Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Programs start on their own or switch to desktop


  • Please log in to reply

#1
2latinaz

2latinaz

    New Member

  • Member
  • Pip
  • 6 posts
Im new and i dont really know where to start. up until today my computer was running correctly. i downloaded what i thought was a DVD viewing program but turned out to be a virus. it installed a bunch of strange things onto my computer. i looked at the "add/remove" list and i saw that some new things were added. theres something that says "USB MassStorage CardReader" and when i try to uninstall it, the coputer pauses for a few secs and doesnt uninstall the program. i ran spybot and ad-aware and they removed a bunch of things each time. when i am playing a computer game or watching a dvd i hear a little computer sounding beep and im brought back onto my desktop. sometimes, i find that programs start on their own. i have tried to do the system restore but it keeps saying that it cant do it. i guess my computer isnt as bad as it was earlier today (becuz i managed to remove some things) but its still annoying. i dont know if this matters but another program that was installed was Tagasaurus. and lastly the last 2 programs on the list that i dont remember being there are "easy web print" and "soft data fax modem with smart cp"

:whistling: i really need help and would love to get some assistance!

I also just got a really strange pop up it read:
NOTICE: Your computer has tracks of all the adult sites you had visited. In most cases, your are not even aware of the files that get installed by themselves, violate your online privacy and could compromise you career and your marriage. These files leave tracks of your online behavior and even compromise your credit card's security. it is possible to clean up all the temporary and history records of your computer to removed these tracks. Would you like to install DriveCleaner to check your computer for free? (Recommended)

Edited by 2latinaz, 10 November 2006 - 11:22 PM.

  • 0

Advertisements


#2
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

  • 0

#3
2latinaz

2latinaz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Logfile of HijackThis v1.99.1
Scan saved at 12:24:47 AM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh....ex.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh....ex.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.imesh....ex.html?src=ssb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...TP&M=GT4016
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TP&M=GT4016
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hxjekok.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {666E4D35-E955-11D0-A707-000000521958} - http://ads.dropspam....aaf/upgrade.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
  • 0

#4
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Very good :whistling:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • 0

#5
2latinaz

2latinaz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Owner - 06-11-11 0:51:09.60 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dxclib303562752.dll
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\nwnmff_e54.exe
C:\Documents and Settings\Owner\setup9X.exe
C:\WINDOWS\system32\wnsintsv.exe
C:\Program Files\Windows NT\kyzesehu.html
C:\Program Files\Common Files\howy.html
C:\Program Files\outlook

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Owner\Application Data\STEM32~1
C:\QooBox\Purity\WINDOWS\CURITY~1
C:\QooBox\Purity\WINDOWS\CURITY~1\winspool.exe
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-501.0000
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-501.0001
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-501.0002
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-503.0000
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-503.0001
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-503.0002
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-503.0003
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-503.0004
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-503.0005


((((((((((((((((((((((((((((((( Files Created from 2006-10-11 to 2006-11-11 ))))))))))))))))))))))))))))))))))


