I tried to remove SpySheriff but Panda Active Scan still found somethi



#1
Denische (Member, 19 posts)
Panda Active Scan Report:

Incident Status Location

Adware:adware/intcodec Not disinfected Windows Registry
Adware:adware/ieloader Not disinfected Windows Registry
Potentially unwanted tool:application/kill&clean Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF69DF00-2734-477F-8257-27CD04F88779}
Adware:adware/systemdoctor Not disinfected Windows Registry
Dialer:dialer.min Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB893839-10F0-4AF9-92FA-B23528F530AF}
Adware:adware/spywaresheriff Not disinfected Windows Registry
Adware:adware/adrotator Not disinfected Windows Registry
Adware:adware/netword Not disinfected Windows Registry
Adware:adware/wetoffice Not disinfected Windows Registry
Adware:adware/spywaresoftstop Not disinfected Windows Registry
Virus:trj/downloader.imy Disinfected Operating system
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Denise\Cookies\denise@atwola[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Denise\Cookies\denise@ccbill[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Denise\Cookies\denise@cgi-bin[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Denise\Cookies\[email protected][1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Denise\Cookies\denise@go[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Denise\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:54:53 PM 9/24/2006

+ Scan result:



C:\WINDOWS\xpupdate.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).


::Report end



Any other suggestions......

Thanks,

Denise


#2
Wizard (Retired Staff, 5,661 posts)
Hi Denische and Welcome to GeekstoGo!

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

#3
Denische (Topic Starter, Member, 19 posts)
SmitFraudFix v2.99

Scan done at 20:33:13.71, Sun 09/24/2006
Run from C:\Documents and Settings\Denise\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Denise\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Denise\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="\\\\?\\C:\\WINDOWS\\system32\\lpt6.tuj"


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#4
Wizard (Retired Staff, 5,661 posts)
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

#5
Denische (Topic Starter, Member, 19 posts)
SmitFraudFix v2.99

Scan done at 20:52:31.68, Sun 09/24/2006
Run from C:\Documents and Settings\Denise\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End




It still seems to be really slow.....

#6
Wizard (Retired Staff, 5,661 posts)
I sent you a Private Message to sorta warn you there was more than just general malware involved, didn't wanna alarm ya.


Let's try the Gromozon Removal Tool and see how it does.
http://www.prevx.com/gromozon.asp


Launch the program and click Scan; when it locates the infection, it will tell you it's going to reboot the machine and remove the infection.

Let the machine restart and wait for the tool to finish.

A log will be generated on the C:\ drive; please post the contents of that log in the next reply.

#7
Denische (Topic Starter, Member, 19 posts)
The page cannot be displayed for that link.

#8
Wizard (Retired Staff, 5,661 posts)
Here, have mine! :whistling:

Attached to the post.


#9
Denische (Topic Starter, Member, 19 posts)
Nothing seems to happen. I double-clicked on it and I also extracted it... it goes as far as asking me to run it, and when I click "run" nothing seems to happen.

#10
Wizard (Retired Staff, 5,661 posts)
The rootkit must be using some form of task kill to prevent the tool from running, along with what appears to be a Hosts file modification that prevents your browser from reaching the site itself.

Let me talk a little more with you in private and see if we can sort this thing out.


#11
Denische (Topic Starter, Member, 19 posts)
Logfile of HijackThis v1.99.1
Scan saved at 10:36:36 PM, on 9/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\Regedit.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Denise\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6F14EEF1-8C96-6D0A-616B-C07E3C5990B5} - C:\WINDOWS\mpiou1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

#12
Denische (Topic Starter, Member, 19 posts)
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\Desktop\HijackThis.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Desktop\hijackthis.zip : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Desktop\HJTsetup.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Desktop\office2003ISO.zip : SummaryInformation (88 bytes)
C:\Documents and Settings\Denise\Desktop\office2003ISO.zip : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes)
C:\Documents and Settings\Denise\Desktop\prevxremovaltool.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Desktop\SmitfraudFix\dumphive.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Desktop\SmitfraudFix\GenericRenosFix.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Desktop\SmitfraudFix\Process.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Desktop\SmitfraudFix\Reboot.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Desktop\SmitfraudFix\restart.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Desktop\SmitfraudFix\SmitfraudFix.cmd : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Desktop\SmitfraudFix\SmiUpdate.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Desktop\SmitfraudFix\SrchSTS.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Desktop\SmitfraudFix\swreg.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Desktop\SmitfraudFix\swsc.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Desktop\SmitfraudFix\unzip.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Local Settings\Temporary Internet Files\Content.IE5\3VTBJHCW\Ed%20Winnipeg-%20August%209[1].xls : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Local Settings\Temporary Internet Files\Content.IE5\3VTBJHCW\Ed%20Winnipeg-%20August%209[2].xls : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Local Settings\Temporary Internet Files\Content.IE5\8XUR4HEN\iPodSetup[1].exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Local Settings\Temporary Internet Files\Content.IE5\8XUR4HEN\iPodSetup[2].exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Local Settings\Temporary Internet Files\Content.IE5\8XUR4HEN\iTunesSetup[1].exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Local Settings\Temporary Internet Files\Content.IE5\8XUR4HEN\iTunesSetup[2].exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Local Settings\Temporary Internet Files\Content.IE5\8XUR4HEN\Milano_Meeting_7_20[1].doc : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Local Settings\Temporary Internet Files\Content.IE5\8XUR4HEN\TRAVEL_FOR_LESS[1].doc : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Local Settings\Temporary Internet Files\Content.IE5\D4OJLLKL\iPodder21Setup[2].exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Local Settings\Temporary Internet Files\Content.IE5\D4OJLLKL\prevxremovaltool[1].zip : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Local Settings\Temporary Internet Files\Content.IE5\QTZ8LGV6\ewido-setup_4.0.0.172c[1].exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\Local Settings\Temporary Internet Files\Content.IE5\QTZ8LGV6\FCUK-MayTVx2[1].xls : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\My Documents\101MSDCF\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\David\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\fin_teaser_dart.mpeg : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Black Eyed Peas\Monkey Business\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Black Eyed Peas\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Bon Jovi\One Wild Night- Live 1985-2001\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Bon Jovi\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Coldplay\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Coldplay\X&Y\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Despina Vandi\Come Along Now\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Despina Vandi\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Dido\Life for Rent\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Dido\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Duran Duran\Astronaut\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Duran Duran\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Eminem\Encore Disc 1\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Eminem\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Interpol\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\iTunes\iTunes Music\Andrea Bocelli\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\iTunes\Michael Bublé\It's Time\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\iTunes\Michael Bublé\Michael Bublé\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\iTunes\Michael Bublé\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Jann Arden\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Josh Groban\Closer\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Josh Groban\Josh Groban\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Josh Groban\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Kelly Clarkson\Breakaway\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Kelly Clarkson\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Maroon 5\Songs About Jane\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Maroon 5\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\New Order\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\New Order\Waiting for the Sirens' Call\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Norah Jones\Come Away With Me\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Norah Jones\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Original Broadway Cast\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Robbie Williams\Greatest Hits [UK]\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Robbie Williams\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\The Killers\Hot Fuss\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\The Killers\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Usher\Confessions\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Usher\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Various Artists\Freestyle's Greatest Collection Disc 1\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Various Artists\Freestyle's Greatest Collection Disc 3\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Various Artists\Freestyle's Greatest Collection Disc 4\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Various Artists\Freestyle's Greatest Hits, Vol. 2 [SPG]\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Music\Various Artists\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\101MSDCF\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\2005_06_18\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\Andrew V\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\AvaDavid\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\CCCP WIN\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\Christmas 05\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\denise\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\denisewedding\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\Direct Las Vegas Convention\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\Dylan Wedding\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\Ferrari\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\Invite\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\Maria's Stag\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\montreal\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\My Logitech Pictures\Pictures and Videos\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\New Years\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\Pic's\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\Ski Weekend\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\Tom\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\TOm & Anna\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\Vegas Baby\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\Vegas Engag\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\Wedding Maria & Vegas\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Pictures\Winston\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Denise\My Documents\My Received Files\DSC00674.JPG : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\My Documents\My Received Files\Greece0181 copy.jpg : Zone.Identifier (26 bytes)
C:\Documents and Settings\Denise\My Documents\Sign Junkies\Thumbs.db : encryptable (0 bytes)
C:\Program Files\BitComet\Torrents\Green Day - American Idiot - Album 2004 Full.torrent : Zone.Identifier (26 bytes)

#13
Denische (Topic Starter, Member, 19 posts)
SmitFraudFix v2.99

Scan done at 18:27:27.78, Mon 09/25/2006
Run from C:\Documents and Settings\Denise\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Denise\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Denise\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

#14
Denische (Topic Starter, Member, 19 posts)
Logfile of HijackThis v1.99.1
Scan saved at 6:35:35 PM, on 9/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Denise\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {E53E45CA-24EB-3161-DEA6-EB7D1353F6DC} - C:\WINDOWS\mpiou1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

#15
Wizard (Retired Staff, 5,661 posts)
How did you like that ride?

Wasn't it wonderful, don't you wanna do this at least once a week? :whistling:


Open HijackThis -> click "Do a System Scan Only" and put a check by these, but DO NOT hit the Fix Checked button yet:

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {E53E45CA-24EB-3161-DEA6-EB7D1353F6DC} - C:\WINDOWS\mpiou1.dll (file missing)

Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button.


Run Option 2 of the SmitFraud Fix again just as you did before; allow it to fix the registry and clear the temp files.

Download Bobbi Flekman's RegSearch to your Desktop
http://www.bleepingc...s/regsearch.php

Double-click the icon for RegSearch.exe to launch the program.
Copy / Paste the following line into the Search Box:

E53E45CA-24EB-3161-DEA6-EB7D1353F6DC

mpiou1.dll

lpt6.tuj


Hit OK

After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe.

Post the results of the Reg Search in the next reply please.
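An added triage script, not part of this thread and not one of the tools it names, that checks from the defender's side the three artifacts the helper keyed on: the AppInit_DLLs value from the SmitfraudFix report in #3 (a \\?\ path to a file named after a reserved device, lpt6), the HijackThis R3/O2 lines picked out in #15, and a hosts file like the one suspected in #10. The sample inputs are constructed to mirror those logs; the hosts entry for prevx.com is an assumption about what blocked the download, not something the thread confirms.

```python
"""Added triage helpers for the artifacts in this thread: the AppInit_DLLs value from
the SmitfraudFix report, HijackThis O2/R3 lines, and a hosts file (samples constructed)."""
import re

# Reserved DOS device names. A file whose stem is one of these (lpt6.tuj) can only be
# opened through the \\?\ extended-length prefix, so ordinary Explorer or cmd deletes
# fail against it; that is why the loader value in the report carries the prefix.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)
# HijackThis O2 line: "O2 - BHO: name - {CLSID} - path [(file missing)]"
HJT_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")


def parse_reg_string(line: str) -> str:
    """Pull the value out of a .reg-style '"AppInit_DLLs"="..."' line and undo the
    doubled-backslash escaping that format uses."""
    m = re.match(r'^"AppInit_DLLs"="(.*)"$', line.strip())
    if not m:
        raise ValueError("not an AppInit_DLLs line")
    return m.group(1).replace("\\\\", "\\")


def appinit_findings(value: str) -> list[str]:
    """Explain why an AppInit_DLLs value deserves attention (empty list = normal)."""
    findings: list[str] = []
    if not value:
        return findings  # empty is the expected state on a clean XP machine
    findings.append("AppInit_DLLs is set: the DLL loads into every process that links user32.dll")
    if value.startswith("\\\\?\\"):
        findings.append("path uses the \\\\?\\ prefix, which skips normal Win32 name parsing")
    stem = value.replace("/", "\\").rsplit("\\", 1)[-1].split(".", 1)[0].upper()
    if stem in RESERVED_DEVICE_NAMES:
        findings.append(f"'{stem}' is a reserved device name; the file resists normal deletion")
    return findings


def hjt_findings(log_text: str) -> list[tuple[str, str]]:
    """Return (line, reason) pairs for the HijackThis entries worth a second look;
    on the thread's log these are exactly the two lines picked out for fixing."""
    findings: list[tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "R3 - Default URLSearchHook is missing":
            findings.append((line, "default URLSearchHook removed; typical of search hijackers"))
            continue
        m = HJT_BHO.match(line)
        if not m:
            continue
        reasons = []
        if m["name"] == "Class":
            reasons.append("generic BHO name")
        if m["path"].endswith("(file missing)"):
            reasons.append("registered DLL no longer on disk")
        if m["path"].lower().startswith("c:\\windows\\") and m["path"].count("\\") == 2:
            reasons.append("DLL dropped directly in C:\\WINDOWS")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


def hosts_findings(hosts_text: str, watch_suffixes: tuple[str, ...]) -> list[tuple[str, str]]:
    """Flag hosts entries that pin watched vendor/support names anywhere, or map names
    other than localhost to loopback: how a browser gets kept off a removal tool's site."""
    findings: list[tuple[str, str]] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            lname = name.lower()
            if lname.endswith(watch_suffixes):
                findings.append((line, f"{name} is pinned to {ip}"))
            elif ip in ("127.0.0.1", "0.0.0.0", "::1") and lname != "localhost":
                findings.append((line, f"{name} is sinkholed to {ip}"))
    return findings


# Constructed samples shaped like the reports in the thread.
SAMPLE_REG_LINE = r'"AppInit_DLLs"="\\\\?\\C:\\WINDOWS\\system32\\lpt6.tuj"'
SAMPLE_HJT = """\
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar2.dll
O2 - BHO: Class - {E53E45CA-24EB-3161-DEA6-EB7D1353F6DC} - C:\\WINDOWS\\mpiou1.dll (file missing)
"""
# The prevx.com entry is an assumption about what blocked the download, not a thread fact.
SAMPLE_HOSTS = "127.0.0.1       localhost\n127.0.0.1       www.prevx.com\n"

if __name__ == "__main__":
    for why in appinit_findings(parse_reg_string(SAMPLE_REG_LINE)):
        print("AppInit_DLLs:", why)
    for line, why in hjt_findings(SAMPLE_HJT) + hosts_findings(SAMPLE_HOSTS, ("prevx.com",)):
        print(f"{why}\n    {line}")
```

Feed it the real rapport.txt, HijackThis log and C:\WINDOWS\system32\drivers\etc\hosts from the affected machine instead of the samples; an empty AppInit_DLLs value and no flagged lines is the expected clean result.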