
.:possible trojan.w32.looksky and others:.



#1
ra007 (New Member, 6 posts)
AS REQUESTED BY DON77:

---SMITFRAUDFIX LOG---

SmitFraudFix v2.212

Scan done at 17:31:06.01, Thu 2007-08-16
Run from C:\Documents and Settings\bpr.MHL\Desktop\Anti-Troj\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Texas Instruments
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 205.171.3.65

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2B3A2D6E-301A-49F6-82B8-5DB3CD37D709}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B69B6C61-A45F-4C7F-A647-38F217F21ABD}: NameServer=192.168.0.1,205.171.3.65
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2B3A2D6E-301A-49F6-82B8-5DB3CD37D709}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B69B6C61-A45F-4C7F-A647-38F217F21ABD}: NameServer=192.168.0.1,205.171.3.65
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2B3A2D6E-301A-49F6-82B8-5DB3CD37D709}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B69B6C61-A45F-4C7F-A647-38F217F21ABD}: NameServer=192.168.0.1,205.171.3.65
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


thanks!
-ra



#2
ra007 (Topic Starter, New Member, 6 posts)
AS REQUESTED BY JWBIRDSONG

---HJT LOG---


Logfile of HijackThis v1.99.1
Scan saved at 17:47, on 2007-08-16
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\DOWNLO~1\WebEx\319\atnthost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\bpr.MHL\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\NT\nrcs.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\NT\nrcs.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {283A0EE3-2CC1-45AB-8207-B1D7B69C7F83} - C:\WINNT\duocore.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Microsoft ® Windows Vista/NT Runtime Compatibility Service] C:\WINNT\NT\nrcs.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai...cat-no-eula.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B69B6C61-A45F-4C7F-A647-38F217F21ABD}: NameServer = 192.168.0.1,205.171.3.65
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AT Host Service (atnthost) - WebEx - C:\WINNT\DOWNLO~1\WebEx\319\atnthost.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Windows Vista/NT Runtime Compatibility Service (ntrcs) - Unknown owner - C:\WINNT\NT\nrcs.exe (file missing)
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINNT\system32\wgareg.exe (file missing)

#3
jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
You need to print this out or save a copy to Notepad for reading because you can NOT have IE/FF or any browser open while doing the fix.

Go to Start | Run and type this in the box: services.msc
  • Locate these services: 'Windows Genuine Advantage Registration Service (wgareg)' and 'Windows Vista/NT Runtime Compatibility Service (ntrcs)', then right click and select Properties.
  • Under Service Status: select Stop
  • In the drop down box labeled Startup Type: select Disabled
Open HijackThis and click on Do a system scan only. Place a check mark next to the following:



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\NT\nrcs.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\NT\nrcs.exe
O2 - BHO: MSVPS System - {283A0EE3-2CC1-45AB-8207-B1D7B69C7F83} - C:\WINNT\duocore.dll (file missing)
O4 - HKLM\..\Run: [Microsoft ® Windows Vista/NT Runtime Compatibility Service] C:\WINNT\NT\nrcs.exe
O23 - Service: Windows Vista/NT Runtime Compatibility Service (ntrcs) - Unknown owner - C:\WINNT\NT\nrcs.exe (file missing)
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINNT\system32\wgareg.exe (file missing)


Close ALL other open windows and programs and click Fix checked.

Now Download SDFix and save it to your desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix

Please then reboot your computer in Safe Mode (without Networking) by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the C:\SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here along with a ComboFix log (below).
Download ComboFix to your desktop.
Double click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
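A small triage script, added here as an example and not part of this thread or of HijackThis, SDFix or ComboFix, that reads HijackThis v1.99.1-style log lines and flags the same kinds of entries jwbirdsong singled out above: a Shell= or UserInit= value that chains an extra executable, load points whose file is missing, services with no publisher, and Run entries that launch a path already chained via Shell=/UserInit=. The sample lines are constructed from post #2; the expected userinit path assumes the Windows 2000 layout C:\WINNT\system32\userinit.exe seen in the poster's logs.

```python
import re

# Constructed sample in HijackThis v1.99.1 log format, modelled on post #2.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\NT\nrcs.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\NT\nrcs.exe
O2 - BHO: MSVPS System - {283A0EE3-2CC1-45AB-8207-B1D7B69C7F83} - C:\WINNT\duocore.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Microsoft ® Windows Vista/NT Runtime Compatibility Service] C:\WINNT\NT\nrcs.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O23 - Service: Windows Vista/NT Runtime Compatibility Service (ntrcs) - Unknown owner - C:\WINNT\NT\nrcs.exe (file missing)
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINNT\system32\wgareg.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# What a clean Windows 2000 box should carry in these two system.ini keys.
# Assumption: %SystemRoot% is C:\WINNT, as in the poster's logs.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\winnt\system32\userinit.exe"

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (.+)$")


def _norm(path):
    """Lower-case a path and drop surrounding quotes so variants compare equal."""
    return path.strip().strip('"').lower()


def _run_target(command):
    """Executable part of an O4 command line: the quoted token or the first word."""
    command = command.strip()
    if command.startswith('"'):
        return _norm(command[1:command.find('"', 1)])
    return _norm(command.split()[0])


def triage_hjt(log_text):
    """Return (line, reason) pairs for entries that warrant a helper's attention."""
    findings = []
    chained = set()  # executables hooked in via Shell= / UserInit=
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "Shell":   # space-separated; Windows expects just Explorer.exe
                parts = [_norm(p) for p in value.split()]
                extra = [p for p in parts if p != EXPECTED_SHELL]
            else:                # comma-separated; Windows expects just userinit.exe
                parts = [_norm(p) for p in value.split(",") if p.strip()]
                extra = [p for p in parts if p != EXPECTED_USERINIT]
            if extra:
                chained.update(extra)
                findings.append((line, key + "= chains extra program(s): " + ", ".join(extra)))
            continue
        if "(file missing)" in line:
            findings.append((line, "load point refers to a file that is no longer present"))
            continue
        if line.startswith("O23 - Service:") and "Unknown owner" in line:
            findings.append((line, "service has no publisher information"))
            continue
        m = O4_RE.match(line)
        if m and _run_target(m.group(1)) in chained:
            findings.append((line, "Run entry launches a path already chained via Shell=/UserInit="))
    return findings


if __name__ == "__main__":
    for entry, why in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{why}\n    {entry}")
```

On the sample above it reports six entries and leaves the R0, Java BHO, ctfmon and AVG lines alone; the Shell=/UserInit= correlation is what ties the O4 entry to the same loader.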

#4
ra007 (Topic Starter, New Member, 6 posts)
---SD Fix Log (post-cleanup) as requested by jwbirdsong---


SDFix: Version 1.98

Run by bpr on Thu 08/16/2007 at 6:56p

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
ntrcs
wgareg

ImagePath:
C:\WINNT\NT\nrcs.exe
C:\WINNT\system32\wgareg.exe

ntrcs - Deleted
wgareg - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINNT\dat.txt - Deleted



Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\bpr.MHL\NetHood\ftp.asalegal.com\Desktop.ini
C:\Documents and Settings\bpr.MHL\NetHood\ftp.rainmakerlegal.com\Desktop.ini
C:\WINNT\SYSTEM32\PackethSvc.exe
C:\Documents and Settings\bpr.MHL\Application Data\MSN6\msnupdate!@#@.exe
C:\WINNT\SoftwareDistribution\Download\S-1-5-18d40b7b519a5ba97d7bcd356fed41771\BIT6.tmp
C:\Documents and Settings\bpr.MHL\My Documents\My Pictures\Bobby\~WRL0001.tmp
C:\Documents and Settings\bpr.MHL\My Documents\data\Word\~WRL0194.tmp
C:\Documents and Settings\bpr.MHL\Application Data\Microsoft\Word\~WRL3851.tmp
C:\Documents and Settings\bpr.MHL\Application Data\Microsoft\Word\~WRL3762.tmp
C:\Documents and Settings\bpr.MHL\Application Data\Microsoft\Word\~WRL3842.tmp
C:\Documents and Settings\bpr.MHL\Application Data\Microsoft\Word\~WRL3873.tmp
C:\Documents and Settings\bpr.MHL\Application Data\Microsoft\Word\~WRL3152.tmp

Finished


#5
ra007 (Topic Starter, New Member, 6 posts)
---ComboFix Log (post-cleanup) as requested by jwbirdsong---



ComboFix 07-08-16.3 - "bpr" 2007-08-16 19:04:03.2 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.286 [GMT -7:00]


((((((((((((((((((((((((( Files Created from 2007-07-17 to 2007-08-17 )))))))))))))))))))))))))))))))


2007-08-16 19:04 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_3b8.dat
2007-08-16 18:59 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_340.dat
2007-08-16 18:55 <DIR> d-------- C:\WINNT\ERUNT
2007-08-16 17:12 16,384 --a------ C:\WINNT\SYSTEM32\Perflib_Perfdata_334.dat
2007-08-16 17:09 10,872 --a------ C:\WINNT\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-08-16 17:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-16 17:03 <DIR> d-------- C:\DOCUME~1\bpr.MHL\APPLIC~1\SUPERAntiSpyware.com
2007-08-16 17:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-16 15:49 53,248 --a------ C:\WINNT\SYSTEM32\Process.exe
2007-08-16 15:49 51,200 --a------ C:\WINNT\SYSTEM32\dumphive.exe
2007-08-16 15:49 288,417 --a------ C:\WINNT\SYSTEM32\SrchSTS.exe
2007-08-16 15:49 1,768 --a------ C:\WINNT\SYSTEM32\tmp.reg
2007-08-16 15:40 16,384 --a------ C:\WINNT\SYSTEM32\Perflib_Perfdata_33c.dat
2007-08-16 15:38 8,192 --a------ C:\WINNT\SYSTEM32\default_user_class.dat
2007-08-16 15:36 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-15 18:52 <DIR> d-------- C:\Program Files\MemInfo
2007-08-11 11:46 <DIR> d-------- C:\WINNT\$regcmp$
2007-08-11 11:46 <DIR> d-------- C:\Program Files\Registry Clean Expert
2007-08-11 10:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Drivers Headquarters
2007-08-11 10:21 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2007-08-11 09:36 <DIR> d-------- C:\Program Files\ToniArts
2007-08-11 09:25 <DIR> d-------- C:\DOCUME~1\bpr.MHL\APPLIC~1\Uniblue
2007-08-10 22:48 <DIR> d-------- C:\Program Files\Free&Easy Font Viewer
2007-08-02 21:15 <DIR> d-------- C:\Program Files\Microsoft Student
2007-08-02 21:15 <DIR> d-------- C:\Program Files\Learning Essentials


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

07-06-30 13:49 --------- d-------- C:\Program Files\IDA
07-06-30 13:49 --------- d-------- C:\DOCUME~1\bpr.MHL\APPLIC~1\Internet Download Accelerator
07-06-22 21:25 --------- d-------- C:\DOCUME~1\bpr.MHL\APPLIC~1\MSNInstaller
07-06-21 14:41 --------- d-------- C:\Program Files\UPHClean
07-06-21 14:26 --------- d-------- C:\Program Files\MSECache
07-06-20 22:03 --------- d-------- C:\DOCUME~1\bpr.MHL\APPLIC~1\MSN6
07-06-20 19:54 --------- d-------- C:\Program Files\Qwest
07-06-20 19:54 --------- d-------- C:\Program Files\Common Files\supportsoft
07-06-20 19:54 --------- d-------- C:\Program Files\Actiontec
07-06-20 19:54 --------- d-------- C:\Program Files\2Wire_USB_Drivers
01-06-19 13:05 271 --ah----- C:\Program Files\DESKTOP.INI
01-06-19 13:05 21952 --ah----- C:\Program Files\FOLDER.HTT
01-05-08 07:00 32528 --a------ C:\WINNT\inf\WBFIRDMA.SYS
00-04-19 08:09 61510 --a------ C:\WINNT\inf\probedis.exe
00-04-19 07:58 69702 --a------ C:\WINNT\inf\3cshtdwn.exe
00-04-19 07:56 49152 --a------ C:\WINNT\inf\3cmlink.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 C:\WINNT\SYSTEM32\mobsync.exe]
"NetscapeClient"="" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [06-11-03 18:20 ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [07-06-11 02:25 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\SYSTEM32\CTFMON.EXE]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [07-02-27 11:39 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys
R0 IntelATA;Intel Ultra ATA Controller;C:\WINNT\system32\DRIVERS\IntelAta.sys
R0 mraid2k;mraid2k;C:\WINNT\system32\DRIVERS\mraid2k.sys
R1 cdrbsvsd;cdrbsvsd;C:\WINNT\system32\drivers\cdrbsvsd.sys
R1 cmosa;cmosa;C:\WINNT\system32\DRIVERS\cmosa.sys
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINNT\system32\DRIVERS\msikbd2k.sys
R2 ATNT40K;ActiveTouch NT Appsharing Driver;C:\WINNT\system32\DRIVERS\ATNT40K.SYS
R2 atnthost;AT Host Service;"C:\WINNT\DOWNLO~1\WebEx\319\atnthost.exe"
R2 ATNTWINK;ActiveTouch Remote Control Driver;C:\WINNT\system32\DRIVERS\ATNTWINK.SYS
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
R3 3c1807pd;U.S. Robotics 56K Fax Win Int;C:\WINNT\system32\DRIVERS\3c1807pd.sys
R3 ati2mtaa;ati2mtaa;C:\WINNT\system32\DRIVERS\ati2mtaa.sys
R3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;C:\WINNT\system32\DRIVERS\L8042mou.Sys
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
S3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
S3 JL2005;JL2005A Toy Camera;C:\WINNT\system32\Drivers\toywdm.sys


Contents of the 'Scheduled Tasks' folder
2007-08-17 02:03:12 C:\WINNT\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
2007-08-11 16:25:20 C:\WINNT\Tasks\Uniblue SpeedUpMyPC.job - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
2007-08-11 16:25:20 C:\WINNT\Tasks\Uniblue SpeedUpMyPC Nag.job - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
2007-08-15 09:30:02 C:\WINNT\Tasks\DAILY.job - C:\Program Files\StompSoft\Backup MyPC 6\System\sbestart.exe
2007-08-15 02:55:02 C:\WINNT\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-16 19:04:50
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-16 19:05:19
C:\ComboFix-quarantined-files.txt ... 07-08-16 19:05
C:\ComboFix2.txt ... 07-08-16 15:41

--- E O F ---


#6
jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Please do an online scan with Kaspersky WebScanner
MUST USE IE

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
When done post the Kaspersky log and a fresh HijackThis log.

Edited by jwbirdsong, 16 August 2007 - 09:56 PM.


#7
ra007 (Topic Starter, New Member, 6 posts)
---ActiveScan Log Report as Requested by jwbirdsong---



Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\WINNT\SYSTEM32\Process.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\NIRCMD.EXE
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\BPR.MHL\Desktop\Downloads\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\BPR.MHL\Desktop\Anti-Troj\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\BPR.MHL\Desktop\Anti-Troj\SmitfraudFix\RESTART.EXE
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\BPR.MHL\Desktop\Anti-Troj\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected C:\Documents and Settings\BPR.MHL\Desktop\Robert A. Gavino\SPPScript4.zip[SPPScript4/moo.dll]
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\APPS\Process.exe


#8
jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Good job, your log is clean.

You can delete the ComboFix, SmitFraudFix, SDFix and C:\QooBox folder/files now.

You also NEED to update your Java (wayyy outdated)... follow the guidelines HERE

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and downloads are available at the links in the following article by TonyKlein

Make SURE to read How Did I Get Infected in the First Place??