Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Win32.Trojan.Yspy

Started by kelkay , Jun 10 2008 07:09 AM

  • This topic is locked This topic is locked

#61
koko_crunch
Posted 17 June 2008 - 04:50 PM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Please make sure you login to an account with Administrator right before proceeding with the fix.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

First, Since they're giving us a hard time. Let's switch off all firewalls other than the Windows built-in firewall.

Enable Windows Firewall in Windows XP SP2
1. Click Start, click Run, type Firewall.cpl, and then click OK.
2. On the General tab, click On (recommended), and then click OK.

Disable ZoneAlarm firewall
http://www.leeindy.c...hutdown-1.shtml

Disable Norton Firewall
http://www.iinet.net...lls/norton.html

Next,

Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon.
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.

Then,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Finally,

Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.


Please post back with the following logs.
- SDFIX log
- Smitfraudfix log
- New HijackThis log

Edited by koko_crunch, 17 June 2008 - 04:50 PM.

  • 0

Advertisements

#62
kelkay
Posted 18 June 2008 - 09:28 PM

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
Sorry I will get to this when I can. I have been on a mini-vacation, and haven't had time to do these latest scans, and downloads. I will get to it when I can. I really appreciate your help. When I get time to do it, I will...and I will post my data afterwards. You have been such a great help. I really appreciate it. :)
  • 0

#63
koko_crunch
Posted 20 June 2008 - 01:05 PM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
No problem. Just get to it when you can.
Enjoy your mini-vacation. :)
  • 0

#64
kelkay
Posted 23 June 2008 - 01:09 PM

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
:) Mini-vacation is now over. I am gonna start on the next steps. It looks a bit challenging for me. I will give them a try.
  • 0

#65
kelkay
Posted 23 June 2008 - 01:14 PM

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
I have Registry Mechanic, could I just use that instead? I see the daft.exe file is a registry program.
  • 0

#66
kelkay
Posted 23 June 2008 - 01:18 PM

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
Okay the first step has been done. Only one file needed fixing. Now on to the next step....
  • 0

#67
koko_crunch
Posted 23 June 2008 - 02:43 PM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Hey kelkay,

Nice to hear form you again.
How's your "mini-vacation"?

Did you go over the steps one by one? Please do.
Post back with the required logs when finished. :)
  • 0

#68
kelkay
Posted 23 June 2008 - 03:58 PM

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
My little vacation was fishing... :) it was pretty good. I needed a break. I had to go get some printer paper cause I was out. I am going on to the next step now. Sorry it took me so long to get back on this. These infection/trojans/malware or whatever are getting on my nerves. I feel like even if I get them cleaned out, they will just be right back. I have done the page about preventing them, but still seem to get them. I wonder if it is My Space stuff the kids are on...my son views You Tube a lot as well.
  • 0

#69
koko_crunch
Posted 23 June 2008 - 04:39 PM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts

My little vacation was fishing... yes.gif it was pretty good. I needed a break. I had to go get some printer paper cause I was out. I am going on to the next step now. Sorry it took me so long to get back on this.


That very nice. Looks like you enjoyed it very much. Good for you. :)
That perfectly fine. Just post back when you're done.

I feel like even if I get them cleaned out, they will just be right back. I have done the page about preventing them, but still seem to get them. I wonder if it is My Space stuff the kids are on...my son views You Tube a lot as well.


There's no guarantee that you won't be infected again.
But, there are steps you might take to limit the chances.
Malware attacks at different fronts, making sure your defense are up on those areas will surely minimize the occurrence.
  • 0

#70
kelkay
Posted 23 June 2008 - 04:41 PM

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
Okay I did this, now I will do a HiJack this scan/log.



