 H:\WINDOWS\SOUNDMAN.EXE]
"CTHelper"="CTHELPER.EXE" [2006-08-11 13:56 H:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 H:\WINDOWS\system32\CTXFIHLP.EXE]
"Disc Detector"="H:\Creative\ShareDLL\ctnotify.exe" []
"Adobe Reader Speed Launcher"="H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"NWEReboot"="" []
"QuickTime Task"="H:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="H:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18]
"Google Desktop Search"="H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-16 17:17]
"Windows Defender"="H:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"!AVG Anti-Spyware"="H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]
"dumprep"="H:\WINDOWS\system32\spoolc.exe" [2007-12-01 16:38]
"clkhost"="H:\WINDOWS\dcxxygx.exe" [2007-12-01 16:38]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="H:\Documents and Settings\Jerry\Application Data\Mozilla\Firefox\Profiles\ggqfefsd.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\unins000.exe" []

H:\Documents and Settings\Emily\Start Menu\Programs\Startup\
setings.exe [2007-11-22 10:14:22]

H:\Documents and Settings\Janet.JJBE-571059D129\Start Menu\Programs\Startup\
setings.exe [2007-11-22 10:14:22]

H:\Documents and Settings\Jerry\Start Menu\Programs\Startup\
setings.exe [2007-11-22 10:14:22]

H:\Documents and Settings\Lindsey\Start Menu\Programs\Startup\
setings.exe [2007-11-22 10:14:22]

H:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
setings.exe [2007-11-22 10:14:22]

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - H:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SnagIt 8.lnk - H:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2006-11-30 11:52:24]
startup.exe [2007-11-22 10:14:22]
Windows Home Server.lnk - H:\WINDOWS\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2007-07-15 08:07:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)
"NoWindowsUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= H:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
H:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 H:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 Spssys;Toshiba SPS Service;H:\WINDOWS\system32\drivers\spssys.sys
R2 WHSConnector;Windows Home Server Connector Service;"H:\Program Files\Windows Home Server\WHSConnector.exe"
S3 Aldebaran;Aldebaran - Storage Filter Drivers;\??\H:\WINDOWS\system32\Drivers\Aldebaran.sys
S3 BackupReader;BackupReader;H:\WINDOWS\system32\DRIVERS\BackupReader.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\G:\INSTAL~E\Core\BVRPMPR5.SYS
S3 ewdmaudn;ewdmaudn;\??\H:\DOCUME~1\Jerry\LOCALS~1\Temp\ewdmaudn.sys
S3 PortlUSB;PortlUSB;H:\WINDOWS\system32\DRIVERS\yepp920.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c979f6e-32e2-11dc-8916-806d6172696f}]
\Shell\AutoRun\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ccc5835-9902-11db-bef5-003018a1f539}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d880f55c-9643-11da-93b9-806d6172696f}]
\Shell\AutoRun\command - G:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-19 19:30:01 H:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- H:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-02 01:33:13 H:\WINDOWS\Tasks\MP Scheduled Scan.job"
- H:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-01 17:31:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-01 17:34:35 - machine was rebooted
.
--- E O F ---


SmitFraudFix v2.256

Scan done at 17:06:19.73, Sat 12/01/2007
Run from H:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\WINDOWS\system32\crypserv.exe
H:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\MsPMSPSv.exe
H:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
H:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
H:\Program Files\Windows Home Server\WHSConnector.exe
H:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
H:\Program Files\Softwin\BitDefender10\vsserv.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\wuauclt.exe
H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
H:\WINDOWS\SM1BG.EXE
H:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
H:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Softwin\BitDefender10\bdmcon.exe
H:\Program Files\Softwin\BitDefender10\bdagent.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\WINDOWS\CTHELPER.EXE
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
H:\Program Files\Windows Defender\MSASCui.exe
H:\WINDOWS\system32\timoty.exe
H:\Program Files\Messenger\msmsgs.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Skype\Phone\Skype.exe
H:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
H:\Program Files\The Internet Marketing Center\Desktop Marketer 3\Readers\518\574\Theme Zoom By Referral Only.exe
H:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
H:\Program Files\Microsoft Office\Office10\msoffice.exe
H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
H:\Program Files\Windows Home Server\WHSTrayApp.exe
H:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
H:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
H:\Program Files\Skype\Plugin Manager\skypePM.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» H:\


»»»»»»»»»»»»»»»»»»»»»»»» H:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» H:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» H:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» H:\WINDOWS\system32

H:\WINDOWS\system32\skuns.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» H:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» H:\Documents and Settings\Jerry


»»»»»»»»»»»»»»»»»»»»»»»» H:\Documents and Settings\Jerry\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» H:\DOCUME~1\Jerry\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» H:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sockspy.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9615FB69-2786-4C21-9C8A-4A07DECD746A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9615FB69-2786-4C21-9C8A-4A07DECD746A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9615FB69-2786-4C21-9C8A-4A07DECD746A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Hope that helps.

Thanks,

Jerry

#6
racenutalways

    Member 1K

  • Retired Staff
  • 1,675 posts
Sorry for the late reply, was away due to health issues. Let's get rid of that Smitfraud infection and do some cleaning.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
H:\WINDOWS\system32\tmp.reg
H:\WINDOWS\dcxxygx.exe
H:\WINDOWS\daverx.exe
H:\WINDOWS\system32\timoty.exe
H:\WINDOWS\system32\msanton.exe
H:\Documents and Settings\Administrator\Start Menu\Programs\Startup\setings.exe
H:\Documents and Settings\Lindsey\Start Menu\Programs\Startup\setings.exe
H:\Documents and Settings\Jerry\Start Menu\Programs\Startup\setings.exe
H:\Documents and Settings\Janet.JJBE-571059D129\Start Menu\Programs\Startup\setings.exe
H:\Documents and Settings\Emily\Start Menu\Programs\Startup\setings.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1962C5BC-E475-465B-823B-133E711BCEB9}"=-

[-HKEY_CLASSES_ROOT\clsid\{1962c5bc-e475-465b-823b-133e711bceb9}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"froody"=-
"clkhost"=-



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you also use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you also use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


SUPERAntiSpyware Home Edition (free version) - Download - Home Page

1. Install it and double-click the icon on your desktop to run it.
2. It will ask if you want to update the program definitions, click Yes.
3. Under Configuration and Preferences, click the Preferences button.
4. Click the Scanning Control tab.
5. Under Scanner Options make sure the following are checked:

1. Close browsers before scanning
2. Scan for tracking cookies
3. Terminate memory threats before quarantining.
4. Please leave the others unchecked.
5. Click the Close button to leave the control center screen.

6. On the main screen, under Scan for Harmful Software click Scan your computer.
7. On the left check C:\Fixed Drive.
8. On the right, under Complete Scan, choose Perform Complete Scan.
9. Click Next to start the scan. Please be patient while it scans your computer.
10. After the scan is complete a summary box will appear. Click OK.
11. Make sure everything in the white box has a check next to it, then click Next.
12. It will quarantine what it found and if it asks if you want to reboot, click Yes.
13. To retrieve the removal information for me please do the following:

1. After reboot, double-click the SUPERAntispyware icon on your desktop.
2. Click Preferences. Click the Statistics/Logs tab.
3. Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
4. It will open in your default text editor (such as Notepad/Wordpad).
5. Please highlight everything in the notepad, then right-click and choose copy.

14. Click close and close again to exit the program.
15. Save the log information. If needed (still infected) paste this info along with your HijackThis log.
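A defender-side way to triage the ComboFix sections racenutalways is acting on above (the Run keys, the per-user Startup folders, the policies keys and AppInit_DLLs): the script below is an added example, not a tool from this thread, from ComboFix or from SmitfraudFix. It scans a constructed excerpt modelled on Jerry's log and flags the same kinds of entries the CFScript removes. Function and regex names are my own, and the heuristics are assumptions stated in the comments: a Run value whose label bears no resemblance to the executable it launches from inside the Windows directory, a bare .exe dropped into a Startup folder instead of a shortcut, a lockout policy set to 1, and a non-empty AppInit_DLLs.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the ComboFix "Reg Loading Points" section posted above;
# it is sample input for this script, not a new log from the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"froody"="H:\WINDOWS\system32\timoty.exe" [2007-11-22 10:14]
"Skype"="H:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-10-26 22:49 H:\WINDOWS\SOUNDMAN.EXE]
"dumprep"="H:\WINDOWS\system32\spoolc.exe" [2007-12-01 16:38]
"clkhost"="H:\WINDOWS\dcxxygx.exe" [2007-12-01 16:38]

H:\Documents and Settings\Jerry\Start Menu\Programs\Startup\
setings.exe [2007-11-22 10:14:22]

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SnagIt 8.lnk - H:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2006-11-30 11:52:24]
startup.exe [2007-11-22 10:14:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)
"NoWindowsUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sockspy.dll"
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$', re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')
POLICY_VALUE_RE = re.compile(r'^"([^"]+)"=\s*(\d+)')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"="([^"]*)"$', re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r'^[A-Z]:\\.*\\Startup\\$', re.IGNORECASE)
IN_WINDIR_RE = re.compile(r'^[A-Z]:\\WINDOWS\\', re.IGNORECASE)
# Assumption: these policy values, when set to 1, lock the user out of the tools needed to clean up.
LOCKOUT_POLICIES = {"DisableRegistryTools", "DisableTaskMgr", "NoControlPanel", "NoWindowsUpdate"}


def classify_key(key):
    """Map a registry key header to the kind of block that follows it (my own naming)."""
    k = key.lower()
    if k.endswith("\\currentversion\\run"):
        return "run"
    if "\\policies\\system" in k or "\\policies\\explorer" in k:
        return "policy"
    if k.endswith("\\windows nt\\currentversion\\windows"):
        return "appinit"
    return None


def resolve_path(data, meta):
    """ComboFix prints a resolved path in the brackets when the value is a bare file name."""
    m = re.search(r'[A-Za-z]:\\.*$', meta)
    return m.group(0) if m else data


def label_matches(label, path):
    """Heuristic: the Run value name should share its stem with the executable it starts."""
    norm = lambda s: re.sub(r'[^a-z0-9]', '', s.lower())
    stem = norm(re.sub(r'\.[^.\\]+$', '', path.rsplit('\\', 1)[-1]))
    lab = norm(label)
    return bool(stem) and (stem in lab or lab in stem)


def analyze(log_text):
    """Return (kind, detail) findings for the suspicious autostart and policy entries."""
    findings = []
    section = None  # (kind, name) of the block being read; a blank line ends a block
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            section = None
            continue
        m = KEY_RE.match(line)
        if m:
            section = (classify_key(m.group(1)), m.group(1))
            continue
        if STARTUP_DIR_RE.match(line):
            section = ("startup", line)
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "run":
            m = RUN_VALUE_RE.match(line)
            if m:
                label, data, meta = m.groups()
                path = resolve_path(data, meta)
                # Only judge files inside the Windows directory, where random names stand out.
                if path and IN_WINDIR_RE.match(path) and not label_matches(label, path):
                    findings.append(("run_label_mismatch", f"{name}: {label!r} -> {path}"))
        elif kind == "policy":
            m = POLICY_VALUE_RE.match(line)
            if m and m.group(1) in LOCKOUT_POLICIES and m.group(2) != "0":
                findings.append(("lockout_policy", f"{name}: {m.group(1)}={m.group(2)}"))
        elif kind == "appinit":
            m = APPINIT_RE.match(line)
            if m and m.group(1).strip():
                findings.append(("appinit_dll", f"{name}: {m.group(1)}"))
        elif kind == "startup":
            # Items are "name [timestamp]" or "name.lnk - target [timestamp]"; a bare .exe is unusual.
            item = line.split(" [")[0].split(" - ")[0].strip()
            if item.lower().endswith(".exe"):
                findings.append(("startup_exe", f"{name}{item}"))
    return findings


def summarize(findings):
    """Count findings per kind, handy for a quick first look at a long log."""
    return dict(Counter(kind for kind, _ in findings))


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"{kind:20} {detail}")
    print(summarize(analyze(SAMPLE_LOG)))
```

The label check is deliberately loose (substring either way after stripping punctuation) so that values such as "ctfmon.exe" and "SoundMan" pass while "froody", "dumprep" and "clkhost" are reported; on a real log, treat its output as a worklist to confirm by hand, not as a verdict.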

#7
racenutalways

    Member 1K

  • Retired Staff
  • 1,675 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.