Slow Computer/Blue Screen

#1 stephyny
New Member, 6 posts
And this is my first time here, so please don't destroy me if I post in the wrong spot. :)


Logfile of HijackThis v1.99.1
Scan saved at 10:48:26 AM, on 3/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O2 - BHO: cdromdrv32.shell_plugin - {0D708714-CF29-488B-98BE-24D1B96230AA} - C:\WINDOWS\System32\cdromdrv32.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1171162857960
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1171162815398
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


#2 Flrman1
Malware Assassin, Retired Staff, 6,596 posts
Hi stephyny

Welcome to GTG! :whistling:


Please do the following:

* Download Rustbfix from Here or Here.
  • Save the rustbfix file to your desktop.
  • Restart your computer into safe mode if necessary. (See Notes below)
  • Double click on rustbfix.exe to run the tool.
  • If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer.
  • The reboot may take quite a while, and 2 reboots may be needed, but this will happen automatically.
  • After the reboot 2 logs will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). (See Notes below)
  • Post the content of these logfiles along with a new HijackThis log in your next reply to this thread.
Notes: %root% will probably be your C:\ drive.
Click here for info on how to boot to safe mode if you don't already know how.


* Post an uninstall list for me using the HijackThis Uninstall Manager:
  • Open HijackThis and click on the Open the Misc Tools section button.
  • Click on the Open Uninstall Manager button.
  • Click the Save List button.
  • After you click the "Save List" button, you will be asked where to save the file.
  • Pick a place to save it then the list should open in notepad.
  • Copy and paste that list in your next reply to this thread.
* Click here to download SmitfraudFix.zip and save it to your desktop.
  • Unzip (extract) the contents of SmitfraudFix.zip to a new SmitfraudFix folder on your desktop.
  • Open the SmitfraudFix folder and double-click the smitfraudfix.cmd file.
  • Select option #1 - Search by typing 1 and press "Enter"
  • A text file will appear, which lists the infected files that it finds, if any.
  • Copy and paste the contents of that report into your next reply to this thread.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

Come back to this thread and post the following logs:

The log from the rustbfix
The Uninstall list
The Smitfraudfix log


#3 stephyny (Topic Starter)
New Member, 6 posts
Okay, here goes :whistling: Have no idea what I'm doing, just obeying dutifully :blink:

Thank you!

By the way, when I went to restart out of safe mode both times it said the program "Sample" was not responding and to end it now. Don't know if that means anything. Also, before doing this I ran Spyware Doctor and it found the following. If it means nothing, forgive the space on the page. Spyware Doctor says it was removed afterwards.

Trojan.Downloader.CashDeluxe C:\WINDOWS\System32\cdromdrv32.dll Elevated
Trojan.Downloader.CashDeluxe C:\WINDOWS\system32\cwklgqvx.exe Elevated
Trojan.Downloader.CashDeluxe C:\WINDOWS\System32\user_32.dll Elevated
Trojan.Downloader.CashDeluxe HKCR\a_inc_module.class1 Elevated
Trojan.Downloader.CashDeluxe HKCR\a_inc_module.class1## Elevated
Trojan.Downloader.CashDeluxe HKCR\a_inc_module.class1\Clsid Elevated
Trojan.Downloader.CashDeluxe HKCR\a_inc_module.class1\Clsid## Elevated
Trojan.Downloader.CashDeluxe HKCR\cdromdrv32.shell_plugin Elevated
Trojan.Downloader.CashDeluxe HKCR\cdromdrv32.shell_plugin## Elevated
Trojan.Downloader.CashDeluxe HKCR\cdromdrv32.shell_plugin\Clsid Elevated
Trojan.Downloader.CashDeluxe HKCR\cdromdrv32.shell_plugin\Clsid## Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA} Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}## Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\Implemented Categories Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\Implemented Categories## Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}## Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\InprocServer32 Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\InprocServer32## Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\InprocServer32##ThreadingModel Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\ProgID Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\ProgID## Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\Programmable Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\Programmable## Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\TypeLib Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\TypeLib## Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\VERSION Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\VERSION## Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C} Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}## Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\Implemented Categories Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\Implemented Categories## Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}## Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\InprocServer32 Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\InprocServer32## Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\InprocServer32##ThreadingModel Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\ProgID Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\ProgID## Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\Programmable Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\Programmable## Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\TypeLib Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\TypeLib## Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\VERSION Elevated
Trojan.Downloader.CashDeluxe HKCR\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\VERSION## Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{61391E50-5236-494A-BAE2-282F6C520C65} Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{61391E50-5236-494A-BAE2-282F6C520C65}## Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{61391E50-5236-494A-BAE2-282F6C520C65}\ProxyStubClsid Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{61391E50-5236-494A-BAE2-282F6C520C65}\ProxyStubClsid## Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{61391E50-5236-494A-BAE2-282F6C520C65}\ProxyStubClsid32 Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{61391E50-5236-494A-BAE2-282F6C520C65}\ProxyStubClsid32## Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{61391E50-5236-494A-BAE2-282F6C520C65}\TypeLib Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{61391E50-5236-494A-BAE2-282F6C520C65}\TypeLib## Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{61391E50-5236-494A-BAE2-282F6C520C65}\TypeLib##Version Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{8144C535-F34D-47BC-9013-A7C05AA8F12C} Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{8144C535-F34D-47BC-9013-A7C05AA8F12C}## Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{8144C535-F34D-47BC-9013-A7C05AA8F12C}\ProxyStubClsid Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{8144C535-F34D-47BC-9013-A7C05AA8F12C}\ProxyStubClsid## Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{8144C535-F34D-47BC-9013-A7C05AA8F12C}\ProxyStubClsid32 Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{8144C535-F34D-47BC-9013-A7C05AA8F12C}\ProxyStubClsid32## Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{8144C535-F34D-47BC-9013-A7C05AA8F12C}\TypeLib Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{8144C535-F34D-47BC-9013-A7C05AA8F12C}\TypeLib## Elevated
Trojan.Downloader.CashDeluxe HKCR\Interface\{8144C535-F34D-47BC-9013-A7C05AA8F12C}\TypeLib##Version Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{6AB0337F-F523-4073-AFBF-0947B331955E} Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{6AB0337F-F523-4073-AFBF-0947B331955E}## Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{6AB0337F-F523-4073-AFBF-0947B331955E}\1.0 Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{6AB0337F-F523-4073-AFBF-0947B331955E}\1.0## Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{6AB0337F-F523-4073-AFBF-0947B331955E}\1.0 Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{6AB0337F-F523-4073-AFBF-0947B331955E}\1.0## Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{6AB0337F-F523-4073-AFBF-0947B331955E}\1.0\win32 Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{6AB0337F-F523-4073-AFBF-0947B331955E}\1.0\win32## Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{6AB0337F-F523-4073-AFBF-0947B331955E}\1.0\FLAGS Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{6AB0337F-F523-4073-AFBF-0947B331955E}\1.0\FLAGS## Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{6AB0337F-F523-4073-AFBF-0947B331955E}\1.0\HELPDIR Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{6AB0337F-F523-4073-AFBF-0947B331955E}\1.0\HELPDIR## Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{9A0673DB-7BD7-43D6-8FA2-C93FE0B996EB} Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{9A0673DB-7BD7-43D6-8FA2-C93FE0B996EB}## Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{9A0673DB-7BD7-43D6-8FA2-C93FE0B996EB}\1.0 Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{9A0673DB-7BD7-43D6-8FA2-C93FE0B996EB}\1.0## Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{9A0673DB-7BD7-43D6-8FA2-C93FE0B996EB}\1.0 Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{9A0673DB-7BD7-43D6-8FA2-C93FE0B996EB}\1.0## Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{9A0673DB-7BD7-43D6-8FA2-C93FE0B996EB}\1.0\win32 Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{9A0673DB-7BD7-43D6-8FA2-C93FE0B996EB}\1.0\win32## Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{9A0673DB-7BD7-43D6-8FA2-C93FE0B996EB}\1.0\FLAGS Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{9A0673DB-7BD7-43D6-8FA2-C93FE0B996EB}\1.0\FLAGS## Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{9A0673DB-7BD7-43D6-8FA2-C93FE0B996EB}\1.0\HELPDIR Elevated
Trojan.Downloader.CashDeluxe HKCR\TypeLib\{9A0673DB-7BD7-43D6-8FA2-C93FE0B996EB}\1.0\HELPDIR## Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA} Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}## Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\Implemented Categories Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\Implemented Categories## Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}## Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\InprocServer32 Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\InprocServer32## Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\InprocServer32##ThreadingModel Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\ProgID Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\ProgID## Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\Programmable Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\Programmable## Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\TypeLib Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\TypeLib## Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\VERSION Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{0D708714-CF29-488B-98BE-24D1B96230AA}\VERSION## Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C} Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}## Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\Implemented Categories Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\Implemented Categories## Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}## Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\InprocServer32 Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\InprocServer32## Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\InprocServer32##ThreadingModel Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\ProgID Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\ProgID## Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\Programmable Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\Programmable## Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\TypeLib Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\TypeLib## Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\VERSION Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Classes\CLSID\{6CFD19FA-D47A-4C1D-8044-33235651387C}\VERSION## Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D708714-CF29-488B-98BE-24D1B96230AA} Elevated
Trojan.Downloader.CashDeluxe HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D708714-CF29-488B-98BE-24D1B96230AA}##


Also, a few weeks back we had a wicked virus that I can't remember the name of, Brave something or something that starts with Brav. We had to do a complete reformat and reinstall of the OS. Norton hogs everything, and the vendor that makes the software we use for work, Case Catalyst, says we needed to disable it because it interferes with realtime writing from our steno machines to the computer. We run Spyware Doctor and Norton regularly, but it's always infected. Just a background if any of that helps.


Okay, now for the stuff you ACTUALLY wanted! :help:

-Stephanie

************************* Rustock.b-fix -- By ejvindh *************************
Sun 03/18/2007 21:43:44.84

No Rustock.b-rootkits found

******************************* End of Logfile ********************************





Adobe Flash Player 9 ActiveX
AppCore
Apple Software Update
ATI Control Panel
ATI Display Driver
AV
BCM V.92 56K Modem
Broadcom Gigabit Integrated Controller
caseCATalyst4
ccCommon
Dell ResourceCD
HijackThis 1.99.1
Intel® PROSet
Internet Worm Protection
iTunes
LiveUpdate 3.1 (Symantec Corporation)
Microsoft Office Standard Edition 2003
Microsoft Office XP Small Business
Norton AntiVirus
Norton AntiVirus (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
O2Micro Smartcard Driver
QuickTime
Samsung ML-1740 Series
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB920683)
SigmaTel AC97 Audio Drivers
SPBBC 32bit
Spyware Doctor 4.0
Symantec
SymNet
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB918899




SmitFraudFix v2.150

Scan done at 21:53:28.48, Sun 03/18/2007
Run from C:\Documents and Settings\Rafael\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Rafael


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Rafael\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Rafael\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#4 Flrman1
Malware Assassin, Retired Staff, 6,596 posts
* I don't like Norton at all. You'll find that most techies don't. If I were to recommend a new antivirus, it would be Nod32:

www.eset.com

That is what I use and it meets all my needs. I don't use any other anti-spyware app alongside it other than SpywareBlaster. So far this combination has proven to be sufficient for me. In most cases these are enough, at least for folks like me that have conservative surfing habits. I will say that doing the malware removal work like I'm doing here for you does take me to unsavory sites frequently when I'm checking out a URL in a log. Even with this, Nod32 and SpywareBlaster have been more than adequate to protect me. I probably should also add to that equation the fact that I am an advanced user, so I know better than to say yes or OK to every little prompt to install this or download that that comes my way while browsing. No matter how good your security is, it will not protect/prevent you from willingly allowing an infected file to be downloaded or installed.

Go ahead and do the following:

* Run ActiveScan online virus scan here

When the scan is finished, click on the "Save Report" button and save the results of the scan to your desktop.

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from ActiveScan

#5 stephyny (Topic Starter)
New Member, 6 posts
Okay, here's the ActiveScan log:


Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Rafael\Desktop\Steph's Diagnostics\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Rafael\Desktop\Steph's Diagnostics\SmitfraudFix.zip[SmitfraudFix/Process.exe]



and here's HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 8:13:33 PM, on 3/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1171162857960
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1171162815398
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe



Spyware doctor found this again after I removed it (or so I thought) just before I made the initial post:

Scans (basic information only):

Scan Results:
scan start: 3/20/2007 7:04:33 PM
scan stop: 3/20/2007 7:17:03 PM
scanned items: 74252
found items: 3
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner



Infection Name Location Risk
Trojan.Downloader.CashDeluxe C:\System Volume Information\_restore{6530BB00-7968-4D03-B3D5-F149723748F6}\RP121\A0030634.dll Elevated
Trojan.Downloader.CashDeluxe C:\System Volume Information\_restore{6530BB00-7968-4D03-B3D5-F149723748F6}\RP121\A0030635.exe Elevated
Trojan.Downloader.CashDeluxe C:\System Volume Information\_restore{6530BB00-7968-4D03-B3D5-F149723748F6}\RP121\A0030636.dll Elevated



Thanks! :whistling:

#6 Flrman1 (Malware Assassin, Retired Staff, 6,596 posts)
The files SpySweeper found are all in System Restore. We'll clear it out by turning it off when I'm sure you're clean.

Go ahead and delete all the Smitfraudfix files you have.

How is the PC behaving now?

#7 stephyny (New Member, Topic Starter, 6 posts)
Well, I removed the Smith stuff (lol, sorry I forgot the whole thing), and the thing about it is that it's random with the blue screen, so I don't know how it's behaving. But somehow that trojan thing keeps getting on there and I don't know how. Norton has been pretty much disabled from running in the background because it's interfering with industry software. What else should I have running as protection in the background that won't hog my computer all the time? Where are we at here anyway? Do I have anything going on?

Thanks :whistling:

#8 Flrman1 (Malware Assassin, Retired Staff, 6,596 posts)

Norton has been pretty much disabled from running in the background because it's interfering with industry software. What else should I have running as protection in the background that won't hog my computer all the time?


I posted this for you in regards to the antivirus:


* I don't like Norton at all. You'll find that most techies don't. If I were to recommend a new antivirus, it would be Nod32:

www.eset.com

That is what I use and it meets all my needs. I don't use any other anti-spyware app alongside it other than SpywareBlaster. So far this combination has proven to be sufficient for me. In most cases these are enough, at least for folks like me that have conservative surfing habits. I will say that doing the malware removal work like I'm doing here for you does take me to unsavory sites frequently when I'm checking out a URL in a log. Even with this, Nod32 and SpywareBlaster have been more than adequate to protect me. I probably should also add to that equation the fact that I am an advanced user, so I know better than to say yes or OK to every little prompt to install this or download that which comes my way while browsing. No matter how good your security is, it will not protect/prevent you from willingly allowing an infected file to be downloaded or installed.


You are playing with fire disabling your antivirus just so you can run an application. You are sure to become infected as a result. You need to get rid of Norton and get an antivirus that is light on the system or you'll regret it. Nod32 fits that bill splendidly and it is the best in my opinion. I wouldn't have an antivirus that interfered with my other functions. You need to address this issue now if your data is at all important to you.

Well, I removed the Smith stuff (lol, sorry I forgot the whole thing), and the thing about it is that it's random with the blue screen, so I don't know how it's behaving.


Has it crashed and blue screened recently? When was the last time it did?

But somehow that trojan thing keeps getting on there and I don't know how.


What "trojan thing"? Please be specific. I can't help you with this if I don't have some details. Tell me exactly what is being found and where. What is the exact file name and its location?

#9 stephyny (New Member, Topic Starter, 6 posts)

Spyware doctor found this again after I removed it (or so I thought) just before I made the initial post:

Scans (basic information only):

Scan Results:
scan start: 3/20/2007 7:04:33 PM
scan stop: 3/20/2007 7:17:03 PM
scanned items: 74252
found items: 3
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner



Infection Name Location Risk
Trojan.Downloader.CashDeluxe C:\System Volume Information\_restore{6530BB00-7968-4D03-B3D5-F149723748F6}\RP121\A0030634.dll Elevated
Trojan.Downloader.CashDeluxe C:\System Volume Information\_restore{6530BB00-7968-4D03-B3D5-F149723748F6}\RP121\A0030635.exe Elevated
Trojan.Downloader.CashDeluxe C:\System Volume Information\_restore{6530BB00-7968-4D03-B3D5-F149723748F6}\RP121\A0030636.dll Elevated



Thanks! :whistling:



So, the Trojan.Downloader.CashDeluxe as stated above is the trojan. Will have to switch off and try the other program you mentioned. Haven't blue screened lately, actually since I made the original post... thank you! :blink:

#10 Flrman1 (Malware Assassin, Retired Staff, 6,596 posts)
Those files are in System Restore also. We will clear those out when I'm sure everything else is clean. We clear out System Restore by turning it off. This removes all old restore points thereby removing all files as well. I always do that after everything else has been done just in case we need to use System Restore to restore to an earlier date if something goes wrong.

Let's run one more scan:

* Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and attach it to your next reply along with a new HijackThis log.

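The two points in this exchange, reading HijackThis entries for what they actually load and recognising that a scanner hit under System Volume Information is a restore-point copy rather than a live file, are the kind of thing that is easy to script. The following is an added example written for this page (my own Python, not code from the thread, from HijackThis or from PC Tools). The HijackThis sample lines are copied from the logs above; the scanner rows are constructed, with the second one a hypothetical System32 path added only to show the contrast with the restore-point hit.

```python
"""Triage helpers for HijackThis 1.99.1 log lines and for scanner detections
that sit inside System Restore. Added example for this thread, not code from
HijackThis, PC Tools or any poster."""
import re
from typing import Dict, List

# Constructed sample: six lines copied from the HijackThis logs above; not a
# complete log.
SAMPLE_HJT = """\
O4 - HKLM\\..\\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: Sebring - C:\\WINDOWS\\System32\\LgNotify.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\\Program Files\\Common Files\\Symantec Shared\\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
"""

# Constructed sample of Spyware Doctor "Infection Name / Location / Risk" rows:
# the first is from the thread, the second is hypothetical (a live-path hit).
SAMPLE_SCAN = """\
Trojan.Downloader.CashDeluxe C:\\System Volume Information\\_restore{6530BB00-7968-4D03-B3D5-F149723748F6}\\RP121\\A0030634.dll Elevated
Trojan.Downloader.CashDeluxe C:\\WINDOWS\\System32\\hypothetical.dll Elevated
"""

# Windows XP keeps restore-point copies under
# <drive>:\System Volume Information\_restore{GUID}\RPnnn\
RESTORE_POINT = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}\\RP\d+\\",
    re.IGNORECASE,
)
GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def triage_hjt_line(line: str) -> List[str]:
    """Return zero or more triage notes for one HijackThis log line."""
    notes: List[str] = []
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return notes
    section, body = m.groups()
    if section == "O4" and ": [" in body:
        # Autorun value "[name] command". A bare filename (no directory) is
        # resolved through the search path at logon, so it has to be located
        # and checked rather than trusted on sight.
        command = body.split(": [", 1)[1].split("] ", 1)[1].strip().strip('"')
        if "\\" not in command:
            notes.append(f"O4 autorun '{command}' has no directory; locate it and verify the file")
    elif section == "O16":
        # Downloaded Program Files: an ActiveX control installed from a URL.
        clsid = GUID.search(body)
        url = body.rsplit(" - ", 1)[-1]
        notes.append(f"O16 ActiveX {clsid.group(0) if clsid else '?'} installed from {url}")
    elif section == "O20":
        # Winlogon Notify DLLs load into winlogon.exe (SYSTEM) at every logon.
        dll = body.rsplit(" - ", 1)[-1]
        notes.append(f"O20 Winlogon Notify DLL {dll} loads into winlogon.exe; confirm its publisher")
    elif section == "O23" and body.endswith("(file missing)"):
        # The service is still registered but HijackThis could not find its binary.
        notes.append("O23 service registered but its binary was not found at the recorded path")
    return notes


def triage_log(text: str) -> List[str]:
    """Run triage_hjt_line over a whole log and collect the notes."""
    return [note for line in text.splitlines() for note in triage_hjt_line(line)]


def classify_detection(row: str) -> Dict[str, str]:
    """Split a 'Name Location Risk' scanner row and say whether the hit is live.

    A path under _restore{GUID}\\RPnnn\\ is a restore-point copy: it is inert
    unless that point is restored, and the folder is protected from normal
    cleanup, so the fix is to turn System Restore off (dropping every point).
    """
    name, rest = row.split(" ", 1)
    location, risk = rest.rsplit(" ", 1)
    in_restore = bool(RESTORE_POINT.match(location))
    return {
        "name": name,
        "location": location,
        "risk": risk,
        "state": ("restore-point copy; purge by turning System Restore off"
                  if in_restore else "active location; remove directly"),
    }


if __name__ == "__main__":
    for note in triage_log(SAMPLE_HJT):
        print(note)
    for row in SAMPLE_SCAN.splitlines():
        d = classify_detection(row)
        print(f"{d['name']}: {d['state']} ({d['location']})")
```

On the sample above the script flags the bare `BCMSMMSG.exe` autorun, the O16 download, the O20 Winlogon Notify DLL and the `(file missing)` Symantec service, and marks only the `_restore{...}\RP121\` detection as a restore-point copy. A flag is a prompt to look, not a verdict: every flagged entry here turned out to be a legitimate Broadcom, Panda, Intel or Symantec component.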

#11 stephyny (New Member, Topic Starter, 6 posts)
You rock my world! Thanks! :whistling:

Logfile of HijackThis v1.99.1
Scan saved at 8:43:47 PM, on 3/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1171162857960
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1171162815398
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Attached Files



#12 Flrman1 (Malware Assassin, Retired Staff, 6,596 posts)
Assuming everything is OK on your end, you should be good to go now! :whistling:

* If I had you use Killbox to delete any files, go ahead and delete the C:\!Killbox folder then empty the Recycle Bin.


* Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.


* Go to Windows update and install all "High Priority Updates".


* Now turn off System Restore:

On the Desktop, right-click My Computer.
Click "Properties".
Click the "System Restore" tab.
Put a check by "Turn off System Restore on all drives".
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To turn System Restore back on:

On the Desktop, right-click My Computer.
Click "Properties".
Click the "System Restore" tab.
Remove the check by "Turn off System Restore on all drives".
Click Apply, and then click OK.

To create a restore point:

Single-click "Start" and point to "All Programs".
Mouse over "Accessories", then "System Tools", and select "System Restore".
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the "Next" button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click "Create" and you're done.