SDFix: Version 1.196
Run by Kelly on Mon 06/23/2008 at 17:10

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\AUDACI~1.EXE - Deleted
C:\COFFEE~1.EXE - Deleted
C:\COFFEE~2.EXE - Deleted
C:\WINDOWS\system32\1D.tmp - Deleted


Could Not Remove C:\csrss.exe
Could Not Remove C:\winstall.exe
Could Not Remove C:\WINDOWS\2020search.dll
Could Not Remove C:\WINDOWS\2020search2.dll
Could Not Remove C:\WINDOWS\avpcc.dll
Could Not Remove C:\WINDOWS\csrss.exe
Could Not Remove C:\WINDOWS\ctrlpan.dll
Could Not Remove C:\WINDOWS\explore.exe
Could Not Remove C:\WINDOWS\FVProtect.exe
Could Not Remove C:\WINDOWS\iexplorer.exe
Could Not Remove C:\WINDOWS\lsasss.exe
Could Not Remove C:\WINDOWS\msconfd.dll
Could Not Remove C:\WINDOWS\mssvr.exe
Could Not Remove C:\WINDOWS\olehelp.exe
Could Not Remove C:\WINDOWS\qttasks.exe
Could Not Remove C:\WINDOWS\rundll16.exe
Could Not Remove C:\WINDOWS\services.exe
Could Not Remove C:\WINDOWS\sistem.exe
Could Not Remove C:\WINDOWS\svchost.exe
Could Not Remove C:\WINDOWS\system32\alsys.exe
Could Not Remove C:\WINDOWS\system32\bho.dll
Could Not Remove C:\WINDOWS\system32\bootconf.exe
Could Not Remove C:\WINDOWS\system32\e1.dll
Could Not Remove C:\WINDOWS\system32\emesx.dll
Could Not Remove C:\WINDOWS\system32\iexplore.exe
Could Not Remove C:\WINDOWS\system32\iexplorer.exe
Could Not Remove C:\WINDOWS\system32\internet.exe
Could Not Remove C:\WINDOWS\system32\ipv6mons.dll
Could Not Remove C:\WINDOWS\system32\msclt.exe
Could Not Remove C:\WINDOWS\system32\msmsgs.exe
Could Not Remove C:\WINDOWS\system32\mstc.exe
Could Not Remove C:\WINDOWS\system32\msupdate.exe
Could Not Remove C:\WINDOWS\system32\mswins.exe
Could Not Remove C:\WINDOWS\system32\nordsys.exe
Could Not Remove C:\WINDOWS\system32\ppl.exe
Could Not Remove C:\WINDOWS\system32\remote.exe
Could Not Remove C:\WINDOWS\system32\rundll.exe
Could Not Remove C:\WINDOWS\system32\rx.exe
Could Not Remove C:\WINDOWS\system32\scvhost32.exe
Could Not Remove C:\WINDOWS\system32\se.exe
Could Not Remove C:\WINDOWS\system32\server.exe
Could Not Remove C:\WINDOWS\system32\svchost32.exe
Could Not Remove C:\WINDOWS\system32\svhost.exe
Could Not Remove C:\WINDOWS\system32\svshost.exe
Could Not Remove C:\WINDOWS\system32\sys.exe
Could Not Remove C:\WINDOWS\system32\taskgmr.exe
Could Not Remove C:\WINDOWS\system32\update.exe
Could Not Remove C:\WINDOWS\system32\wgareg.exe
Could Not Remove C:\WINDOWS\system32\wgavm.exe
Could Not Remove C:\WINDOWS\system32\win32.exe
Could Not Remove C:\WINDOWS\system32\windll.exe
Could Not Remove C:\WINDOWS\system32\windowz.exe
Could Not Remove C:\WINDOWS\system32\winhost.exe
Could Not Remove C:\WINDOWS\system32\winsvc.exe
Could Not Remove C:\WINDOWS\system32\winsys32.exe
Could Not Remove C:\WINDOWS\system32\winupd.exe
Could Not Remove C:\WINDOWS\system32\winxp.exe
Could Not Remove C:\WINDOWS\system32\zlbw.dll
Could Not Remove C:\WINDOWS\userconfig9x.dll
Could Not Remove C:\WINDOWS\voiceip.dll
Could Not Remove C:\WINDOWS\winlogon.exe
Could Not Remove C:\WINDOWS\winserv.exe
Could Not Remove C:\WINDOWS\xpupdate.exe
Could Not Remove C:\WINDOWS\system32\wincom32.sys



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 17:30:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1164757353\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1164757353\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"="C:\\Program Files\\Paltalk Messenger\\paltalk.exe:*:Enabled:Paltalk 9 beta"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"="C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe:*:Enabled:Zoo Tycoon 2 Executable"
"C:\\Program Files\\Common Files\\AOL\\1164757353\\EE\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1164757353\\EE\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\kontiki\\KService.exe"="C:\\Program Files\\kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

Remaining Files :

C:\csrss.exe Found
C:\winstall.exe Found
C:\WINDOWS\2020search.dll Found
C:\WINDOWS\2020search2.dll Found
C:\WINDOWS\avpcc.dll Found
C:\WINDOWS\csrss.exe Found
C:\WINDOWS\ctrlpan.dll Found
C:\WINDOWS\explore.exe Found
C:\WINDOWS\FVProtect.exe Found
C:\WINDOWS\iexplorer.exe Found
C:\WINDOWS\lsasss.exe Found
C:\WINDOWS\msconfd.dll Found
C:\WINDOWS\mssvr.exe Found
C:\WINDOWS\olehelp.exe Found
C:\WINDOWS\qttasks.exe Found
C:\WINDOWS\rundll16.exe Found
C:\WINDOWS\services.exe Found
C:\WINDOWS\sistem.exe Found
C:\WINDOWS\svchost.exe Found
C:\WINDOWS\system32\alsys.exe Found
C:\WINDOWS\system32\bho.dll Found
C:\WINDOWS\system32\bootconf.exe Found
C:\WINDOWS\system32\e1.dll Found
C:\WINDOWS\system32\emesx.dll Found
C:\WINDOWS\system32\iexplore.exe Found
C:\WINDOWS\system32\iexplorer.exe Found
C:\WINDOWS\system32\internet.exe Found
C:\WINDOWS\system32\ipv6mons.dll Found
C:\WINDOWS\system32\msclt.exe Found
C:\WINDOWS\system32\msmsgs.exe Found
C:\WINDOWS\system32\mstc.exe Found
C:\WINDOWS\system32\msupdate.exe Found
C:\WINDOWS\system32\mswins.exe Found
C:\WINDOWS\system32\nordsys.exe Found
C:\WINDOWS\system32\ppl.exe Found
C:\WINDOWS\system32\remote.exe Found
C:\WINDOWS\system32\rundll.exe Found
C:\WINDOWS\system32\rx.exe Found
C:\WINDOWS\system32\scvhost32.exe Found
C:\WINDOWS\system32\se.exe Found
C:\WINDOWS\system32\server.exe Found
C:\WINDOWS\system32\svchost32.exe Found
C:\WINDOWS\system32\svhost.exe Found
C:\WINDOWS\system32\svshost.exe Found
C:\WINDOWS\system32\sys.exe Found
C:\WINDOWS\system32\taskgmr.exe Found
C:\WINDOWS\system32\update.exe Found
C:\WINDOWS\system32\wgareg.exe Found
C:\WINDOWS\system32\wgavm.exe Found
C:\WINDOWS\system32\win32.exe Found
C:\WINDOWS\system32\windll.exe Found
C:\WINDOWS\system32\windowz.exe Found
C:\WINDOWS\system32\winhost.exe Found
C:\WINDOWS\system32\winsvc.exe Found
C:\WINDOWS\system32\winsys32.exe Found
C:\WINDOWS\system32\winupd.exe Found
C:\WINDOWS\system32\winxp.exe Found
C:\WINDOWS\system32\zlbw.dll Found
C:\WINDOWS\userconfig9x.dll Found
C:\WINDOWS\voiceip.dll Found
C:\WINDOWS\winlogon.exe Found
C:\WINDOWS\winserv.exe Found
C:\WINDOWS\xpupdate.exe Found
C:\WINDOWS\system32\wincom32.sys Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 27 Nov 2006 211 A.SHR --- "C:\BOOT.BAK"
Thu 5 Jun 2008 274 ...HR --- "C:\Program Files\adwareremovergold.com"
Thu 5 Jun 2008 274 ...HR --- "C:\Program Files\bulletproofsoft.com"
Thu 5 Jun 2008 236 ...HR --- "C:\Program Files\dealhelper.com inc"
Thu 5 Jun 2008 228 ...HR --- "C:\Program Files\gator.com"
Thu 5 Jun 2008 274 ...HR --- "C:\Program Files\malwaresweeper.com"
Thu 5 Jun 2008 274 ...HR --- "C:\Program Files\pcprivacysoftware.com"
Fri 19 Nov 2004 54,872 A..H. --- "C:\Program Files\America Online 9.0\AOLphx.exe"
Fri 19 Nov 2004 31,832 A..H. --- "C:\Program Files\America Online 9.0\rbm.exe"
Tue 12 Jul 2005 54,872 A..H. --- "C:\Program Files\America Online 9.0a\AOLphx.exe"
Tue 12 Jul 2005 31,832 A..H. --- "C:\Program Files\America Online 9.0a\rbm.exe"
Sun 21 Oct 2007 72,704 ..SHR --- "C:\Program Files\Malware Immunizer\MI.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 28 Nov 2006 22 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Tue 25 Sep 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 25 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 19 Sep 2005 788,568 A..H. --- "C:\Program Files\Online Services\Canada\KOL\client.exe"
Wed 17 Aug 2005 13,459,528 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\nsb-install-8-0.exe"
Wed 17 Aug 2005 233,472 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\webutil8.exe"
Wed 17 Aug 2005 389,120 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\WinsockFix.exe"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT2.tmp"
Wed 14 Dec 2005 200,704 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\ACST4.DLL"
Tue 22 Nov 2005 81,920 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\AOLFIREWALLMGR.DLL"
Tue 22 Nov 2005 73,728 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\AOLINSTALLERFW.DLL"
Wed 14 Dec 2005 88,064 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\INSTPH.DLL"
Wed 14 Dec 2005 200,704 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\ACST4.DLL"
Tue 22 Nov 2005 81,920 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\AOLFIREWALLMGR.DLL"
Tue 22 Nov 2005 73,728 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\AOLINSTALLERFW.DLL"
Wed 14 Dec 2005 88,064 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\INSTPH.DLL"
Thu 1 Nov 2007 10,186 A.SH. --- "C:\Documents and Settings\Kelly\Application Data\Roxio\Dragon\DiscInfoCache\TSSTcorp_CD_DVDW_TS-H652L_0603_300_DICV018_DRGV2050108.TMP"
Sat 21 Jun 2008 2,146 A.SH. --- "C:\Documents and Settings\Kelly\Application Data\Roxio\Dragon\DiscInfoCache\TSSTcorp_CD_DVDW_TS-H652L_0603_000_DICV018_DRGV2050108.TMP"
Mon 19 Sep 2005 77,824 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\AcsInstN.dll"
Mon 19 Sep 2005 6,961,146 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\acsnet.zip"
Mon 19 Sep 2005 3,058,888 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\acssetup.exe"
Mon 19 Sep 2005 307,289 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\asp\aspcheck.dll"
Mon 19 Sep 2005 7,083,361 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\asp\aspsetup.exe"
Wed 21 Sep 2005 1,960,296 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\autoit\autoit-v3.zip"
Mon 19 Sep 2005 550,488 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\deskbar\deskbr.exe"
Mon 19 Sep 2005 553,984 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\flash\FlashAX.exe"
Mon 19 Sep 2005 2,242,759 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\fw\nisale.exe"
Mon 19 Sep 2005 24,064 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\fw\NISChk.dll"
Mon 19 Sep 2005 57,344 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpchk.dll"
Mon 19 Sep 2005 748,728 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpinst.exe"
Mon 19 Sep 2005 7,515,304 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\qt\qt.exe"
Mon 19 Sep 2005 86,016 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\qt\QTInsInf.dll"
Mon 19 Sep 2005 45,056 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\RealChk.dll"
Mon 19 Sep 2005 5,111,296 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\RealPl8.EXE"
Mon 19 Sep 2005 4,378,673 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\real_upd.exe"
Mon 19 Sep 2005 360,448 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\rp9codec.exe"
Mon 19 Sep 2005 40,960 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SiNdInst.dll"
Mon 19 Sep 2005 473,736 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SinfInst.exe"
Mon 19 Sep 2005 12,288 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tb\tbinst.dll"
Mon 19 Sep 2005 516,032 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tb\tbsetup.exe"
Mon 19 Sep 2005 597,080 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\toolbar\toolbr.exe"
Mon 19 Sep 2005 590,688 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tpspd\TSsetup.exe"
Mon 19 Sep 2005 57,344 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tpspd\tsverchk.dll"
Mon 19 Sep 2005 49,152 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\AOLVPChk.dll"
Mon 19 Sep 2005 61,440 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\VPPrePop.exe"
Mon 19 Sep 2005 3,858,056 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\Vwpt.exe"

Finished!
  • 0

Advertisements

#71
kelkay
Posted 23 June 2008 - 04:43 PM

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:42:50, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\PROGRA~1\DrWeb\SpiderNT.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\PROGRA~1\DrWeb\spiderui.exe
C:\Program Files\DrWeb\spiderml.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - (no file)
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SpIDerNT] C:\PROGRA~1\DrWeb\spiderui.exe /agent
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpIDerMail] "C:\Program Files\DrWeb\spiderml.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....030/CTSUEng.cab
O16 - DPF: {127CE7BA-AD89-4108-A913-C52EFC037C36} (OMN Player Support) - http://kdx.omn.org/s...ayerSupport.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2776DDE9-D4B2-4BF7-9F98-ADC1A1B80AF5} (OMN Media Publisher) - http://kdx.omn.org/s...iaPublisher.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave...h2.1.0.0.67.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1165348971449
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://kdx.omn.org/s...ery/omn/kdx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15030/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\SpiderNT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10895 bytes
  • 0

#72
kelkay
Posted 23 June 2008 - 04:44 PM

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
C:\Program Files\Online Services\Canada\KOL\comps


As far as these Canada/KOL files.....I have NO IDEA what they are. I haven't looked over the rest. I will do your next step.
  • 0

#73
kelkay
Posted 23 June 2008 - 05:14 PM

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
SmitFraudFix v2.328

Scan done at 18:05:01.71, Mon 06/23/2008
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

Problem while deleting C:\winstall.exe
Problem while deleting C:\WINDOWS\ads.js
Problem while deleting C:\WINDOWS\avpcc.dll
Problem while deleting C:\WINDOWS\BTGrab.dll
Problem while deleting C:\WINDOWS\dlmax.dll
Problem while deleting C:\WINDOWS\iexplorer.exe
Problem while deleting C:\WINDOWS\olehelp.exe
Problem while deleting C:\WINDOWS\Pynix.dll
Problem while deleting C:\WINDOWS\svchost.exe
Problem while deleting C:\WINDOWS\xpupdate.exe
Problem while deleting C:\WINDOWS\ZServ.dll
Problem while deleting C:\WINDOWS\system32\a.exe
Problem while deleting C:\WINDOWS\system32\anti_troj.exe
Problem while deleting C:\WINDOWS\system32\bridge.dll
Problem while deleting C:\WINDOWS\system32\dcomcfg.exe
Problem while deleting C:\WINDOWS\system32\dfrgsrv.exe
Problem while deleting C:\WINDOWS\system32\dxmpp.dll
Problem while deleting C:\WINDOWS\system32\ginuerep.dll
Problem while deleting C:\WINDOWS\system32\higehsg.dll
Problem while deleting C:\WINDOWS\system32\intmon.exe
Problem while deleting C:\WINDOWS\system32\ishost.exe
Problem while deleting C:\WINDOWS\system32\ismon.exe
Problem while deleting C:\WINDOWS\system32\isnotify.exe
Problem while deleting C:\WINDOWS\system32\issearch.exe
Problem while deleting C:\WINDOWS\system32\msbe.dll
Problem while deleting C:\WINDOWS\system32\mscornet.exe
Problem while deleting C:\WINDOWS\system32\mssearchnet.exe
Problem while deleting C:\WINDOWS\system32\msmsgs.exe
Problem while deleting C:\WINDOWS\system32\MTC.dll
Problem while deleting C:\WINDOWS\system32\nvctrl.exe
Problem while deleting C:\WINDOWS\system32\nuclabdll.dll
Problem while deleting C:\WINDOWS\system32\nvms.dll
Problem while deleting C:\WINDOWS\system32\regperf.exe
Problem while deleting C:\WINDOWS\system32\replmap.dll
Problem while deleting C:\WINDOWS\system32\shnlog.exe
Problem while deleting C:\WINDOWS\system32\twain32.dll
Problem while deleting C:\WINDOWS\system32\wiatwain.dll
Problem while deleting C:\WINDOWS\system32\xkrdk.dll
Problem while deleting C:\WINDOWS\system32\zlbw.dll
Problem while deleting C:\Program Files\Accoona\
Problem while deleting C:\Program Files\eMedia Codec\
C:\Program Files\PSGuard\ Deleted
C:\Program Files\Security IGuard\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS2\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS3\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BC66573B-7393-429F-9833-129CDC3EBDFC}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Reboot

Problem while deleting C:\winstall.exe
Problem while deleting C:\WINDOWS\BTGrab.dll
Problem while deleting C:\WINDOWS\dlmax.dll
Problem while deleting C:\WINDOWS\iexplorer.exe
Problem while deleting C:\WINDOWS\Pynix.dll
Problem while deleting C:\WINDOWS\ZServ.dll
Problem while deleting C:\WINDOWS\system32\bridge.dll
Problem while deleting C:\WINDOWS\system32\dcomcfg.exe
Problem while deleting C:\WINDOWS\system32\dfrgsrv.exe
Problem while deleting C:\WINDOWS\system32\dxmpp.dll
Problem while deleting C:\WINDOWS\system32\ginuerep.dll
Problem while deleting C:\WINDOWS\system32\higehsg.dll
Problem while deleting C:\WINDOWS\system32\ishost.exe
Problem while deleting C:\WINDOWS\system32\ismon.exe
Problem while deleting C:\WINDOWS\system32\isnotify.exe
Problem while deleting C:\WINDOWS\system32\issearch.exe
Problem while deleting C:\WINDOWS\system32\mscornet.exe
Problem while deleting C:\WINDOWS\system32\mssearchnet.exe
Problem while deleting C:\WINDOWS\system32\nvctrl.exe
Problem while deleting C:\WINDOWS\system32\regperf.exe
Problem while deleting C:\WINDOWS\system32\replmap.dll
Problem while deleting C:\WINDOWS\system32\twain32.dll
Problem while deleting C:\WINDOWS\system32\wiatwain.dll
Problem while deleting C:\WINDOWS\system32\xkrdk.dll
Problem while deleting C:\WINDOWS\system32\zlbw.dll
Problem while deleting C:\Program Files\Accoona
Problem while deleting C:\Program Files\eMedia Codec


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#74
kelkay
Posted 23 June 2008 - 05:17 PM

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
There's no guarantee that you won't be infected again.
But, there are steps you might take to limit the chances.
Malware attacks at different fronts, making sure your defense are up on those areas will surely minimize the occurrence.
[/quote]

Yes I am quite aware of that, it has happened a few times now. I have taken all the precautions possible I believe. Thank you.
I don't know what I would do without nice helpful people like you. That makes these things a little more bearable. :)
  • 0

#75
kelkay
Posted 23 June 2008 - 05:18 PM

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:18:05, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\PROGRA~1\DrWeb\SpiderNT.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\PROGRA~1\DrWeb\spiderui.exe
C:\Program Files\DrWeb\spiderml.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - (no file)
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SpIDerNT] C:\PROGRA~1\DrWeb\spiderui.exe /agent
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpIDerMail] "C:\Program Files\DrWeb\spiderml.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....030/CTSUEng.cab
O16 - DPF: {127CE7BA-AD89-4108-A913-C52EFC037C36} (OMN Player Support) - http://kdx.omn.org/s...ayerSupport.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2776DDE9-D4B2-4BF7-9F98-ADC1A1B80AF5} (OMN Media Publisher) - http://kdx.omn.org/s...iaPublisher.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave...h2.1.0.0.67.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1165348971449
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://kdx.omn.org/s...ery/omn/kdx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15030/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\SpiderNT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10815 bytes
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP