Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Log files to check


  • This topic is locked This topic is locked

#1
evanhamilton

evanhamilton

    New Member

  • Member
  • Pip
  • 5 posts
D/L'd HJT and here's the log file (per the other instructions)

Logfile of HijackThis v1.99.1
Scan saved at 2:05:42 PM, on 10/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sumsw32.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\Alibaba\TRADEM~1\TRADEM~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [TradeManager] C:\PROGRA~1\Alibaba\TRADEM~1\TradeManager -hideframe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{398CA62D-53AE-40C9-8CE1-A134980B2DAD}: NameServer = 4.2.2.2,4.2.2.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)
  • 0

Advertisements


#2
evanhamilton

evanhamilton

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
SmitfraudFix logfile:

SmitFraudFix v2.105

Scan done at 14:21:07.07, Thu 10/05/2006
Run from C:\Documents and Settings\Evan Hamilton\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\alexaie.dll FOUND !
C:\WINDOWS\alxie328.dll FOUND !
C:\WINDOWS\alxtb1.dll FOUND !
C:\WINDOWS\BTGrab.dll FOUND !
C:\WINDOWS\dlmax.dll FOUND !
C:\WINDOWS\Pynix.dll FOUND !
C:\WINDOWS\susp.exe FOUND !
C:\WINDOWS\yod.htm FOUND !
C:\WINDOWS\ZServ.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\a.exe FOUND !
C:\WINDOWS\system32\alxres.dll FOUND !
C:\WINDOWS\system32\bridge.dll FOUND !
C:\WINDOWS\system32\dailytoolbar.dll FOUND !
C:\WINDOWS\system32\jao.dll FOUND !
C:\WINDOWS\system32\lfd.dat FOUND !
C:\WINDOWS\system32\oiso.bin FOUND !
C:\WINDOWS\system32\questmod.dll FOUND !
C:\WINDOWS\system32\runsrv32.dll FOUND !
C:\WINDOWS\system32\runsrv32.exe FOUND !
C:\WINDOWS\system32\sumsw32.exe FOUND !
C:\WINDOWS\system32\tcpservice2.exe FOUND !
C:\WINDOWS\system32\txfdb32.dll FOUND !
C:\WINDOWS\system32\udpmod.dll FOUND !
C:\WINDOWS\system32\wstart.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Evan Hamilton


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Evan Hamilton\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\EVANHA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#3
evanhamilton

evanhamilton

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
bump
  • 0

#4
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello Evan and welcome to Geeks to Go

I am basing my instructions on what I can see in the logs. I am not sure why you have scanned with Smitfraudfix, but since it found malware we may as well continue. But before we do that, you do not appear to have any antivirus programme running on your PC; we must correct that immediately.

Please tell me if this PC has more than a single account in your reply.

Download:
AVG ANTIVIRUS FREE EDITION

Install AVG, update its virus definitions and perform a full system scan before proceeding any further.

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

A. Please download the 30-day trial version of: AVG Anti Spyware
  • Please install, and update AVG Anti-Spyware/Ewido
  • Load AVGas/Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
  • Close AVGas/Ewido. Do not run it yet.
B. Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:

Safe Mode

C. Open the SmitfraudFix Folder, (right click and choose Extract All) then double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

D. Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

E. Close ALL open Windows / Programmes / Folders.
  • In Safe Mode, load AVGas/Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
  • AVGas/Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).
Close AVGas/Ewido and Reboot in Normal Mode.
______________________________

F. Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the Programme and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

G. Please post:
  • c:\rapport.txt
  • AVGas/Ewido log
  • A new HijackThis log (from normal mode).
You may need more than one reply to post the requested logs, otherwise they might get cut off.
  • 0

#5
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#6
evanhamilton

evanhamilton

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I guess my thread got dumped, since I wasn't able to work on this computer for a few days.

Anyway, I printed the instructions A - G (AVG av, AVGas, safemode, smitfraudfix, Temp files, AVGas, and Smitfraud delete trusted zone)

So here are the logs. The computer "seems" to be working fine @ this point.

Logfile of HijackThis v1.99.1
Scan saved at 1:49:51 PM, on 10/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware

7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common

Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common

Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter

Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.

exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware

7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\Product

Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: (no name) -

{00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: AcroIEHlprObj Class -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) -

{086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) -

{11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
O2 - BHO: (no name) -

{150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) -

{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) -

{1c4da27d-4d52-4465-a089-98e01bb725ca} - (no file)
O2 - BHO: (no name) -

{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) -

{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) -

{2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) -

{2e246fae-8420-11d9-870d-000c2917de7f} - (no file)
O2 - BHO: (no name) -

{2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) -

{746455fe-d059-47e7-af0e-140e03f5a447} - (no file)
O2 - BHO: (no name) -

{87185e78-a61b-4db3-965a-3235bbd7a622} - (no file)
O2 - BHO: (no name) -

{8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: (no name) -

{a6f42cad-2559-48df-af30-89e480af5dfa} - (no file)
O2 - BHO: (no name) -

{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: (no name) -

{cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) -

{d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
O2 - BHO: ASGP32.ASGP -

{D8C60617-F121-4F41-984D-E841C057E55D} -

C:\WINDOWS\system32\asgp32.dll
O2 - BHO: (no name) -

{e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) -

{e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) -

{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) -

{e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
O2 - BHO: (no name) -

{e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) -

{fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) -

{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program

Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray]

C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds]

C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program

Files\Common Files\Real\Update_OB\realsched.exe"

-osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader]

"C:\Program Files\Adobe\Photoshop Album Starter

Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.

exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program

Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program

Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe"

/minimized
O4 - HKLM\..\Run: [AVG7_CC]

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program

Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk =

C:\Program Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk =

C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk =

C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk

= C:\Program Files\HP\Digital

Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk =

C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft

Excel -

res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O17 -

HKLM\System\CCS\Services\Tcpip\..\{398CA62D-53AE-40C

9-8CE1-A134980B2DAD}: NameServer = 4.2.2.2,4.2.2.1
O20 - Winlogon Notify: igfxcui -

C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon -

C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware

Development a.s. - C:\Program Files\Grisoft\AVG

Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt)

- GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) -

GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) -

Intel® Corporation - C:\Program

Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP -

C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program

Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SmartLinkService (SLService) - Smart

Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) -

Unknown owner -

C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)
  • 0

#7
evanhamilton

evanhamilton

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Here's the rest


Rapport:

SmitFraudFix v2.105

Scan done at 12:54:16.90, Thu 10/19/2006
Run from C:\Documents and Settings\Evan Hamilton\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End






SmitFraudFix v2.105

Scan done at 12:39:12.07, Thu 10/19/2006
Run from C:\Documents and Settings\Evan Hamilton\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\alexaie.dll Deleted
C:\WINDOWS\alxie328.dll Deleted
C:\WINDOWS\alxtb1.dll Deleted
C:\WINDOWS\BTGrab.dll Deleted
C:\WINDOWS\dlmax.dll Deleted
C:\WINDOWS\Pynix.dll Deleted
C:\WINDOWS\susp.exe Deleted
C:\WINDOWS\yod.htm Deleted
C:\WINDOWS\ZServ.dll Deleted
C:\WINDOWS\system32\a.exe Deleted
C:\WINDOWS\system32\alxres.dll Deleted
C:\WINDOWS\system32\bridge.dll Deleted
C:\WINDOWS\system32\dailytoolbar.dll Deleted
C:\WINDOWS\system32\jao.dll Deleted
C:\WINDOWS\system32\kernels64.exe Deleted
C:\WINDOWS\system32\lfd.dat Deleted
C:\WINDOWS\system32\msvol.tlb Deleted
C:\WINDOWS\system32\ncompat.tlb Deleted
C:\WINDOWS\system32\oiso.bin Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\questmod.dll Deleted
C:\WINDOWS\system32\runsrv32.dll Deleted
C:\WINDOWS\system32\runsrv32.exe Deleted
C:\WINDOWS\system32\sumsw32.exe Deleted
C:\WINDOWS\system32\tcpservice2.exe Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\txfdb32.dll Deleted
C:\WINDOWS\system32\udpmod.dll Deleted
C:\WINDOWS\system32\vxgamet?.exe Deleted
C:\WINDOWS\system32\vxh8jkdq?.exe Deleted
C:\WINDOWS\system32\winmuse.exe Deleted
C:\WINDOWS\system32\wstart.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



AVGas log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:40:11 PM 10/19/2006

+ Scan result:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-1060284298-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7070A8F9-08A4-CA47-0AB0-1EB9E4EE1F3B} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{479fd0cf-5be9-4c63-8cda-b6d371c67bd5} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{860c2f6b-ca82-4282-9187-beccbb66f0af} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a2595f37-48d0-46a1-9b51-478591a97764} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fe2d25c1-c1db-4b5e-9390-af1cb5302f32} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1060284298-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1060284298-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5753791B-F607-48CA-814E-91C14D081F9E} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1060284298-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{860C2F6B-CA82-4282-9187-BECCBB66F0AF} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1060284298-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9C5875B8-93F3-429D-FF34-660B206D897A} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1060284298-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A2595F37-48D0-46A1-9B51-478591A97764} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1060284298-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FE2D25C1-C1DB-4B5E-9390-AF1CB5302F32} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{13A4A984-E322-47EC-AB9F-054F2772AEF3}\RP261\A0028308.dll -> Adware.Minibug : Cleaned with backup (quarantined).
HKU\S-1-5-21-1060284298-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7A7E6D97-B492-4884-9ABB-C31281DCC4F2} -> Adware.VipSearcher : Cleaned with backup (quarantined).
HKU\S-1-5-21-1060284298-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} -> Downloader.Delf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{13A4A984-E322-47EC-AB9F-054F2772AEF3}\RP261\A0028306.exe -> Downloader.Small.cjk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{13A4A984-E322-47EC-AB9F-054F2772AEF3}\RP261\A0028296.exe -> Downloader.Small.dam : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{13A4A984-E322-47EC-AB9F-054F2772AEF3}\RP261\A0028307.exe -> Downloader.Small.dbx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{13A4A984-E322-47EC-AB9F-054F2772AEF3}\RP261\A0028299.exe -> Downloader.Small.dkt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{13A4A984-E322-47EC-AB9F-054F2772AEF3}\RP261\A0028300.exe -> Downloader.Small.dkt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{13A4A984-E322-47EC-AB9F-054F2772AEF3}\RP261\A0028301.exe -> Downloader.Small.dkt : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15ACE85C-0BB1-42d1-9E32-07EB0506675A} -> Downloader.Small.nl : Cleaned with backup (quarantined).
HKU\S-1-5-21-1060284298-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15ACE85C-0BB1-42D1-9E32-07EB0506675A} -> Downloader.Small.nl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{13A4A984-E322-47EC-AB9F-054F2772AEF3}\RP261\A0028304.exe -> Downloader.VB.ajp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{13A4A984-E322-47EC-AB9F-054F2772AEF3}\RP261\A0028305.exe -> Downloader.VB.ajp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{13A4A984-E322-47EC-AB9F-054F2772AEF3}\RP261\A0028297.exe -> Downloader.VB.anw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{13A4A984-E322-47EC-AB9F-054F2772AEF3}\RP261\A0028298.exe -> Downloader.VB.anw : Cleaned with backup (quarantined).
HKU\S-1-5-21-1060284298-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B212D577-05B7-4963-911E-4A8588160DFA} -> Trojan.Delf.nj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{13A4A984-E322-47EC-AB9F-054F2772AEF3}\RP261\A0028302.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{13A4A984-E322-47EC-AB9F-054F2772AEF3}\RP261\A0028303.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end


TIA if I need to do anything else. Will donate via paypal - you guys/girls are GREAT!!!
  • 0

#8
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Evan

At this site you get stuck with the staff member that first helps you. It's just bad luck on your part that you got me.

Please note that your HijackThis log posted is scattered, and frankly they are difficult enough to read without the extra burden. Please ensure that your HJT logs are in single-spaced format:

To remove the double spacing in your log, please do the following:
  • Please go to Start >> Run... and type notepad.exe
  • Hit OK.
  • Now go to Format and uncheck WordWrap.
  • Close Notepad.
  • When posting use PREVIEW POST to check before clicking ADD REPLY
Please repost your HJt log from normal mode, and I'll take a look.
  • 0

#9
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP