
I have Trojan horses - Downloader Agent [RESOLVED]

This topic is locked

#1
destone
New Member, 8 posts
Hi,

As it turns out, I have a number of trojan horses etc in my computer. I will list the problems first, and then all the steps I have taken (as per your website's instructions). My operating system is Windows XP Pro with Service Pack 2.

The problems:

1) almost every program I use will lock up (even ones such as MS Excel & Word), and I have to use "control-alt-delete" to close them - it says program "not responding"

2) opening any program or doing any operation takes very long as often the CPU usage goes to and stays at 100%

3) most of the time I cannot connect to the internet, & when I double-click on the little 2-computer icon (at the bottom right of the screen), I get the message to check my connection/cables. Periodically, it will come online. To send this to you, I am using my wife's computer.

4) my desktop has been taken over by a blank red screen, with a flashing box in the middle stating I should buy their anti-infection software (there is a link titled "RazeSpyware"). My program icons on the left are still there, and they do work, but very slowly. Also, I cannot right click on the desktop - nothing happens, I cannot get to its properties.

5) Sygate found 2 problem files in Windows\system32 (wvwkl.exe and pcqjf.exe) but I cannot open system32 in Windows Explorer, it just goes blank (even though I am the administrator).

6) In Regcleaner, there are always 2 entries listed as "new", even though I remove them each time. They are "Soundfont" and "Sygate Using Netport"

7) In C:\Program Files there is a folder called "xerox", which I did not install. It has a subfolder, "nwwia" which I cannot delete because it is always "in use". I used "control-alt-delete" to end the process, but I cannot get back to the file to delete it before it is running again.

The steps I have taken thus far:

1) I have run AVG, AdAware, Spybot many times. Most often they freeze while in system32, & occasionally a SYSTEM SHUTDOWN message from NT Authority System will appear, & the computer will shut down.

2) I went to your website & followed as many steps as I could:

3) I did Cleanup

4) tried AdAware - the computer shut down, even in Safe Mode, but, on the 4th try, it did make it through

5) did CWShredder

6) did Spybot, which stated that there was a problem in the "include file C:\Program Files\Spybot_Search_Destroy\Includes\Hijackers.sbi"

7) did Ewido (but I couldn't update it as it is past the 30-day trial period)

8) cannot do Trend online scan as I cannot connect - wait - it just came on.
ran the Trend scan, it got quite a few, but couldn't get "TSPY_AGENT.TQ"

9) did AVG

10) did Trojan Hunter

11) rebooted - the internet connection is once again gone (an X over the icon)

- the desktop popup for RazeSpyware is gone, but the desktop is still blank (no picture) and I cannot access the properties

- with no applications open, the CPU usage still fluctuates between 2% and 100%

HERE ARE THE SCAN LOGS:

Logfile of HijackThis v1.99.1
Scan saved at 1:31:27 AM, on 7/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\taskswitch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.vc.shawcable.net:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F9ECF2E-A6CE-4AE1-9330-995C734EEBEA}: NameServer = 85.255.116.36,85.255.112.75
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.36 85.255.112.75
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.36 85.255.112.75
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.36 85.255.112.75
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:08:57 PM, 7/20/2006
+ Report-Checksum: 931D55A7

+ Scan result:

C:\WINDOWS\system32\csolz.exe -> Downloader.Agent.uj : Cleaned with backup
C:\WINDOWS\system32\dmflm.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\dmpum.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\rgvaz.exe -> Trojan.DNSChanger.ef : Cleaned with backup
C:\WINDOWS\system32\tfavr.exe -> Trojan.DNSChanger.ef : Cleaned with backup
C:\WINDOWS\system32\{F6FB892C-17B2-4F32-A2C1-0D6B9C5135F0}.exe -> Adware.Raze : Cleaned with backup


::Report End


THESE ARE THE 2 NEW ITEMS FOUND BY REGCLEANER:

RegCleaner 4.3 by Jouni Vuorio

Author : SoundFont
Software : Files
Age : New

If you choose to remove this item these keys would be removed


RegCleaner 4.3 by Jouni Vuorio

Author : Sygate
Software : UsingNetport
Age : New

If you choose to remove this item this key would be removed
HKEY_CLASSES_ROOT\Software\Sygate\UsingNetport

I hope this is enough information - and THANK YOU FOR YOUR HELP!


#2
Daemon
Security Expert, Retired Staff, MVP, 4,356 posts
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:

http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin, follow the prompts. You will be asked to reboot your computer, please do so. Your system may take longer than usual to load, this is normal.

At the end of the fix, you may need to restart your computer again. Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O17 - HKLM\System\CCS\Services\Tcpip\..\{9F9ECF2E-A6CE-4AE1-9330-995C734EEBEA}: NameServer = 85.255.116.36,85.255.112.75
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.36 85.255.112.75
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.36 85.255.112.75
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.36 85.255.112.75

Exit HijackThis. Reboot and post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt
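The fix above singles out the four O17 NameServer lines from the first log. As an added example (not code from the thread, from HijackThis or from Fixwareout), the Python script below parses O17 entries in both separator forms HijackThis prints, checks each resolver against a placeholder allow-list that you must replace with your own router/ISP addresses, and reports which control sets carry an unexpected resolver.

```python
"""Flag unexpected DNS resolvers (O17 entries) in a HijackThis 1.99 log.

Added example, not part of the original thread. SAMPLE_LOG is constructed
from the O17 lines quoted in the thread plus one LAN-router entry for
contrast; EXPECTED_RESOLVERS is a placeholder allow-list.
"""
import ipaddress
import re

# Constructed sample: the thread's four O17 lines (note both the comma and
# the space separator HijackThis uses) and one made-up interface entry.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http://proxy.vc.shawcable.net:8080
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{9F9ECF2E-A6CE-4AE1-9330-995C734EEBEA}: NameServer = 85.255.116.36,85.255.112.75
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 85.255.116.36 85.255.112.75
O17 - HKLM\\System\\CS2\\Services\\Tcpip\\Parameters: NameServer = 85.255.116.36 85.255.112.75
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.116.36 85.255.112.75
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
"""

# Placeholder allow-list (assumption): resolvers this machine is expected
# to use, e.g. the LAN router or the ISP's servers. Replace with your own.
EXPECTED_RESOLVERS = {
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
}

# An O17 line: "O17 - <registry key>: NameServer = <one or more addresses>"
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return a list of (registry key, [resolver strings]) for every O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HijackThis separates multiple servers with a comma or a space.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        entries.append((m.group("key"), servers))
    return entries


def is_expected(resolver, allowed=EXPECTED_RESOLVERS):
    """True if the resolver is a valid IP inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(resolver)
    except ValueError:
        return False  # not an IP literal at all: treat as unexpected
    return any(ip in net for net in allowed)


def find_rogue_resolvers(log_text, allowed=EXPECTED_RESOLVERS):
    """Map each unexpected resolver to the registry keys that reference it."""
    rogue = {}
    for key, servers in parse_o17(log_text):
        for s in servers:
            if not is_expected(s, allowed):
                rogue.setdefault(s, []).append(key)
    return rogue


if __name__ == "__main__":
    for resolver, keys in find_rogue_resolvers(SAMPLE_LOG).items():
        print(f"unexpected resolver {resolver} set in {len(keys)} key(s):")
        for k in keys:
            print("   ", k)
```

Because the same addresses sit under CS1 and CS2 as well as CCS, booting to Last Known Good Configuration would not clear them; every listed entry has to be fixed, as the reply above instructs.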

#3
destone
New Member (Topic Starter), 8 posts
Hi Daemon,

Thanks for your quick reply! I followed your instructions, and will post the 2 reports.

The results/changes so far are:

1) the CPU usage so far has not gone up to 100%

2) Windows Explorer is now able to open the "system 32" folder (but I didn't do anything in there, just checked)

3) the "Soundfont" and "Sygate" entries (as per #6 below) didn't show up in Regcleaner

4) the desktop changed from all red to all white, and is inaccessible

5) there still is that weird file in "Program Files" (as per #7 below) called "xerox" which I cannot delete as it is always running. I have no idea what it is.

6) I still cannot connect to the internet, so I am sending this once again via another computer

Logfile of HijackThis v1.99.1
Scan saved at 10:30:42 AM, on 7/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\taskswitch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.vc.shawcable.net:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

and here is the report from Fixwareout:


Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nlcalik
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ypszr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\onisacputes
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

サササササ Search by size and names...

サササササ Misc files

サササササ Checking for older varients covered by the Rem3 tool

サササササ
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects
Directory of C:\WINDOWS\system32
{7A99DE0F-BF66-4C77-B02E-5C61C2D1BB0E}.exe
{DB7BC339-9B2F-41FA-88BF-A5F6C309C5C3}.exe
{3EC2881C-F0ED-40FE-A1F9-C079CB6C9430}.exe


(sorry about the weird icons in the report - my wife's computer uses Japanese Windows, which sometimes changes things!)

THANKS AGAIN, DAEMON!

Edited by destone, 21 July 2006 - 11:57 AM.

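Added example, not part of this thread and not code from Fixwareout: the value names Fixwareout deleted under HKLM\...\CurrentVersion\Urls in the report above are ordinary words written backwards ("llun" is "null", "swen" is "news", "onisacputes" is "setupcasino"), which is how this family kept its configuration from standing out in a registry search. The Python script below reads report lines, reverses each leaf name so the readable form appears beside it, and separately picks out the GUID-named executables listed under "Other suspects" in system32 (a naming pattern worth a VirusTotal check, as the report itself says, since it can also be legitimate). The sample input is copied from the report above.

```python
"""Decode reversed Wareout registry names and pick out GUID-named
executables from a Fixwareout report (added example, not tool code)."""
from __future__ import annotations
import re

# Sample input: lines copied from the Fixwareout report posted in this thread.
REPORT = r"""
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\onisacputes
Other suspects
Directory of C:\WINDOWS\system32
{7A99DE0F-BF66-4C77-B02E-5C61C2D1BB0E}.exe
{DB7BC339-9B2F-41FA-88BF-A5F6C309C5C3}.exe
{3EC2881C-F0ED-40FE-A1F9-C079CB6C9430}.exe
"""

# Leaf name of a deleted HKLM\...\CurrentVersion\Urls\<name> entry.
URLS_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Urls\\"
    r"(?P<name>[^\\\s]+)$",
    re.IGNORECASE,
)
# {8-4-4-4-12 hex}.exe, the naming pattern of the "Other suspects" above.
GUID_EXE = re.compile(
    r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.IGNORECASE
)


def decode_urls_names(report: str) -> dict[str, str]:
    """Map each deleted Urls leaf name to the same string reversed.

    The malware wrote readable names backwards; reversing recovers the
    original (e.g. 'llun' -> 'null', 'swen' -> 'news').
    """
    decoded: dict[str, str] = {}
    for line in report.splitlines():
        m = URLS_KEY.match(line.strip())
        if m:
            name = m.group("name")
            decoded[name] = name[::-1]
    return decoded


def guid_named_executables(report: str) -> list[str]:
    """Return file names in the report that are a bare GUID plus .exe."""
    return [ln.strip() for ln in report.splitlines() if GUID_EXE.match(ln.strip())]


if __name__ == "__main__":
    for raw, plain in decode_urls_names(REPORT).items():
        print(f"{raw:<14} -> {plain}")
    for exe in guid_named_executables(REPORT):
        print("GUID-named executable in system32:", exe)
```

Reversal is only a convenience for reading the report; the real signal is that a Urls key with nonsense leaf names exists at all, which is what Fixwareout keys on.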

#4 Daemon (Security Expert, Retired Staff, 4,356 posts, MVP)
Click here to download SmitfraudFix (by S!Ri). Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Click here to download System Security Suite. Extract it from the zip file into a folder.

Update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed. Do NOT run a scan yet. Exit the program.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or the partition where your operating system is installed. Please post that log in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

Edited by Daemon, 21 July 2006 - 12:05 PM.


#5 destone (New Member, Topic Starter, 8 posts)
Greetings!

I have done as you asked, and here is the logfile of Smitfraudfix:

SmitFraudFix v2.74

Scan done at 23:51:49.18, Fri 07/21/2006
Run from C:\Documents and Settings\SOUND\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\SOUND\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SOUND\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINDOWS\\desktop.html"
"SubscribedURL"="C:\\WINDOWS\\desktop.html"
"FriendlyName"="Security"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

It only took a few seconds to run the Search option, so I hope it worked.
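Added example, not part of this thread and not code from SmitfraudFix: the one finding in the rapport.txt above is the "Desktop Components" entry, an Active Desktop component under HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0 whose Source and SubscribedURL point at the local file C:\WINDOWS\desktop.html with the friendly name "Security". That is the mechanism behind the red "buy our software" background described at the start of the thread. The Python script below parses that section of a rapport.txt and flags any component whose Source or SubscribedURL is a local path rather than a web URL. The sample input is the section from the log above plus one constructed, clearly marked benign component for contrast.

```python
"""Flag Active Desktop components pointing at local files in a
SmitfraudFix rapport.txt (added example, not SmitfraudFix code)."""
from __future__ import annotations
import re

# Sample input: the Desktop Components section of the rapport.txt posted in
# this thread. Components\1 is CONSTRUCTED for contrast and is not in that log.
RAPPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINDOWS\\desktop.html"
"SubscribedURL"="C:\\WINDOWS\\desktop.html"
"FriendlyName"="Security"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://www.example.com/weather.html"
"SubscribedURL"="http://www.example.com/weather.html"
"FriendlyName"="Weather"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
"""

SECTION = re.compile(r"^»+\s*(?P<title>.+?)\s*$")      # »»» Section title
KEY = re.compile(r"^\[(?P<key>.+)\]$")                  # [HKEY_...\Components\0]
VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')  # "Name"="value"
LOCAL = re.compile(r"^(?:[A-Za-z]:\\|file:)", re.IGNORECASE)  # drive path or file: URL


def parse_desktop_components(rapport: str) -> list[dict[str, str]]:
    """Return one dict per component key found in the Desktop Components section."""
    components: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    inside = False
    for line in rapport.splitlines():
        s = SECTION.match(line)
        if s:
            inside = s.group("title") == "Desktop Components"
            continue
        if not inside:
            continue
        k = KEY.match(line)
        if k:
            current = {"key": k.group("key")}
            components.append(current)
            continue
        v = VALUE.match(line)
        if v and current is not None:
            # rapport.txt uses .reg-style escaping: "\\" stands for one backslash.
            current[v.group("name")] = v.group("val").replace("\\\\", "\\")
    return components


def hijacked_components(rapport: str) -> list[dict[str, str]]:
    """Components whose content comes from a local file instead of a web URL."""
    return [
        c for c in parse_desktop_components(rapport)
        if LOCAL.match(c.get("Source", "")) or LOCAL.match(c.get("SubscribedURL", ""))
    ]


if __name__ == "__main__":
    for c in hijacked_components(RAPPORT):
        print(f'{c["key"]}: "{c.get("FriendlyName")}" -> {c.get("Source")}')
```

A local-file Source is not proof of infection on its own (a user can add one deliberately), but combined with a friendly name like "Security" and a file dropped in %SystemRoot% it is the pattern the later cleanup step (Customize Desktop > Web, uncheck "Security Info") removes by hand.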

#6 Daemon (Security Expert, Retired Staff, 4,356 posts, MVP)
Please print out or copy these instructions/tutorial to Notepad as the internet will not be available to you at certain points of the removal process (whilst in Safe Mode). Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot into Safe Mode. You can get there by restarting your computer and continually tapping F8 until a menu appears. Use your arrow to highlight Safe Mode then hit enter.

Launch ewido again:
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system.
Now close ewido.

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

When back in Normal Mode, click Start>Settings>Control Panel>Display>Desktop>Customize Desktop>Web and uncheck "Security Info" if present.

Open the System Security Suite folder and double-click sss.exe. Check the boxes under the 'Items to Clear' tab and click 'Clear Selected Items'. You will be prompted to reboot; do so.

Please post the new rapport.txt log along with a new HijackThis Log and the Ewido Log in your next reply.

Edited by Daemon, 22 July 2006 - 02:41 AM.


#7 destone (New Member, Topic Starter, 8 posts)
All instructions followed. Here are the 3 logs:

SmitFraudFix v2.74

Scan done at 12:52:23.43, Sun 07/23/2006
Run from C:\Documents and Settings\SOUND\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of HijackThis v1.99.1
Scan saved at 8:06:06 PM, on 7/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\taskswitch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.vc.shawcable.net:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:48:25 AM, 7/23/2006
+ Report-Checksum: 970C1E3E

+ Scan result:

C:\Documents and Settings\SOUND\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\SOUND\Cookies\[email protected][2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\SOUND\Cookies\[email protected][1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\SOUND\Cookies\[email protected][2].txt -> TrackingCookie.Onestat : Cleaned with backup
C:\Documents and Settings\SOUND\Cookies\sound@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\SOUND\Local Settings\Temporary Internet Files\Content.IE5\43ON01I3\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup


::Report End

It's getting better! I can now get online, I can now go to the properties for the desktop, the CPU is no longer pinned at 100% usage. I am worried about the folder called "xerox", which is in the C:\Program Files directory and which I cannot delete. This "xerox" file has a subfolder "nwwia", which also I cannot delete, even though it shows no files in that folder. If I do "control-alt-delete", it shows that "nwwia" is a process which is running.

Edited by destone, 23 July 2006 - 09:34 PM.

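Added example, not part of this thread and not code from HijackThis: a small triage pass over a HijackThis v1.99 log like the one posted above. It splits entries by section code (R1, O2, O4, O23, ...) and applies three of the checks a reviewer otherwise does by eye: O23 services for which HijackThis could not read a vendor name ("Unknown owner"), an R1 ProxyServer setting, and O4 autoruns launched from a user profile or temp directory. Every hit means "verify", not "malicious": the ATI Smart service in the log above is a legitimate ATI helper, and the proxy names a host in the user's ISP domain, which is ordinarily expected; a proxy pointing somewhere unexpected, on the other hand, is a common way for clicker and redirect trojans to sit in the browser's path. The sample input is copied from the log above plus one constructed O4 line, marked as such, so the profile-directory check has something to fire on.

```python
"""Triage pass over a HijackThis v1.99 log: added example, not code from
HijackThis or from anyone in this thread."""
from __future__ import annotations
import re
from collections import Counter

# Sample input: lines copied from the HijackThis log posted above, plus ONE
# constructed line, the O4 "[update]" entry, which is NOT in the posted log
# and uses a hypothetical file name, to exercise the profile-directory check.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.vc.shawcable.net:8080
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - HKCU\..\Run: [update] C:\Documents and Settings\SOUND\Local Settings\Temp\update.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# "O4 - <body>": section code, then the rest of the entry.
ENTRY = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# First Windows path ending in an executable extension; tolerates quoting.
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|scr|cmd|bat|com)\b', re.IGNORECASE)
# Locations a legitimate autorun rarely lives in on Windows XP.
PROFILE_OR_TEMP = ("\\temp\\", "\\documents and settings\\", "\\application data\\")


def parse_entries(log: str) -> list[tuple[str, str]]:
    """Return (section_code, body) for every HijackThis entry line."""
    entries: list[tuple[str, str]] = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def section_counts(log: str) -> Counter:
    """How many entries of each section code the log contains."""
    return Counter(code for code, _ in parse_entries(log))


def triage(log: str) -> dict[str, list[str]]:
    """Apply three reviewer checks; each hit needs verification, not deletion."""
    findings: dict[str, list[str]] = {
        "service_unknown_owner": [],
        "proxy_configured": [],
        "autorun_in_profile_or_temp": [],
    }
    for code, body in parse_entries(log):
        if code == "O23" and " - Unknown owner - " in body:
            findings["service_unknown_owner"].append(body)
        elif code == "R1" and ",ProxyServer = " in body:
            findings["proxy_configured"].append(body.split(" = ", 1)[1])
        elif code == "O4":
            m = EXE_PATH.search(body)
            if m and any(d in m.group(0).lower() for d in PROFILE_OR_TEMP):
                findings["autorun_in_profile_or_temp"].append(m.group(0))
    return findings


if __name__ == "__main__":
    print(dict(section_counts(HJT_LOG)))
    for check, hits in triage(HJT_LOG).items():
        for hit in hits:
            print(f"{check}: {hit}")
```

The checks are deliberately narrow; the point is that the log format is regular enough to script, so that the only entries left for a human are the ones that actually need judgement.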

#8 Daemon (Security Expert, Retired Staff, 4,356 posts, MVP)
Have a look at this thread:

http://discussions.h...ad.php?t=166143

It appears that it's benign.

Your log looks good - is everything running OK now?

#9 destone (New Member, Topic Starter, 8 posts)
Hi Daemon,

Well, most things are ok, but there are still a couple of problems:

1) the internet connection randomly goes off (sometimes for a few hours), and then suddenly gets connected again (without me doing anything). It is not my service provider because my wife's computer stays online (that is, no problems at all).

2) my AVG pops up a virus warning, usually a few times per hour, for the trojan horse CLICKER.FR
In the AVG Event History Log it says: Resident Shield reports Trojan horse CLICKER.FR on C:\System Volume Information\_restore{EE0A44E7-2F3A-443F-B98B-E8E4A11CE546}\RP15\A0010167.exe

Thanks again, I think we're almost there!

#10 Daemon (Security Expert, Retired Staff, 4,356 posts, MVP)
To resolve 2) do this:

1. Right-click My Computer>Click Properties>Click the System Restore tab>Check the box next to 'Turn off System Restore on all drives'>Click Apply>Click OK.

2. Reboot.

3. Repeat the process but this time remove the check from the box.

Resolving 1) without more information is quite difficult - are the computers networked?

#11 Daemon (Security Expert, Retired Staff, 4,356 posts, MVP)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.