Trojan Generic2 Kicking My Buttocks



#1 paydaydoc (Member, 19 posts)
How can I get rid of this thing?



Logfile of HijackThis v1.99.1
Scan saved at 3:56:48 PM, on 10/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\WINDOWS\System32\kernels8.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lori Sims-Martinez\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presari...t...c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...t...c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presari...t...c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: XBTP07994 - {78FF8577-D6CA-40b1-A0EB-4DD4D4082941} - C:\PROGRA~1\FREETR~1\SINGLE~1.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Free Traffic Bar by E-Business Tutor - {020B192B-60FC-4301-BFD4-9D86668D3FF8} - C:\Program Files\Free Traffic Bar by E-Business Tutor\singlebar.dll (file missing)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Advisor - {9CC2BCE3-96A9-4F2E-A6A4-2B45D93C2FA6} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: Yahoo! Literati - http://download2.gam...nts/y/tt4_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136589605718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1136589591953
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

And here is the other stuff

Incident Status Location

Adware:Adware/Adsmart Not disinfected c:\windows\system32\kernels8.exe
Adware:adware/coolsavings Not disinfected Windows Registry
Adware:adware/spysheriff Not disinfected Windows Registry
Adware:adware/bravesentry Not disinfected Windows Registry
Adware:Adware/BraveSentry Not disinfected C:\Documents and Settings\Lori Sims-Martinez\Application Data\Install.dat
Dialer:Dialer.HRC Not disinfected C:\Documents and Settings\Lori Sims-Martinez\Local Settings\Temp\5.dlb
Adware:Adware/Adsmart Not disinfected C:\lo-1507609007.exe
Adware:Adware/Adsmart Not disinfected C:\t.inx
Adware:Adware/Adsmart
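Added example for this thread (not code from the page, from HijackThis or from the scanner's vendor): a small Python triage script that cross-references the O4 Run entries of a HijackThis log against the "Incident Status Location" report pasted above, using sample lines constructed from the two logs in this post. It reports load points whose executable the scanner flagged, stale entries marked "(file missing)", and flagged files that sit on no load point; the basename fallback for 8.3 short names is a labelled assumption.

```python
"""Cross-reference HijackThis load points with an AV scan report.
Added example: not code from the thread, from HijackThis or from the scanner's vendor.
The two sample blocks are constructed from lines quoted in the post above."""
import re

# Constructed sample: a subset of the posted HijackThis log (O2 = BHO, O4 = Run key).
HJT_LOG = r"""
O2 - BHO: XBTP07994 - {78FF8577-D6CA-40b1-A0EB-4DD4D4082941} - C:\PROGRA~1\FREETR~1\SINGLE~1.DLL (file missing)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
"""

# Constructed sample: rows from the posted "Incident Status Location" table.
AV_REPORT = r"""
Incident Status Location
Adware:Adware/Adsmart Not disinfected c:\windows\system32\kernels8.exe
Adware:adware/coolsavings Not disinfected Windows Registry
Adware:Adware/Adsmart Not disinfected C:\lo-1507609007.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
OTHER_RE = re.compile(r"^(?P<type>O\d+) - (?P<rest>.*)$")
AV_RE = re.compile(r"^(?P<kind>\S+)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<loc>.+)$")
MISSING = "(file missing)"


def norm(path):
    return path.strip().lower()


def executable_path(cmd):
    """Program path from a Run value: quoted, or bare with optional arguments."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.(?:exe|dll|ocx|sys|com))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.strip()


def parse_hjt(text):
    """Parse O4 Run entries precisely; other O-lines by their last ' - ' segment."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = O4_RE.match(line)
        if m:
            entries.append({"type": "O4", "name": m["name"],
                            "path": executable_path(m["cmd"]), "missing": False})
            continue
        m = OTHER_RE.match(line)
        if m:
            parts = [p.strip() for p in m["rest"].split(" - ")]
            name = parts[0].split(": ", 1)[-1]  # "BHO: XBTP07994" -> "XBTP07994"
            missing = parts[-1].endswith(MISSING)
            path = parts[-1][: -len(MISSING)].strip() if missing else parts[-1]
            entries.append({"type": m["type"], "name": name, "path": path, "missing": missing})
    return entries


def parse_av(text):
    """Parse 'Incident Status Location' rows; the header row does not match."""
    rows = []
    for line in text.splitlines():
        m = AV_RE.match(line.strip())
        if m:
            rows.append({"kind": m["kind"], "status": m["status"], "location": m["loc"].strip()})
    return rows


def triage(hjt_text, av_text):
    """Load points the scanner flagged, stale '(file missing)' entries, and flagged
    files that sit on no load point (those still need removing by hand)."""
    entries = parse_hjt(hjt_text)
    # Keep only findings that name a file; "Windows Registry" rows carry no path.
    findings = [f for f in parse_av(av_text) if re.match(r"[a-z]:\\", f["location"], re.I)]
    by_path = {norm(f["location"]): f for f in findings}
    hits, missing, matched = [], [], set()
    for e in entries:
        if e["missing"]:
            missing.append((e["type"], e["name"]))
            continue
        f = by_path.get(norm(e["path"]))
        if f is None:
            # Assumption: fall back to the file name alone, since HijackThis may show
            # 8.3 short names (PROGRA~1) where the scanner shows the long path.
            base = norm(e["path"]).rsplit("\\", 1)[-1]
            f = next((x for x in findings if norm(x["location"]).endswith("\\" + base)), None)
        if f is not None:
            matched.add(norm(f["location"]))
            hits.append((e["type"], e["name"], norm(e["path"]), f["kind"]))
    av_only = [norm(f["location"]) for f in findings if norm(f["location"]) not in matched]
    return {"av_hits": hits, "missing_files": missing, "av_only": av_only}
```

Running `triage(HJT_LOG, AV_REPORT)` on the constructed samples singles out the `[System]` Run value pointing at kernels8.exe, the dead Free Traffic Bar BHO, and C:\lo-1507609007.exe, which the scanner saw but no load point references.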

#2 Wizard (Retired Staff, 5,661 posts)
Hi paydaydoc and Welcome to GeekstoGo!


Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double-click on the file to extract it to its own folder on the desktop.


Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Restart normally and please download Combofix to your desktop.
http://download.blee...Bs/combofix.exe

Double-click combo.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt

Please post that log in the next reply along with smitfiles.txt

#3 paydaydoc (Topic Starter)
Hello!
Thank you for trying to help me with my Trojan issue. Here is the info you asked for:



Smitfiles:
smitRem © log file
version 3.2

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Tue 10/17/2006
The current time is: 11:40:42.65

Running from
C:\Documents and Settings\Lori Sims-Martinez\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appinitdll check ........ Thank you Grinler!

dumphive.exe ©2000-2004 Markus Stephany
REGEDIT4

[Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

XP Firewall allowed access

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present
BraveSentry uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~

amcompat.tlb
kernels8.exe
nscompat.tlb


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 636 'explorer.exe'
Killing PID 636 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~



~~~ Wininet.dll ~~~

CLEAN! :whistling:


Combofix files:
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\Lori Sims-Martinez\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Lori Sims-Martinez\Application Data\Install.dat
C:\WINDOWS\xpupdate.exe


((((((((((((((((((((((((((((((( Files Created from 2006-09-17 to 2006-10-17 ))))))))))))))))))))))))))))))))))


2006-10-17 06:04 18,040 --a------ C:\WINDOWS\system32\dlh9jkdq2.exe
2006-10-14 21:03 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-14 20:14 17 --a------ C:\WINDOWS\system32\dlh9jkdq8.exe
2006-10-14 20:13 7,426 --a------ C:\lo-1507609007.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-17 12:17 -------- d-------- C:\Program Files\BraveSentry
2006-10-16 13:57 -------- d-------- C:\Program Files\Microsoft Works
2006-10-16 13:55 -------- d-------- C:\Program Files\Lexmark X5100 Series
2006-10-16 13:55 -------- d-------- C:\Program Files\Internet Explorer
2006-10-15 19:40 -------- d-------- C:\Program Files\GetRight
2006-10-15 19:35 -------- d-------- C:\Program Files\Free Traffic Bar by E-Business Tutor
2006-10-14 21:02 -------- d-------- C:\Program Files\Grisoft
2006-10-06 23:38 -------- d-------- C:\Documents and Settings\Lori Sims-Martinez\Application Data\GetRightToGo
2006-09-26 10:25 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CARPService"="carpserv.exe"
"WCOLOREAL"="\"C:\\Program Files\\COMPAQ\\Coloreal\\coloreal.exe\""
"CPQEASYACC"="C:\\Program Files\\Compaq\\Easy Access Button Support\\StartEAK.exe"
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"AutoLogon"=""
"Lexmark X5100 Series"="\"C:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\Compaq]
"SetRefresh"="C:\\PROGRA~1\\Compaq\\SETREF~1\\SetRefresh.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"Wallpaper"="C:\\WINDOWS\\desktop.html"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Registration reminder 1.job
C:\WINDOWS\tasks\Registration reminder 2.job
C:\WINDOWS\tasks\Registration reminder 3.job

Completion time: 06-10-17 12:22:20.45
C:\ComboFix.txt ... 06-10-17 12:22

#4 paydaydoc (Topic Starter)
Dear Cretemonster,
Just wanted to let you know what is up so far since I followed all your instructions.

#1. The little red circle with the X in it is no longer on my start bar
#2. AVG hasn't said I have a virus in over an hour now and I have been on the computer
#3. My internet settings seem to be back to when I first bought the computer 4 years ago
#4. Most everything I have downloaded since I got this puter pertaining to internet is completely gone (or seems that way so far)
#5. When the AVG kept telling me there were infections, it just gave me 6 different Trojan Generic2 files. With the last two things you made me do, it came up and said infections by "Spy Sheriff & Brave Sentry". I knew one was Brave Sentry, but I did not know the Spy Sheriff was one of them.
#6. My desk top is now all blue...LOL.

So, a few questions now....
#1 Does this mean it is fixed?
#2 Do I go ahead and get the Windows Update SP2? (I have seen that several folks are getting more of these viruses by downloading the updates, makes me nervous...this has cost me a ton of time. Wonder if I got them in an update, or can you tell where they came from?)

OOPS...I SPOKE TOO SOON...SPY SHERIFF IS STILL HERE!!!!

ok...not fixed yet.
What else can I do?


Sincerely,
Lori :whistling:)

Edited by paydaydoc, 17 October 2006 - 12:56 PM.


#5 Wizard (Retired Staff)
Yes, we still have some bugs to swat! :whistling:


Go ahead and delete the smitRem program and we will use another fix for now to see what's left behind.


First let's get rid of some files.


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\dlh9jkdq2.exe
    C:\WINDOWS\system32\dlh9jkdq8.exe
    C:\lo-1507609007.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.



Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

Edited by Cretemonster, 17 October 2006 - 01:26 PM.


#6 paydaydoc (Topic Starter)
Ok...after doing the Killbox, my desktop then turned white and it still popped up that I had the Spy Sheriff Virus.
When I did the Smitfraudfix, it gave me only one screen that said:

Fichier Process.exe file absent!
Process.exe filing missing!

next?

#7 Wizard (Retired Staff)
Delete that copy of SmitFraud Fix and download a new one, but don't unzip it yet!


Restart in Safe Mode --> Now unzip the new SmitFraud Fix folder and run SmitFraud Fix in Safe Mode, please.

#8 paydaydoc (Topic Starter)
Ok...that worked better, and here it is:

SmitFraudFix v2.110

Scan done at 18:17:44.82, Tue 10/17/2006
Run from C:\Documents and Settings\Lori Sims-Martinez\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\desktop.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Lori Sims-Martinez


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Lori Sims-Martinez\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\LORISI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\BraveSentry\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

I have to leave for a while so I will check back with you in about 3 hours. Thanks for your efforts, you will be rewarded!
Lori :whistling:)

Edited by paydaydoc, 17 October 2006 - 05:35 PM.


#9 Wizard (Retired Staff)
Glad it runs OK in Safe Mode! :whistling:


You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.


After posting C:\rapport.txt, please scan fresh with Combo Fix and post that log.

#10 paydaydoc (Topic Starter)
Boy is this a long process...LOL. Just to let you know, I have to work today (12 hour shift) and won't be able to do anything further until this evening when I get home (since it is my desktop that is sick). I will keep up with your details and post around 8pm Central USA time tonight. Thanks again soooo much! For now, here is the latest you asked for:


Ok, here is Smit:

SmitFraudFix v2.110

Scan done at 5:41:28.59, Wed 10/18/2006
Run from C:\Documents and Settings\Lori Sims-Martinez\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\desktop.html Deleted
C:\Program Files\BraveSentry\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

And now Combo:

ComboFix 06.10.16 - Running from: "C:\Documents and Settings\Lori Sims-Martinez\Desktop\Virus Help"

((((((((((((((((((((((((((((((( Files Created from 2006-09-18 to 2006-10-18 ))))))))))))))))))))))))))))))))))


2006-10-14 21:03 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-16 13:57 -------- d-------- C:\Program Files\Microsoft Works
2006-10-16 13:55 -------- d-------- C:\Program Files\Lexmark X5100 Series
2006-10-16 13:55 -------- d-------- C:\Program Files\Internet Explorer
2006-10-15 19:40 -------- d-------- C:\Program Files\GetRight
2006-10-15 19:35 -------- d-------- C:\Program Files\Free Traffic Bar by E-Business Tutor
2006-10-14 21:02 -------- d-------- C:\Program Files\Grisoft
2006-10-06 23:38 -------- d-------- C:\Documents and Settings\Lori Sims-Martinez\Application Data\GetRightToGo
2006-09-26 10:25 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CARPService"="carpserv.exe"
"WCOLOREAL"="\"C:\\Program Files\\COMPAQ\\Coloreal\\coloreal.exe\""
"CPQEASYACC"="C:\\Program Files\\Compaq\\Easy Access Button Support\\StartEAK.exe"
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"AutoLogon"=""
"Lexmark X5100 Series"="\"C:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\Compaq]
"SetRefresh"="C:\\PROGRA~1\\Compaq\\SETREF~1\\SetRefresh.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Registration reminder 1.job
C:\WINDOWS\tasks\Registration reminder 2.job
C:\WINDOWS\tasks\Registration reminder 3.job

Completion time: 06-10-18 5:47:48.28
C:\ComboFix.txt ... 06-10-18 05:47
C:\ComboFix2.txt ... 06-10-17 12:22



Ok...that's all I can do for now until I return home...See ya then!!

Lori :whistling:)

#11 Wizard (Retired Staff, 5,661 posts)
Looking good so far! :whistling:


Please run the F-Secure Online Scanner

Note: this scanner is for Internet Explorer only!
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX control installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.


#12 paydaydoc (Topic Starter, Member, 19 posts)
Hello Cretemonster!
I did the F-Secure (twice actually) and here it is... darn things are hiding in my RESTORE!

Scanning Report
Thursday, October 19, 2006 05:24:34 - 06:08:02
Computer name: MARTINEZFAMILY
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 3 malware found
Trojan-Downloader.Win32.Tibs.if (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP239\A0021363.EXE (Renamed & Submitted)
W32/Spywad.AUD (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP239\A0021319.EXE (Submitted)
W32/Spywad.BSD (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP239\A0021324.DLL (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 16053
System: 4142
Not scanned: 7
Actions:
Disinfected: 0
Renamed: 1
Deleted: 0
None: 2
Submitted: 3
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{85211E96-D810-4B3A-B54A-467C97FED6C4}.BIN
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP239\A0021321.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP239\A0021325.EXE
C:\DOCUMENTS AND SETTINGS\LORI SIMS-MARTINEZ\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\DESKTOP.HTT

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-10-18
F-Secure Libra: 2.4.1, 2006-10-18
F-Secure Orion: 1.2.37, 2006-10-18
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Draco: 1.0.35, 0259-24-212
F-Secure Pegasus: 1.19.0, 2006-08-29
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

I have to work again today so I'll be back in about 13 hours. Don't forget me!
Hey, I'm curious...would just reloading the entire computer to as if it were new outta the box be easier?
Will we be able to kill these bugs?
Could I get your email (and a name would be nice...feel kinda weird saying hello to a monster every day...LOL)

Sincerely,
Lori :whistling:)


#13 Wizard (Retired Staff, 5,661 posts)
I think we already have the machine pretty much clean; I'm just checking and rechecking until I'm satisfied the PC is as safe as I can get it.


System Restore will be fixed up in the last post, so don't worry about those entries.


Please install these two to add to the security of the PC:

SpywareBlaster:
http://www.javacools.../downloads.html
Update immediately!

WinHelp2002 Hosts File
http://www.mvps.org/...2002/hosts2.htm


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#14 paydaydoc (Topic Starter, Member, 19 posts)
Wow Crete! How do you keep up with helping everybody? I had to go to page 6 to even find myself...LOL.
Ok, here is the Kaspersky Report:



KASPERSKY ONLINE SCANNER REPORT
Friday, October 20, 2006 5:59:50 AM
Operating System: Microsoft Windows XP Home Edition, (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 20/10/2006
Kaspersky Anti-Virus database records: 232990
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 33941
Number of viruses found: 3
Number of infected objects: 12 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:10:15

Infected Object Name / Virus Name / Last Action
C:\!KillBox\LO-1507609007.0XE Infected: Trojan-Downloader.Win32.Tibs.if skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Works\Portfolio\Collection 1.wsb Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Lori Sims-Martinez\Application Data\AVG7\Log\emc.log Object is locked skipped
C:\Documents and Settings\Lori Sims-Martinez\Application Data\Microsoft\Internet Explorer\Desktop.htt Object is locked skipped
C:\Documents and Settings\Lori Sims-Martinez\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Lori Sims-Martinez\Desktop\Virus Help\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Lori Sims-Martinez\Desktop\Virus Help\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Lori Sims-Martinez\Desktop\Virus Help\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Lori Sims-Martinez\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Lori Sims-Martinez\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Lori Sims-Martinez\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lori Sims-Martinez\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lori Sims-Martinez\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Lori Sims-Martinez\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP238\A0021276.0XE Infected: Trojan-Downloader.Win32.Tibs.if skipped
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP238\A0021300.0XE Infected: Trojan-Downloader.Win32.Tibs.if skipped
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP239\A0021321.dll Object is locked skipped
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP239\A0021322.dll Infected: not-a-virus:AdWare.Win32.SearchAssistant.h skipped
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP239\A0021323.dll Infected: not-a-virus:AdWare.Win32.SearchAssistant.h skipped
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP239\A0021324.dll Infected: not-a-virus:AdWare.Win32.SearchAssistant.h skipped
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP239\A0021325.exe Object is locked skipped
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP239\A0021363.0XE Infected: Trojan-Downloader.Win32.Tibs.if skipped
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP240\change.log Object is locked skipped
C:\t.inx Infected: Trojan-Downloader.Win32.Tibs.if skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{AC4B2E47-4D13-4AE4-A726-B07ECD359C58}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\slx.exes Infected: Trojan-Downloader.Win32.Tibs.if skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

There you go. I work again today for 12 hours so I'll look back here tonight. I am off for the weekend. If you are available, maybe we can nip this in the bud? Let me know so I can check on here often. I just want you to know that you are very nice with your instructions. You have a very mild manner and I appreciate that!

See ya tonight!
Lori
:whistling:
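Added example (not code from the thread or from Kaspersky): a small triage script that replays the decision the helper makes in the next post. Of the Kaspersky report above, only detections at a live path on the disk need a manual delete; copies inside System Volume Information disappear when restore points are purged, the C:\!KillBox folder is the tool's own quarantine, and the not-a-virus hits on Reboot.exe are the SmitfraudFix cleaning tool itself. The sample lines are copied from the report above (abridged); the bucket names and the quarantine-prefix list are this example's own choices.

```python
"""Sort Kaspersky Online Scanner report lines into actionable buckets."""
import re
from collections import defaultdict

# Line shapes that appear in the report: detection, locked object, archive container.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) ZIP: infected - \d+ skipped$")

RESTORE_MARK = "\\system volume information\\_restore"
# Quarantine folders of the cleaning tools used in the thread (assumption: lowercase prefixes).
QUARANTINE_PREFIXES = ("c:\\!killbox\\",)


def classify(line):
    """Return (bucket, path, detection) for one report line, or None for noise."""
    m = INFECTED_RE.match(line)
    if m:
        path, name = m.group("path"), m.group("name")
        low = path.lower()
        if RESTORE_MARK in low:          # restore-point copy: handled by purging System Restore
            return "restore_point", path, name
        if low.startswith(QUARANTINE_PREFIXES):  # already quarantined by a cleaning tool
            return "quarantine", path, name
        if name.startswith("not-a-virus:"):      # riskware/adware, review rather than delete
            return "riskware", path, name
        return "live", path, name                # a real file at a live path: delete it
    m = ARCHIVE_RE.match(line)
    if m:
        return "archive_container", m.group("path"), "archive"
    m = LOCKED_RE.match(line)
    if m:
        path = m.group("path")
        if RESTORE_MARK in path.lower():
            return "restore_point_unscanned", path, "locked"
        return "locked", path, "locked"          # hives, logs, index.dat: normal for a running system
    return None


def triage(report_lines):
    buckets = defaultdict(list)
    for line in report_lines:
        result = classify(line.strip())
        if result:
            bucket, path, name = result
            buckets[bucket].append((path, name))
    return dict(buckets)


def killbox_list(report_lines):
    """Paths a 'Delete on Reboot' pass should target: live infections only."""
    return [path for path, _ in triage(report_lines).get("live", [])]


# Lines taken from the Kaspersky report in the thread (abridged).
SAMPLE_REPORT = """\
C:\\!KillBox\\LO-1507609007.0XE Infected: Trojan-Downloader.Win32.Tibs.if skipped
C:\\Documents and Settings\\LocalService\\NTUSER.DAT Object is locked skipped
C:\\Documents and Settings\\Lori Sims-Martinez\\Desktop\\Virus Help\\SmitfraudFix\\SmitfraudFix\\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\\Documents and Settings\\Lori Sims-Martinez\\Desktop\\Virus Help\\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\\System Volume Information\\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\\RP238\\A0021276.0XE Infected: Trojan-Downloader.Win32.Tibs.if skipped
C:\\System Volume Information\\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\\RP239\\A0021321.dll Object is locked skipped
C:\\System Volume Information\\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\\RP239\\A0021322.dll Infected: not-a-virus:AdWare.Win32.SearchAssistant.h skipped
C:\\t.inx Infected: Trojan-Downloader.Win32.Tibs.if skipped
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\WINDOWS\\system32\\slx.exes Infected: Trojan-Downloader.Win32.Tibs.if skipped
""".splitlines()

if __name__ == "__main__":
    for bucket, entries in sorted(triage(SAMPLE_REPORT).items()):
        print(bucket)
        for path, name in entries:
            print("   ", path, "->", name)
    print("Killbox list:", killbox_list(SAMPLE_REPORT))
```

Run against the sample, the Killbox list comes out as C:\t.inx and C:\WINDOWS\system32\slx.exes, which is exactly the pair the helper names next. The ".0XE" and ".exes" extensions are worth noticing: renamed executables parked where no loader would pick them up, which is why they sit there harmlessly until deleted.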

#15 Wizard (Retired Staff, 5,661 posts)
Let's get rid of these stragglers.

Use Killbox again (Delete on Reboot) and delete the files listed below:

C:\t.inx
C:\WINDOWS\system32\slx.exes



Restart Normal and manually delete this folder C:\!KillBox and empty the Recycle Bin.


You can get rid of any tools we used during the cleaning process.


Is the machine still acting OK?