2006-11-10 14:27 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2006-11-10 14:27 198,144 --a------ C:\WINDOWS\system32\_psisdecd.dll
2006-11-10 14:27 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
2006-11-10 12:47 204 --a------ C:\Documents and Settings\Owner\jdkfjdskfjkdsjf.bat
2006-11-10 12:46 32,768 --a------ C:\Documents and Settings\Owner\install.exe
2006-11-10 12:46 24,576 --a------ C:\Documents and Settings\Owner\dr.exe
2006-11-10 12:44 997,376 -r-hs---- C:\WINDOWS\zdlilbrA.exe
2006-11-10 12:44 69,632 --a------ C:\WINDOWS\system32\pgedlpnc.dll
2006-11-10 12:44 55,808 --a------ C:\WINDOWS\zdlilbr.exe
2006-11-10 12:44 204 --a------ C:\WINDOWS\system32\jdkfjdskfjkdsjf.bat
2006-11-10 12:44 20,480 --a------ C:\mc44a54.exe
2006-11-10 12:44 2,560 --a------ C:\ac3_0003.exe
2006-11-10 12:44 178,306 --a------ C:\WINDOWS\ac3_0008.exe
2006-11-10 12:44 1,284 --a------ C:\WINDOWS\system32\bere5ce3.sys
2006-11-10 12:43 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-11-10 12:43 45,056 --a------ C:\WINDOWS\system32nrnqetwbz.exe
2006-11-10 12:43 45,056 --a------ C:\mpnaaq7.exe
2006-11-10 12:43 356,352 --a------ C:\162.exe
2006-11-10 12:43 323,072 --a------ C:\165.exe
2006-11-10 12:43 32,768 --a------ C:\WINDOWS\system32\setup9X.exe
2006-11-10 12:43 32,768 --a------ C:\WINDOWS\system32\install.exe
2006-11-10 12:43 28,672 --a------ C:\WINDOWS\system32hlvi6wkjc.exe
2006-11-10 12:43 28,672 --a------ C:\WINDOWS\system32\hlvi6wkjc.exe
2006-11-10 12:43 266,240 --a------ C:\yz02.exe
2006-11-10 12:43 24,576 --a------ C:\WINDOWS\system32\ysjaevwx.exe
2006-11-10 12:43 24,576 --a------ C:\WINDOWS\system32\dr.exe
2006-11-10 12:43 217,276 --a------ C:\WINDOWS\srvittac.exe
2006-11-10 12:43 20,480 --a------ C:\WINDOWS\stub_mm3.exe
2006-11-10 12:43 167,936 --a------ C:\WINDOWS\ms05769188-1401.exe
2006-11-10 12:43 0 --a------ C:\WINDOWS\system32ysjaevwx.exe
2006-11-05 18:49 10 --a------ C:\WINDOWS\smdat32m.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-11 00:51 -------- d-------- C:\Program Files\Windows NT
2006-11-11 00:51 -------- d-------- C:\Program Files\Common Files
2006-11-11 00:50 2614 --a------ C:\Documents and Settings\Owner\Application Data\.googlewebacchosts
2006-11-11 00:50 -------- d-------- C:\Program Files\WinRAR
2006-11-11 00:49 -------- d-------- C:\Program Files\Messenger
2006-11-11 00:48 -------- d-------- C:\Program Files\Internet Explorer
2006-11-11 00:44 -------- d-------- C:\Program Files\AIM
2006-11-11 00:24 -------- d-------- C:\Program Files\Hijackthis
2006-11-10 23:43 -------- d-------- C:\Program Files\CONEXANT
2006-11-10 23:42 -------- d-------- C:\Program Files\ArtisanDVDPlayer
2006-11-10 14:27 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-10 14:27 -------- d-------- C:\Program Files\CyberLink
2006-11-10 14:03 -------- d-------- C:\Program Files\Windows Plus
2006-11-10 13:58 -------- d-------- C:\Program Files\Morpheus
2006-11-10 13:56 -------- d-------- C:\Program Files\Lavasoft
2006-11-10 13:56 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-11-10 13:48 -------- d-------- C:\Program Files\DivX
2006-11-10 12:44 93664 --ahs---- C:\Program Files\Common Files\Y1324OU.exe
2006-11-10 12:33 -------- d-------- C:\Program Files\SimPE
2006-11-10 12:32 -------- d-------- C:\Program Files\InterActual
2006-11-09 13:37 -------- d-------- C:\Program Files\Google
2006-11-07 21:43 -------- d-------- C:\Program Files\NCH Swift Sound
2006-11-07 21:43 -------- d-------- C:\Documents and Settings\Owner\Application Data\RecordPad
2006-11-07 21:43 -------- d-------- C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
2006-11-05 21:55 -------- d-------- C:\Program Files\Common Files\AOL
2006-11-05 18:55 -------- d-------- C:\Program Files\iMesh Applications
2006-11-05 18:53 -------- d-------- C:\Program Files\RXToolBar
2006-11-05 18:49 -------- d-------- C:\Program Files\Need2Find
2006-11-05 16:20 -------- d-------- C:\Program Files\DVD Shrink
2006-11-03 10:35 -------- d-------- C:\Program Files\AOL
2006-11-03 10:35 -------- d-------- C:\Program Files\AOD
2006-11-03 10:34 -------- d-------- C:\Program Files\Common Files\aolshare
2006-10-19 17:15 -------- d-------- C:\Program Files\EA GAMES
2006-10-12 12:11 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-10-07 21:34 -------- d-------- C:\Documents and Settings\Owner\Application Data\DivX
2006-10-07 21:19 -------- d-------- C:\Program Files\WMV9_VCM
2006-10-02 14:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-10-02 14:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-10-02 14:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-10-02 14:04 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-15 16:21 53248 --a------ C:\WINDOWS\uninst108.exe
2006-09-15 16:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 07:21 16896 --a--c--- C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a--c--- C:\WINDOWS\system32\fltmc.exe
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"PCMService"="\"C:\\Program Files\\CyberLink\\PowerCinema\\PCMService.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Windows NT\\kyzesehu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Common Files\\howy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 2.job

Completion time: 06-11-11 0:53:33.75
C:\ComboFix.txt ... 06-11-11 00:53
  • 0

#6
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
click >>start>>control panel >>add/remove programs and uninstall the following if present:
RXToolBar
Need2Find




Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\system32\_psisdecd.dll
    C:\WINDOWS\system32\gdiplus.dll
    C:\Documents and Settings\Owner\jdkfjdskfjkdsjf.bat
    C:\Documents and Settings\Owner\install.exe
    C:\Documents and Settings\Owner\dr.exe
    C:\WINDOWS\zdlilbrA.exe
    C:\WINDOWS\system32\pgedlpnc.dll
    C:\WINDOWS\zdlilbr.exe
    C:\WINDOWS\system32\jdkfjdskfjkdsjf.bat
    C:\mc44a54.exe
    C:\ac3_0003.exe
    C:\WINDOWS\ac3_0008.exe
    C:\WINDOWS\system32\bere5ce3.sys
    C:\WINDOWS\system32\sporder.dll
    C:\WINDOWS\system32nrnqetwbz.exe
    C:\mpnaaq7.exe
    C:\162.exe
    C:\165.exe
    C:\WINDOWS\system32\setup9X.exe
    C:\WINDOWS\system32\install.exe
    C:\WINDOWS\system32hlvi6wkjc.exe
    C:\WINDOWS\system32\hlvi6wkjc.exe
    C:\yz02.exe
    C:\WINDOWS\system32\ysjaevwx.exe
    C:\WINDOWS\system32\dr.exe
    C:\WINDOWS\srvittac.exe
    C:\WINDOWS\stub_mm3.exe
    C:\WINDOWS\ms05769188-1401.exe
    C:\WINDOWS\system32ysjaevwx.exe
    C:\WINDOWS\smdat32m.sys
    C:\Program Files\Common Files\Y1324OU.exe
    C:\Program Files\RXToolBar
    C:\Program Files\Need2Find





  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Please rerun combofix and post the resulting log with a new Hijack log

Thanks :whistling:
  • 0

#7
2latinaz

2latinaz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Owner - 06-11-11 1:21:23.32 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Owner\Application Data\STEM32~1
C:\QooBox\Purity\WINDOWS\CURITY~1
C:\QooBox\Purity\WINDOWS\CURITY~1\winspool.exe
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-501.0000
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-501.0001
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-501.0002
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-503.0000
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-503.0001
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-503.0002
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-503.0003
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-503.0004
C:\QooBox\Purity\WINDOWS\CURITY~1\??curity\ctxad-503.0005


((((((((((((((((((((((((((((((( Files Created from 2006-10-11 to 2006-11-11 ))))))))))))))))))))))))))))))))))


2006-11-10 14:27 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-11 01:18 -------- d-------- C:\Program Files\Common Files
2006-11-11 01:17 2582 --a------ C:\Documents and Settings\Owner\Application Data\.googlewebacchosts
2006-11-11 00:51 -------- d-------- C:\Program Files\Windows NT
2006-11-11 00:50 -------- d-------- C:\Program Files\WinRAR
2006-11-11 00:49 -------- d-------- C:\Program Files\Messenger
2006-11-11 00:48 -------- d-------- C:\Program Files\Internet Explorer
2006-11-11 00:44 -------- d-------- C:\Program Files\AIM
2006-11-11 00:24 -------- d-------- C:\Program Files\Hijackthis
2006-11-10 23:43 -------- d-------- C:\Program Files\CONEXANT
2006-11-10 23:42 -------- d-------- C:\Program Files\ArtisanDVDPlayer
2006-11-10 14:27 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-10 14:27 -------- d-------- C:\Program Files\CyberLink
2006-11-10 14:03 -------- d-------- C:\Program Files\Windows Plus
2006-11-10 13:58 -------- d-------- C:\Program Files\Morpheus
2006-11-10 13:56 -------- d-------- C:\Program Files\Lavasoft
2006-11-10 13:56 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-11-10 13:48 -------- d-------- C:\Program Files\DivX
2006-11-10 12:33 -------- d-------- C:\Program Files\SimPE
2006-11-10 12:32 -------- d-------- C:\Program Files\InterActual
2006-11-09 13:37 -------- d-------- C:\Program Files\Google
2006-11-07 21:43 -------- d-------- C:\Program Files\NCH Swift Sound
2006-11-07 21:43 -------- d-------- C:\Documents and Settings\Owner\Application Data\RecordPad
2006-11-07 21:43 -------- d-------- C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
2006-11-05 21:55 -------- d-------- C:\Program Files\Common Files\AOL
2006-11-05 18:55 -------- d-------- C:\Program Files\iMesh Applications
2006-11-05 18:53 -------- d-------- C:\Program Files\RXToolBar
2006-11-05 18:49 -------- d-------- C:\Program Files\Need2Find
2006-11-05 16:20 -------- d-------- C:\Program Files\DVD Shrink
2006-11-03 10:35 -------- d-------- C:\Program Files\AOL
2006-11-03 10:35 -------- d-------- C:\Program Files\AOD
2006-11-03 10:34 -------- d-------- C:\Program Files\Common Files\aolshare
2006-10-19 17:15 -------- d-------- C:\Program Files\EA GAMES
2006-10-12 12:11 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-10-07 21:34 -------- d-------- C:\Documents and Settings\Owner\Application Data\DivX
2006-10-07 21:19 -------- d-------- C:\Program Files\WMV9_VCM
2006-10-02 14:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-10-02 14:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-10-02 14:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-10-02 14:04 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-15 16:21 53248 --a------ C:\WINDOWS\uninst108.exe
2006-09-15 16:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 07:21 16896 --a--c--- C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a--c--- C:\WINDOWS\system32\fltmc.exe
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"PCMService"="\"C:\\Program Files\\CyberLink\\PowerCinema\\PCMService.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Windows NT\\kyzesehu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Common Files\\howy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 2.job

Completion time: 06-11-11 1:21:52.67
C:\ComboFix.txt ... 06-11-11 01:21
C:\ComboFix2.txt ... 06-11-11 00:53
  • 0

#8
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Good :whistling:

Lets run a quick check for another

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm
  • 0

#9
2latinaz

2latinaz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
SmitFraudFix v2.120

Scan done at 1:36:39.34, Sat 11/11/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\keyboard1.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Windows NT\\kyzesehu.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Common Files\\howy.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#10
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Run Smitfraud Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

Clean out your Temporary Internet files. Proceed as follows:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.

Reboot

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log in your next reply as well as a new Hijack log
  • 0

#11
2latinaz

2latinaz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
SmitFraudFix v2.120

Scan done at 20:11:51.89, Sat 11/11/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\keyboard1.dat Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End







Logfile of HijackThis v1.99.1
Scan saved at 8:19:14 PM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh....ex.html?src=ssb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hxjekok.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {666E4D35-E955-11D0-A707-000000521958} - http://ads.dropspam....aaf/upgrade.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
  • 0

#12
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Please run a scan with HijackThis and check the following lines for removal:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hxjekok.exe

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP