Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account

Dowloader Virus Detected by Norton

Started by Guest_stormtrace_* , Sep 26 2007 08:30 PM

  • Please log in to reply

#1
Guest_stormtrace_*
Posted 26 September 2007 - 08:30 PM

Guest_stormtrace_*
  • Guest
My virus protection has detected the Downloader virus and i deleted the files that were in the quarantine folder. Can you help in removing this virus or Malware?? Below is the Hijack this scan that i performed:

Logfile of HijackThis v1.99.1
Scan saved at 10:08:14 PM, on 9/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Patten09\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: CIEIntegrator Object - {7A7F202E-AF91-4889-9DD5-2FE241085CC1} - C:\Program Files\AVSystemCare\Tools\popupg.dll
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr242.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [findfast] C:\Documents and Settings\Patten09\Application Data\findfast.exe
O4 - HKLM\..\Run: [LaserJet] C:\WINDOWS\system32\spoolvs.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKLM\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe
O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\COMMON~1\AVSYST~1\uga6pcw.exe" -start
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [findfast] C:\Documents and Settings\Patten09\Application Data\findfast.exe
O4 - HKCU\..\Run: [LaserJet] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1153192440161
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1153193128836
O20 - AppInit_DLLs: C:\WINDOWS\system32\stdole32.dat
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

Attached Files


  • 0

Advertisements

#2
SNOWHITE
Posted 27 September 2007 - 02:16 AM

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts
Hello stormtrace :)


My name is SNOWHITE and I will be helping you with your Malware problem.

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Please follow the steps below exactly in the order they are written:

Step #1

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.
Step #2

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

NOTE: If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


NOTE: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm


In your next post please include the following reports:
  • SDFix report
  • SmitfraudFix report
  • New HijackThis log
Let me know how the things went.

Regards
  • 0

#3
Guest_stormtrace_*
Posted 27 September 2007 - 04:57 AM

Guest_stormtrace_*
  • Guest
Hi Snowwhite,

Thanks so much for giving me some tools to run. Here are my findings:

I tried to run the SDfix but the tool seem to freeze and i was not able to run it from the local c: drive.

I then ran the Smitfraudfix.exe and selected search and I will post this log below:

SmitFraudFix v2.231

Scan done at 6:47:28.06, Thu 09/27/2007
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

192.168.200.3 download.microsoft.com
192.168.200.3 downloads.microsoft.com
192.168.200.3 go.microsoft.com
192.168.200.3 microsoft.com
192.168.200.3 msdn.microsoft.com
192.168.200.3 office.microsoft.com
192.168.200.3 support.microsoft.com
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 www.microsoft.com
192.168.200.3 pandasoftware.com
192.168.200.3 www.pandasoftware.com

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\printer.exe FOUND !
C:\WINDOWS\system32\WinAvXX.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Patten09


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Patten09\Application Data

C:\Documents and Settings\Patten09\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\Patten09\STARTM~1\Programs\PestTrap FOUND !
C:\DOCUME~1\Patten09\STARTM~1\Programs\Startup\system.exe FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Patten09\FAVORI~1

C:\DOCUME~1\Patten09\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\Patten09\Desktop\PestTrap.lnk FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\PestTrap\ FOUND !
C:\Program Files\Video ActiveX Access\ FOUND !
C:\Program Files\Video ActiveX Object\ FOUND !
C:\Program Files\VirusProtectPro 3.4\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3c767c6b-602d-4b9b-829d-a3dc5b2d89dd}"="haematobia"

[HKEY_CLASSES_ROOT\CLSID\{3c767c6b-602d-4b9b-829d-a3dc5b2d89dd}\InProcServer32]
@="C:\WINDOWS\system32\hjpprpu.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3c767c6b-602d-4b9b-829d-a3dc5b2d89dd}\InProcServer32]
@="C:\WINDOWS\system32\hjpprpu.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{cea2e5cd-e849-427b-80f0-59298caef1c4}"="convalescently"

[HKEY_CLASSES_ROOT\CLSID\{cea2e5cd-e849-427b-80f0-59298caef1c4}\InProcServer32]
@="C:\WINDOWS\system32\cqsfk.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{cea2e5cd-e849-427b-80f0-59298caef1c4}\InProcServer32]
@="C:\WINDOWS\system32\cqsfk.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\stdole32.dat"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{707C6447-D9E2-4770-8C39-63039F3D7B51}: DhcpNameServer=71.250.0.12 68.237.161.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{707C6447-D9E2-4770-8C39-63039F3D7B51}: DhcpNameServer=71.250.0.12 68.237.161.12
HKLM\SYSTEM\CS3\Services\Tcpip\..\{707C6447-D9E2-4770-8C39-63039F3D7B51}: DhcpNameServer=71.250.0.12 68.237.161.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=71.250.0.12 68.237.161.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=71.250.0.12 68.237.161.12
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=71.250.0.12 68.237.161.12


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Should I select the clean option in Smitfraudfix.exe??? Please let me know
  • 0

#4
SNOWHITE
Posted 27 September 2007 - 05:14 AM

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts
stormtrace,

Step #1

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Step #2

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

In your next post please include the following reports:
  • SmitfraudFix report
  • dss scan reports main.txt and extra.txt
Let me know how the things went. Also please let me know, were you trying to run SDFix in Safe mode or Normal Mode?

Thank you!
Regards,
  • 0

#5
Guest_stormtrace_*
Posted 27 September 2007 - 05:44 AM

Guest_stormtrace_*
  • Guest
Hi Snowwhite,

I was running sdfix in safe mode not normal mode. Here are the smitfraudfix report and the dss scan report:

SmitFraudFix v2.231

Scan done at 7:16:39.88, Thu 09/27/2007
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3c767c6b-602d-4b9b-829d-a3dc5b2d89dd}"="haematobia"

[HKEY_CLASSES_ROOT\CLSID\{3c767c6b-602d-4b9b-829d-a3dc5b2d89dd}\InProcServer32]
@="C:\WINDOWS\system32\hjpprpu.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3c767c6b-602d-4b9b-829d-a3dc5b2d89dd}\InProcServer32]
@="C:\WINDOWS\system32\hjpprpu.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{cea2e5cd-e849-427b-80f0-59298caef1c4}"="convalescently"

[HKEY_CLASSES_ROOT\CLSID\{cea2e5cd-e849-427b-80f0-59298caef1c4}\InProcServer32]
@="C:\WINDOWS\system32\cqsfk.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{cea2e5cd-e849-427b-80f0-59298caef1c4}\InProcServer32]
@="C:\WINDOWS\system32\cqsfk.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


192.168.200.3 ad.doubleclick.net
192.168.200.3 ad.fastclick.net
192.168.200.3 ads.fastclick.net
192.168.200.3 ar.atwola.com
192.168.200.3 atdmt.com
192.168.200.3 avp.ch
192.168.200.3 avp.com
192.168.200.3 avp.ru
192.168.200.3 awaps.net
192.168.200.3 banner.fastclick.net
192.168.200.3 banners.fastclick.net
192.168.200.3 ca.com
192.168.200.3 click.atdmt.com
192.168.200.3 clicks.atdmt.com
192.168.200.3 customer.symantec.com
192.168.200.3 dispatch.mcafee.com
192.168.200.3 download.mcafee.com
192.168.200.3 downloads-us1.kaspersky-labs.com
192.168.200.3 downloads-us2.kaspersky-labs.com
192.168.200.3 downloads-us3.kaspersky-labs.com
192.168.200.3 downloads1.kaspersky-labs.com
192.168.200.3 downloads2.kaspersky-labs.com
192.168.200.3 downloads3.kaspersky-labs.com
192.168.200.3 downloads4.kaspersky-labs.com
192.168.200.3 engine.awaps.net
192.168.200.3 f-secure.com
192.168.200.3 fastclick.net
192.168.200.3 ftp.avp.ch
192.168.200.3 ftp.downloads1.kaspersky-labs.com
192.168.200.3 ftp.downloads2.kaspersky-labs.com
192.168.200.3 ftp.downloads3.kaspersky-labs.com
192.168.200.3 ftp.f-secure.com
192.168.200.3 ftp.kasperskylab.ru
192.168.200.3 ftp.sophos.com
192.168.200.3 ids.kaspersky-labs.com
192.168.200.3 kaspersky-labs.com
192.168.200.3 kaspersky.com
192.168.200.3 liveupdate.symantec.com
192.168.200.3 liveupdate.symantecliveupdate.com
192.168.200.3 mast.mcafee.com
192.168.200.3 mcafee.com
192.168.200.3 media.fastclick.net
192.168.200.3 my-etrust.com
192.168.200.3 nai.com
192.168.200.3 networkassociates.com
192.168.200.3 norton.com
192.168.200.3 phx.corporate-ir.net
192.168.200.3 rads.mcafee.com
192.168.200.3 secure.nai.com
192.168.200.3 securityresponse.symantec.com
192.168.200.3 service1.symantec.com
192.168.200.3 sophos.com
192.168.200.3 spd.atdmt.com
192.168.200.3 symantec.com
192.168.200.3 trendmicro.com
192.168.200.3 update.symantec.com
192.168.200.3 updates.symantec.com
192.168.200.3 updates1.kaspersky-labs.com
192.168.200.3 updates2.kaspersky-labs.com
192.168.200.3 updates3.kaspersky-labs.com
192.168.200.3 updates4.kaspersky-labs.com
192.168.200.3 updates5.kaspersky-labs.com
192.168.200.3 us.mcafee.com
192.168.200.3 vil.nai.com
192.168.200.3 viruslist.com
192.168.200.3 viruslist.ru
192.168.200.3 virusscan.jotti.org
192.168.200.3 virustotal.com
192.168.200.3 www.avp.ch
192.168.200.3 www.avp.com
192.168.200.3 www.avp.ru
192.168.200.3 www.awaps.net
192.168.200.3 www.ca.com
192.168.200.3 www.f-secure.com
192.168.200.3 www.fastclick.net
192.168.200.3 www.grisoft.com
192.168.200.3 www.kaspersky-labs.com
192.168.200.3 www.kaspersky.com
192.168.200.3 www.kaspersky.ru
192.168.200.3 www.mcafee.com
192.168.200.3 www.my-etrust.com
192.168.200.3 www.nai.com
192.168.200.3 www.networkassociates.com
192.168.200.3 www.sophos.com
192.168.200.3 www.symantec.com
192.168.200.3 www.symantec.com
192.168.200.3 www.trendmicro.com
192.168.200.3 www.viruslist.com
192.168.200.3 www.viruslist.ru
192.168.200.3 www.virustotal.com
192.168.200.3 www3.ca.com

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\printer.exe Deleted
C:\WINDOWS\system32\WinAvXX.exe Deleted
C:\Documents and Settings\Patten09\Application Data\Install.dat Deleted
C:\DOCUME~1\Patten09\STARTM~1\Programs\PestTrap Deleted
C:\DOCUME~1\Patten09\STARTM~1\Programs\Startup\system.exe Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe Deleted
C:\DOCUME~1\Patten09\Desktop\PestTrap.lnk Deleted
C:\DOCUME~1\Patten09\FAVORI~1\Online Security Test.url Deleted
C:\Program Files\PestTrap\ Deleted
C:\Program Files\Video ActiveX Access\ Deleted
C:\Program Files\Video ActiveX Object\ Deleted
C:\Program Files\VirusProtectPro 3.4\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{707C6447-D9E2-4770-8C39-63039F3D7B51}: DhcpNameServer=71.250.0.12 68.237.161.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{707C6447-D9E2-4770-8C39-63039F3D7B51}: DhcpNameServer=71.250.0.12 68.237.161.12
HKLM\SYSTEM\CS3\Services\Tcpip\..\{707C6447-D9E2-4770-8C39-63039F3D7B51}: DhcpNameServer=71.250.0.12 68.237.161.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=71.250.0.12 68.237.161.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=71.250.0.12 68.237.161.12
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=71.250.0.12 68.237.161.12


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Here is the DSS scan report:

Deckard's System Scanner v20070905.67
Run by Patten09 on 2007-09-27 07:32:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 5 Restore Point(s) --
67: 2007-09-25 20:36:57 UTC - RP517 - System Checkpoint
66: 2007-09-24 14:13:37 UTC - RP516 - System Checkpoint
65: 2007-09-23 09:33:46 UTC - RP515 - System Checkpoint
64: 2007-09-22 08:33:46 UTC - RP514 - System Checkpoint
63: 2007-09-21 07:33:45 UTC - RP513 - System Checkpoint


-- First Restore Point --
1: 2007-07-20 11:53:14 UTC - RP451 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-27 07:35:28
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Verizon Online\Help Support\VerizonSupport.exe
C:\Program Files\Verizon Online\Help Support\SmartBridge\MotiveSB.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Patten09\Desktop\dss.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar4.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [findfast] C:\Documents and Settings\Patten09\Application Data\findfast.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [LaserJet] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [findfast] C:\Documents and Settings\Patten09\Application Data\findfast.exe
O4 - HKCU\..\Run: [LaserJet] C:\WINDOWS\system32\spoolvs.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ntent/opuc3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1153192440161
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1153193128836
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe"
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe"
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ScsiAccess - c:\windows\system32\scsiaccess.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_125D&DEV_2838&SUBSYS_2838125D&REV_01\4&24AB0D93&0&10F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_125D&DEV_2838&SUBSYS_2838125D&REV_01\4&24AB0D93&0&10F0
Service:


-- Files created between 2007-08-27 and 2007-09-27 -----------------------------

2007-09-27 06:47:34 3094 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-27 06:47:10 0 d-------- C:\SmitfraudFix
2007-09-27 06:47:07 1007596 --a------ C:\SmitfraudFix.exe
2007-09-27 06:47:00 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-09-27 06:47:00 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-09-27 06:47:00 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-09-27 06:47:00 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-27 06:22:05 0 d-------- C:\WINDOWS\ERUNT
2007-09-26 21:26:21 46913 --a------ C:\WINDOWS\svhjdsah.exe
2007-09-25 17:39:51 0 d-------- C:\Documents and Settings\LocalService\Application Data\Help
2007-09-24 17:41:36 0 d--hs---- C:\UGA6P
2007-09-24 17:41:23 0 d-------- C:\Documents and Settings\Patten09\Application Data\AVSystemCare


-- Find3M Report ---------------------------------------------------------------

2007-09-24 17:41:00 0 d-------- C:\Program Files\Common Files
2007-08-09 13:39:15 2608 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [07/30/2002 11:35 AM]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/17/2002 12:28 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/14/2006 04:24 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07/22/2006 10:09 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [11/10/2005 01:03 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [09/30/2004 08:03 PM]
"A Verizon App"="C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [05/23/2005 01:20 PM]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe" [04/13/2005 07:51 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [09/13/2004 03:49 PM]
"findfast"="C:\Documents and Settings\Patten09\Application Data\findfast.exe" []
"LaserJet"="C:\WINDOWS\system32\spoolvs.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [10/13/2004 12:24 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/08/2007 03:21 PM]
"findfast"="C:\Documents and Settings\Patten09\Application Data\findfast.exe" []
"LaserJet"="C:\WINDOWS\system32\spoolvs.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/4/2004 7:28:24 PM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [11/4/2004 7:50:52 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [4/27/2004 2:04:44 AM]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2/11/2004 4:58:16 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- Hosts -----------------------------------------------------------------------

192.168.200.3 ad.doubleclick.net
192.168.200.3 ad.fastclick.net
192.168.200.3 ads.fastclick.net
192.168.200.3 ar.atwola.com
192.168.200.3 atdmt.com
192.168.200.3 avp.ch
192.168.200.3 avp.com
192.168.200.3 avp.ru
192.168.200.3 awaps.net
192.168.200.3 banner.fastclick.net

81 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-09-27 07:36:48 ------------

Please let me know what needs to be done next

Thanks again for all off your help..

Stormtrace
  • 0

#6
Guest_stormtrace_*
Posted 27 September 2007 - 05:52 AM

Guest_stormtrace_*
  • Guest
Hi Snowwhite,

I am currently doing a virus scan on the c: drive and it found 4 virus files all pertaining to the downloader virus. Just as a footnote. And it seems that my control panel is no longer on the desktop.. Any suggestions??

Stormtrace
  • 0

#7
SNOWHITE
Posted 27 September 2007 - 07:50 AM

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts
Please try re-running SDFix like instructed in Post #2, after that follow these steps:

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

If SDFix fails again, just proceed with combofix and post back the report back here, together with new HijackThis log.

Regards,
  • 0

#8
Guest_stormtrace_*
Posted 27 September 2007 - 05:05 PM

Guest_stormtrace_*
  • Guest
Hi Snowwhite,

Do I Run the combofix in safe mode or regular?? Please let me know

Thanks

Stormtrace
  • 0

#9
Guest_stormtrace_*
Posted 27 September 2007 - 05:29 PM

Guest_stormtrace_*
  • Guest
Hi Snow white,

I was not able to run sdfix as it just froze. However i successfully ran the combofix in safe mode and here is the log report:

ComboFix 07-09-21.2 - "Patten09" 2007-09-27 19:15:15.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.392 [GMT -4:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Patten09\APPLIC~1.\AVSystemCare
C:\DOCUME~1\Patten09\APPLIC~1.\AVSystemCare\avtasks.dat
C:\DOCUME~1\Patten09\APPLIC~1.\AVSystemCare\Logs\av.log
C:\DOCUME~1\Patten09\APPLIC~1.\AVSystemCare\Logs\ga6Support.log
C:\DOCUME~1\Patten09\APPLIC~1.\AVSystemCare\Logs\update.log
C:\DOCUME~1\Patten09\APPLIC~1\drvcleaner.exe
C:\DOCUME~1\Patten09\APPLIC~1\errsafer.exe
C:\DOCUME~1\Patten09\APPLIC~1\install_en[2].exe
C:\DOCUME~1\Patten09\ResErrors.log
C:\UGA6P

.
((((((((((((((((((((((((( Files Created from 2007-08-27 to 2007-09-27 )))))))))))))))))))))))))))))))
.

2007-09-27 19:14 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 19:13 1,486,342 --a------ C:\ComboFix.exe
2007-09-27 08:20 <DIR> d-------- C:\SmitfraudFix
2007-09-27 08:20 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Help
2007-09-27 07:23 <DIR> d-------- C:\Deckard
2007-09-27 06:47 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-27 06:47 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-27 06:47 3,094 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-27 06:47 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-27 06:47 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-27 06:47 1,007,596 --a------ C:\SmitfraudFix.exe
2007-09-27 06:22 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-26 21:26 46,913 --a------ C:\WINDOWS\svhjdsah.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-15 16:20 95696 --a------ C:\DOCUME~1\Patten09\APPLIC~1\sysdoctor.exe
2007-08-15 16:20 87248 --a------ C:\DOCUME~1\Patten09\APPLIC~1\antivir.exe
2007-08-06 15:45 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2004-12-22 08:07 92880 --a------ C:\DOCUME~1\Patten09\APPLIC~1\errprotec.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-22 10:09]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-09-30 20:03]
"A Verizon App"="C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 13:20]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe" [2005-04-13 19:51]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"findfast"="C:\Documents and Settings\Patten09\Application Data\findfast.exe" []
"LaserJet"="C:\WINDOWS\system32\spoolvs.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-08 15:21]
"findfast"="C:\Documents and Settings\Patten09\Application Data\findfast.exe" []
"LaserJet"="C:\WINDOWS\system32\spoolvs.exe" []

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-04-27 02:04:44]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-11 16:58:16]

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
S2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys
S3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\system32\DRIVERS\hphid409.sys
S3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\system32\DRIVERS\hphipr09.sys
S3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\system32\Drivers\hphs2k09.sys
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys

*Newly Created Service* - CATCHME
*Newly Created Service* - DCFS2K
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-27 19:17:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-27 19:18:52
C:\ComboFix-quarantined-files.txt ... 2007-09-27 19:18
.
--- E O F ---



HERE IS THE NEW HIJACK THIS LOG REPORT:

Logfile of HijackThis v1.99.1
Scan saved at 7:25:41 PM, on 9/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Patten09\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [findfast] C:\Documents and Settings\Patten09\Application Data\findfast.exe
O4 - HKLM\..\Run: [LaserJet] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [findfast] C:\Documents and Settings\Patten09\Application Data\findfast.exe
O4 - HKCU\..\Run: [LaserJet] C:\WINDOWS\system32\spoolvs.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1153192440161
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1153193128836
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
  • 0

#10
Guest_stormtrace_*
Posted 29 September 2007 - 07:00 AM

Guest_stormtrace_*
  • Guest
Hi Snow white,

Just wanted to let you know that this seem to fix the problems and everything is back to normal. I appreciate all of your help and keep up the great work!!!!


Thanks

stormtrace
  • 0

#11
SNOWHITE
Posted 30 September 2007 - 02:28 AM

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts

Hi Snow white,

Just wanted to let you know that this seem to fix the problems and everything is back to normal. I appreciate all of your help and keep up the great work!!!!


Thanks

stormtrace

Hello stormtrace,

There is still some job to do here, please stay with me until i tell you that you are ready to go :)

Please follow the steps below exactly in the order they are written:

Step #1

Download the HostsXpert 3.7 - Hosts File Manager.
  • Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Step #2

Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [findfast] C:\Documents and Settings\Patten09\Application Data\findfast.exe
O4 - HKLM\..\Run: [LaserJet] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [findfast] C:\Documents and Settings\Patten09\Application Data\findfast.exe
O4 - HKCU\..\Run: [LaserJet] C:\WINDOWS\system32\spoolvs.exe


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Step #2

Please run ComboFix in Normal Mode.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\DOCUME~1\Patten09\APPLIC~1\errprotec.exe

Collect::[29]
C:\WINDOWS\svhjdsah.exe

Suspect::[29]
C:\DOCUME~1\Patten09\APPLIC~1\sysdoctor.exe
C:\DOCUME~1\Patten09\APPLIC~1\antivir.exe
C:\Documents and Settings\Patten09\Application Data\findfast.exe


Save this as "CFScript"


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. Additonally, ComboFix will generate the following files on your desktop
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
ComboFix may need to reboot to finish its work. Let it.

When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
Once the file has been submitted, please DELETE both files on your desktop.

Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run in Normal Mode after ComboFix has finished its work.)
Regards

Edited by SNOWHITE, 30 September 2007 - 02:36 AM.

  • 0

#12
Guest_stormtrace_*
Posted 07 October 2007 - 06:39 AM

Guest_stormtrace_*
  • Guest
Hi Snowwhite,

I have to get this machine back from my brother in law and then I will Finish this process up with you. I will post as soon as i get this back.


Thanks again for all of your assistance

Stormtrace
  • 0

#13
SNOWHITE
Posted 08 October 2007 - 01:57 AM

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts

Hi Snowwhite,

I have to get this machine back from my brother in law and then I will Finish this process up with you. I will post as soon as i get this back.


Thanks again for all of your assistance

Stormtrace

Hello Stormtrace,
Thanks for letting me know :)

Regards
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP