Remove Trojans


Recommended Posts

Hi,

I'm getting messages about having spyware when I start ie. the first one is a message box telling me I have W32.Myzor.FK@yf and wanting me to buyt he removal tool. then I get a ballon saying it found Trojan-Spy.Win32@mx and wanting me to buy he removal tool, Help!

Thanks

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:36:14 PM, on 12/15/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Video Add-on\icthis.exe

C:\Program Files\Video Add-on\isfmntr.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\zHotkey.exe

C:\Program Files\Video Add-on\isfmm.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

H:\My Music\iTunes\iTunesHelper.exe

D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Program Files\QUICKEN2007\QWDLLS.EXE

D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\svchost.exe

D:\Backup\Down Load\HJTInstall.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {69B98C68-D2B8-4A4E-9CB7-E85B6F3A7014} - C:\Program Files\Video Add-on\isfmdl.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O3 - Toolbar: IE Custom Tools - {F2BADA0D-FD61-45EF-A994-64A073FD6613} - C:\Program Files\Video Add-on\ictmdl.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "H:\My Music\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe

O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKEN2007\BILLMIND.EXE

O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKEN2007\QWDLLS.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)

O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196101136996

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 7052 bytes

Link to post
Share on other sites

Hello and Welcome to BT. :)

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

Link to post
Share on other sites
SmitfraudFix (by S!Ri) to your Desktop.

Thanks for helping MoNsTeR!

When I click on...

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

I get 'Internet explorer cannot display webpage.'

I tried http://siri.urz.free.fr and clicked on smitfraudfix, same result.

Edit: BTW it has also hijaked my homepage to http://iesecurepages.com/redirect.php

Edit II: I ran ms malicious software removal tool from http://www.microsoft.com/security/malwareremove/default.mspx

That seems to have gotten rid of the messages (and the hijack).

I re ran hjt, here's the log

Regards

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:03:16 AM, on 12/16/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\zHotkey.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

H:\My Music\iTunes\iTunesHelper.exe

D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Program Files\QUICKEN2007\QWDLLS.EXE

D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\svchost.exe

D:\Backup\Down Load\HJTInstall.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "H:\My Music\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKEN2007\BILLMIND.EXE

O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKEN2007\QWDLLS.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)

O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196101136996

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 6500 bytes

Edited by pudgmo
Link to post
Share on other sites

Hello,

If you have a differnent browser installed, try downloading it through it.

If not try the following, then retry the download.

Download the HostsXpert 4.2 - Hosts File Manager.

  • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
  • Run HostsXpert 4.2 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Link to post
Share on other sites

Thanks,

I ran HostsXpert with all the steps. Same result with smitfraudfix. I also tried it with firefox.

Edit: I shutdown zone alarm and got smitfraudfix, here's the log.

SmitFraudFix v2.269

Scan done at 12:50:19.92, Sun 12/16/2007

Run from C:\Program Files\Mozilla Firefox\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\zHotkey.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

H:\My Music\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Program Files\QUICKEN2007\QWDLLS.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\wowlze.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !

C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Helper\ FOUND !

C:\Program Files\Video Add-on\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

!!!Attention, following keys are not inevitably infected!!!

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport

DNS Server Search Order: 192.168.0.1

DNS Server Search Order: 205.171.3.65

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2D3F4D4E-306E-47F7-806B-7A969424972C}: DhcpNameServer=192.168.0.1 205.171.3.65

HKLM\SYSTEM\CS1\Services\Tcpip\..\{2D3F4D4E-306E-47F7-806B-7A969424972C}: DhcpNameServer=192.168.0.1 205.171.3.65

HKLM\SYSTEM\CS2\Services\Tcpip\..\{2D3F4D4E-306E-47F7-806B-7A969424972C}: DhcpNameServer=192.168.0.1 205.171.3.65

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Edited by pudgmo
Link to post
Share on other sites

Glad you got it to work!

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Link to post
Share on other sites

Thanks!

I followed the steps, it didn't ask to replace wininet.dll, it did launch disk cleanup 2X's??? Also it did remove my desktop background. here are the results from rapport.txt...

SmitFraudFix v2.269

Scan done at 7:05:46.31, Tue 12/18/2007

Run from C:\Documents and Settings\Owner\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\wowlze.dll Deleted

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted

C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

C:\Program Files\Helper\ Deleted

C:\Program Files\Video Add-on\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2D3F4D4E-306E-47F7-806B-7A969424972C}: DhcpNameServer=192.168.0.1 205.171.3.65

HKLM\SYSTEM\CS1\Services\Tcpip\..\{2D3F4D4E-306E-47F7-806B-7A969424972C}: DhcpNameServer=192.168.0.1 205.171.3.65

HKLM\SYSTEM\CS2\Services\Tcpip\..\{2D3F4D4E-306E-47F7-806B-7A969424972C}: DhcpNameServer=192.168.0.1 205.171.3.65

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Link to post
Share on other sites

Hey,

Please download Deckard's System Scanner (DSS) to your desktop.

  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open - Main.txt
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread in the HijackThis Log Help Forum.
  • An additional text file, Extra.txt,will also be available (by default) in the following FOLDER, C:\Deckard\System Scanner.
  • Please go to that folder and also copy the contents of Extra.txt to your post as well.

Note: Some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

Link to post
Share on other sites

Main.txt:

Deckard's System Scanner v20071014.68

Run by Owner on 2007-12-20 17:25:07

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --

67: 2007-12-20 23:25:11 UTC - RP103 - Deckard's System Scanner Restore Point

66: 2007-12-20 16:19:21 UTC - RP102 - System Checkpoint

65: 2007-12-19 15:19:22 UTC - RP101 - System Checkpoint

64: 2007-12-18 14:41:51 UTC - RP100 - System Checkpoint

63: 2007-12-16 22:14:14 UTC - RP99 - System Checkpoint

-- First Restore Point --

1: 2007-09-22 00:15:46 UTC - RP37 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:26:27 PM, on 12/20/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\zHotkey.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

H:\My Music\iTunes\iTunesHelper.exe

D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Program Files\QUICKEN2007\QWDLLS.EXE

D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

D:\Backup\Down Load\dss.exe

D:\Backup\DOWNLO~1\Owner.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "H:\My Music\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKEN2007\BILLMIND.EXE

O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKEN2007\QWDLLS.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196101136996

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 5729 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PQV2i - c:\windows\system32\drivers\pqv2i.sys <Not Verified; StorageCraft; V2i Protector>

R1 PQIMount - c:\windows\system32\drivers\pqimount.sys <Not Verified; PowerQuest Corporation; V2i Protector>

R3 SunkFilt (Alcor Micro Corp Reader) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-12-14 09:40:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-11-20 and 2007-12-20 -----------------------------

2007-12-18 07:05:03 0 d-------- C:\Documents and Settings\Owner\SmitfraudFix

2007-12-16 12:50:23 3712 --a------ C:\WINDOWS\system32\tmp.reg

2007-12-16 12:48:10 1125659 --a------ C:\SmitfraudFix.exe

2007-12-16 12:41:15 0 d-------- C:\HostsXpert

2007-12-16 12:34:53 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla

2007-12-15 11:41:23 0 d-------- C:\Program Files\WinSpyKiller

2007-11-30 18:53:15 0 d-------- C:\Documents and Settings\Owner\Application Data\iWin

2007-11-30 18:25:00 0 d-------- C:\Program Files\Alawar

2007-11-29 08:11:53 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

2007-11-29 07:25:04 0 d-------- C:\sj700

2007-11-29 07:19:51 53248 --a------ C:\WINDOWS\system32\hpsjusd.dll <Not Verified; Hewlett-Packard Company; Hewlett-Packard Hpsjusd>

2007-11-29 07:19:51 32768 --a------ C:\WINDOWS\system32\hpsjrreg.exe <Not Verified; Hewlett-Packard; HPSJRREG Application>

2007-11-29 07:19:43 0 d-------- C:\sj653

2007-11-29 07:19:20 0 d-------- C:\sj407

2007-11-29 07:11:50 1080 --a------ C:\WINDOWS\AUTOLNCH.REG

2007-11-29 07:11:48 350208 --a------ C:\WINDOWS\system32\ltkrn70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>

2007-11-29 07:11:48 55296 --a------ C:\WINDOWS\system32\ltfil70n.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>

2007-11-29 07:11:48 93184 --a------ C:\WINDOWS\system32\lftif70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>

2007-11-29 07:11:48 111104 --a------ C:\WINDOWS\system32\lfpng70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>

2007-11-29 07:11:48 24576 --a------ C:\WINDOWS\system32\lfpcx70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>

2007-11-29 07:11:48 95232 --a------ C:\WINDOWS\system32\Lfkodak.dll

2007-11-29 07:11:48 32768 --a------ C:\WINDOWS\system32\lfgif70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>

2007-11-29 07:11:48 35328 --a------ C:\WINDOWS\system32\lffpx70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>

2007-11-29 07:11:48 306688 --a------ C:\WINDOWS\system32\Lffpx7.dll <Not Verified; ; Reference Implementation>

2007-11-29 07:11:48 55808 --a------ C:\WINDOWS\system32\lffax70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>

2007-11-29 07:11:48 224768 --a------ C:\WINDOWS\system32\LFCMP70n.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>

2007-11-29 07:11:48 24576 --a------ C:\WINDOWS\system32\lfbmp70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>

2007-11-29 07:11:47 13824 --a------ C:\WINDOWS\system32\reg32.dll <Not Verified; Hewlett-Packard, GHC; Hewlett-Packard, GHC reg32>

2007-11-29 07:11:47 12288 --a------ C:\WINDOWS\system32\hpsmui.dll <Not Verified; Hewlett-Packard; HPSCNMGR Dynamic Link Library>

2007-11-29 07:11:47 16384 --a------ C:\WINDOWS\system32\hpsj32.dll <Not Verified; Hewlett-Packard Company; HP ScanJet Scanners>

2007-11-29 07:11:47 928 --a------ C:\WINDOWS\system32\hpsj1695.dll

2007-11-29 07:11:47 417792 --a------ C:\WINDOWS\system32\hpscntst.dll <Not Verified; Hewlett-Packard; HP ScanJet Scanner Test>

2007-11-29 07:11:47 245760 --a------ C:\WINDOWS\system32\hpscnmgr.dll <Not Verified; Hewlett-Packard; HPSCNMGR Dynamic Link Library>

2007-11-29 07:11:46 669696 --a------ C:\WINDOWS\system32\ipeistor11.dll <Not Verified; Hewlett-Packard Company; IPEISTOR Dynamic Link Library>

2007-11-29 07:11:45 325120 --a------ C:\WINDOWS\system32\ipebase11.dll <Not Verified; Hewlett-Packard Company; IPEBASE Dynamic Link Library>

2007-11-29 07:11:45 66560 --a------ C:\WINDOWS\system32\ipeapi11.dll <Not Verified; Hewlett-Packard Company; IPEAPI Dynamic Link Library>

2007-11-29 07:11:37 0 d-------- C:\SCANJET

2007-11-29 07:11:25 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>

2007-11-29 07:11:08 0 d-------- C:\sj398

2007-11-29 06:06:46 0 d-------- C:\sj404to

2007-11-27 06:08:05 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

2007-11-23 11:26:17 0 d-------- C:\Program Files\QuickTime

-- Find3M Report ---------------------------------------------------------------

2007-12-19 23:51:01 16 --a------ C:\WINDOWS\popcinfo.dat

2007-12-19 23:39:47 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat

2007-12-15 16:12:42 0 d-------- C:\Program Files\Google

2007-11-29 08:16:59 0 d-------- C:\Documents and Settings\Owner\Application Data\MailFrontier

2007-11-24 11:31:05 512 --a------ C:\ScanSectorLog.dat

2007-11-23 11:29:32 0 d-------- C:\Program Files\iPod

2007-10-23 05:47:17 0 d-------- C:\Program Files\Java

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 12:04 PM]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]

"CHotkey"="zHotkey.exe" [05/17/2004 07:30 PM C:\WINDOWS\zHotkey.exe]

"ShowWnd"="ShowWnd.exe" [09/19/2003 10:09 AM C:\WINDOWS\ShowWnd.exe]

"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [11/15/2004 04:04 PM]

"@"="" []

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/17/2005 10:05 PM]

"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 09:24 PM]

"SoundMan"="SOUNDMAN.EXE" [12/01/2004 05:54 PM C:\WINDOWS\SOUNDMAN.EXE]

"Norton Ghost 9.0"="C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe" [11/10/2004 10:03 AM]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/14/2007 11:43 PM]

"iTunesHelper"="H:\My Music\iTunes\iTunesHelper.exe" [11/15/2007 01:11 PM]

"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

"hpsjbmgr"="C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe" []

"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 04:05 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 10:24 AM]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 01:00 PM]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [11/22/2004 04:18 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [10/9/2007 4:14:36 PM]

Billminder.lnk - D:\Program Files\QUICKEN2007\BILLMIND.EXE [9/1/2007 11:52:49 AM]

Quicken Startup.lnk - D:\Program Files\QUICKEN2007\QWDLLS.EXE [9/1/2007 11:52:54 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38ca64f9-5a93-11dc-b56e-0013d32d4d40}]

AutoRun\command- M:\LaunchU3.exe -a

-- End of Deckard's System Scanner: finished at 2007-12-20 17:27:06 ------------

extra.txt

Deckard's System Scanner v20071014.68

Extra logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0

Architecture: X86; Language: English

CPU 0: AMD Athlon 64 Processor 3400+

Percentage of Memory in Use: 50%

Physical Memory (total/avail): 894.48 MiB / 445.64 MiB

Pagefile Memory (total/avail): 2166.25 MiB / 1758.3 MiB

Virtual Memory (total/avail): 2047.88 MiB / 1919.31 MiB

C: is Fixed (NTFS) - 182.1 GiB total, 92.81 GiB free.

D: is Fixed (FAT32) - 18.67 GiB total, 15.48 GiB free.

E: is Fixed (FAT32) - 4.2 GiB total, 1.01 GiB free.

F: is CDROM (No Media)

G: is CDROM (No Media)

H: is Fixed (FAT32) - 153.35 GiB total, 79.37 GiB free.

I: is Removable (No Media)

J: is Removable (No Media)

K: is Removable (No Media)

L: is Removable (No Media)

\\.\PHYSICALDRIVE1 - SAMSUNG SV2001H - 18.68 GiB - 1 partition

\PARTITION0 (bootable) - Unknown - 18.68 GiB - D:

\\.\PHYSICALDRIVE0 - ST3200021A - 186.31 GiB - 2 partitions

\PARTITION0 (bootable) - Installable File System - 182.1 GiB - C:

\PARTITION1 - Unknown - 4.21 GiB - E:

\\.\PHYSICALDRIVE3 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE5 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE2 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB SM Reader USB Device

\\.\PHYSICALDRIVE6 - HDS72251 6VLAT20 USB Device - 153.38 GiB - 1 partition

\PARTITION0 (bootable) - Unknown - 153.38 GiB - H:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.

Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Security Suite Firewall v7.0.462.000 (Check Point, LTD.)

AV: ZoneAlarm Security Suite Antivirus v7.0.462.000 (Check Point, LTD.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"H:\\My Music\\iTunes\\iTunes.exe"="H:\\My Music\\iTunes\\iTunes.exe:*:Enabled:iTunes"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Owner\Application Data

CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip

CLIENTNAME=Console

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=600539OO9

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Owner

LOGONSERVER=\\600539OO9

NUMBER_OF_PROCESSORS=1

OS=Windows_NT

Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;"D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier";C:\Program Files\QuickTime\QTSystem\

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 0, AuthenticAMD

PROCESSOR_LEVEL=15

PROCESSOR_REVISION=2c00

ProgramFiles=C:\Program Files

PROMPT=$P$G

QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip

SESSIONNAME=Console

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp

TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp

tvdumpflags=8

USERDOMAIN=600539OO9

USERNAME=Owner

USERPROFILE=C:\Documents and Settings\Owner

windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Owner (admin)

Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"

Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7646-A70000000000}

Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}

Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}

ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe

ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"

ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean

Canon PhotoRecord --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PhotoRecord\Uninst.isu" -c"C:\Program Files\Canon\PhotoRecord\Program\uninstdll.dll"

Canon PowerShot A40 WIA Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PowerShot A40 WIA\Uninst.isu" -c"C:\Program Files\Canon\PowerShot A40 WIA\UNSTD113.dll"

Canon Utilities PhotoStitch 3.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PhotoStitch\Uninst.isu"

Canon Utilities RAW Image Converter --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\RAW Image Converter\Uninst.isu"

Canon Utilities RemoteCapture 2.2 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\RemoteCapture\Uninst.isu"

Canon Utilities ZoomBrowser EX --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\ZoomBrowser EX\Uninst.isu" -c"C:\Program Files\Canon\ZoomBrowser EX\Program\uninstallutilities.dll"

Citrix Presentation Server Client --> MsiExec.exe /I{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}

Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}

HijackThis 2.0.2 --> "D:\Backup\Down Load\HijackThis.exe" /uninstall

HP PrecisionScan LT Software --> C:\SCANJET\PrecisionScanLT\uninstal.exe C:\SCANJET\PrecisionScanLT\uninstal.cfg

iPod for Windows 2005-10-12 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D9F4A9F8-92C5-4289-9D04-F0F8F02D580A} /l1033

iTunes --> MsiExec.exe /I{4F5CE18C-D97D-48FF-A510-A0D90C918294}

J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}

Java 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}

Java 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}

LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U

Microsoft Links LS 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft Games\Links LS 2000\Uninst.isu"

Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}

Microsoft Picture It! Premium 10 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=PREM

Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}

Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe

Multimedia Keyboard Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF262740-C85A-11D5-BBEC-00D0B740900A}\Setup.exe" -l0x9

MultiMedia Software --> C:\Program Files\Video Add-on\uninst.exe

Napster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\Setup.exe" -l0x9

Napster Burn Engine --> MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}

Nero BurnRights --> C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL

Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL

Norton Ghost 9.0 --> MsiExec.exe /X{3C759736-8347-4031-BB9C-D75ADFE6B101}

PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall

Quicken 2002 Basic --> C:\WINDOWS\IsUninst.exe -f"D:\Program Files\QUICKEN2007\Uninst.isu" -c"D:\Program Files\QUICKEN2007\uninst.dll"

QuickTime --> MsiExec.exe /I{9763E36A-08E9-4228-BBCE-12989A4EB1A8}

RealArcade --> C:\Program Files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2

Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE

Recovery Software Suite eMachines --> MsiExec.exe /I{15377C3E-9655-400F-B441-E69F0A6BEAFE}

Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}

Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}

SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IURSLST5K.inf

Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}

Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369) -->

Windows XP Media Center Edition 2005 KB890629 -->

Windows XP Media Center Edition 2005 KB890760 -->

Windows XP Media Center Edition 2005 KB895198 -->

Windows XP Media Center Edition 2005 KB895678 -->

ZoneAlarm Security Suite --> D:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type379 / Error

Event Submitted/Written: 12/16/2007 06:47:05 AM

Event ID/Source: 1001 / Application Error

Event Description:

Fault bucket 00000009.

The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type378 / Error

Event Submitted/Written: 12/16/2007 06:47:00 AM

Event ID/Source: 1000 / Application Error

Event Description:

Faulting application iexplore.exe, version 7.0.6000.16574, faulting module mscorie.dll, version 1.1.4322.2407, fault address 0x00005c80.

Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type349 / Error

Event Submitted/Written: 12/09/2007 11:11:02 AM

Event ID/Source: 1002 / Application Hang

Event Description:

Hanging application JewelQuest.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type348 / Error

Event Submitted/Written: 12/09/2007 11:10:52 AM

Event ID/Source: 1001 / Application Hang

Event Description:

Fault bucket 110758212.

Event Record #/Type347 / Error

Event Submitted/Written: 12/09/2007 11:10:43 AM

Event ID/Source: 1001 / Application Hang

Event Description:

Fault bucket 110758212.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type2397 / Warning

Event Submitted/Written: 12/18/2007 09:57:35 PM

Event ID/Source: 36 / W32Time

Event Description:

The time service has not been able to synchronize the system time

for 49152 seconds because none of the time providers has been able to

provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type2374 / Error

Event Submitted/Written: 12/18/2007 07:15:52 AM

Event ID/Source: 7000 / Service Control Manager

Event Description:

The ASPI32 service failed to start due to the following error:

%%2

Event Record #/Type2370 / Error

Event Submitted/Written: 12/18/2007 07:14:19 AM

Event ID/Source: 10005 / DCOM

Event Description:

DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""

in order to run the server:

{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type2369 / Error

Event Submitted/Written: 12/18/2007 07:06:36 AM

Event ID/Source: 10005 / DCOM

Event Description:

DCOM got error "%%1084" attempting to start the service netman with arguments ""

in order to run the server:

{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type2368 / Error

Event Submitted/Written: 12/18/2007 07:06:34 AM

Event ID/Source: 10005 / DCOM

Event Description:

DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""

in order to run the server:

{A1F4E726-8CF1-11D1-BF92-0060081ED811}

-- End of Deckard's System Scanner: finished at 2007-12-20 17:27:06 ------------

Thanks again!

Link to post
Share on other sites

Hi,

I will be handling your log now that MoNsTeReNeRgY22 is on vacation. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.

You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time.

Please dont use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition that it is when infected) if used incorrectly.

These instuctions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat. :)

Link to post
Share on other sites

Hi, Sorry it took so long. I'm showing hidden and system files...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:15:01 AM, on 12/25/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\zHotkey.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

H:\My Music\iTunes\iTunesHelper.exe

D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Program Files\QUICKEN2007\QWDLLS.EXE

D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

D:\Backup\Down Load\HJTInstall.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "H:\My Music\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKEN2007\BILLMIND.EXE

O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKEN2007\QWDLLS.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196101136996

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 5753 bytes

Link to post
Share on other sites

Download ComboFix from Here or Here to your Desktop.

  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Link to post
Share on other sites

That did it...

ComboFix 07-12-21.4 - Owner 2007-12-27 18:53:37.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.474 [GMT -6:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

E:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))

.

2007-12-20 17:24 . 2007-12-20 17:24 <DIR> d-------- C:\Deckard

2007-12-18 07:05 . 2007-12-18 07:06 <DIR> d-------- C:\Documents and Settings\Owner\SmitfraudFix

2007-12-16 12:50 . 2007-12-18 07:05 3,712 --a------ C:\WINDOWS\system32\tmp.reg

2007-12-16 12:48 . 2007-12-16 12:49 1,125,659 --a------ C:\SmitfraudFix.exe

2007-12-16 12:41 . 2007-12-16 12:41 <DIR> d-------- C:\HostsXpert

2007-12-15 11:41 . 2007-12-15 16:10 <DIR> d-------- C:\Program Files\WinSpyKiller

2007-11-30 18:53 . 2007-11-30 18:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iWin

2007-11-30 18:25 . 2007-12-15 16:08 <DIR> d-------- C:\Program Files\Alawar

2007-11-29 08:11 . 2007-12-02 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

2007-11-29 07:25 . 2007-11-29 07:25 <DIR> d-------- C:\sj700

2007-11-29 07:19 . 2007-11-29 07:22 <DIR> d-------- C:\sj653

2007-11-29 07:19 . 2007-11-29 07:19 <DIR> d-------- C:\sj407

2007-11-29 07:19 . 2001-10-16 10:20 53,248 --a------ C:\WINDOWS\system32\hpsjusd.dll

2007-11-29 07:19 . 2001-10-16 10:20 32,768 --a------ C:\WINDOWS\system32\hpsjrreg.exe

2007-11-29 07:17 . 2007-12-26 14:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2007-11-29 07:17 . 2007-11-29 07:17 1,409 --a------ C:\WINDOWS\QTFont.for

2007-11-29 06:06 . 2007-11-29 06:06 <DIR> d-------- C:\sj404to

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-28 00:56 7,363,360 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2007-12-26 20:26 99,308 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2007-12-15 22:12 --------- d-----w C:\Program Files\Google

2007-11-29 14:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\MailFrontier

2007-11-27 12:08 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2

2007-11-26 12:47 17,393,684 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_11_25_22_03_50_full.dmp.zip

2007-11-26 12:46 2,217,469 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip

2007-11-26 12:46 17,139,898 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_11_25_22_03_37_full.dmp.zip

2007-11-24 17:31 512 ----a-w C:\ScanSectorLog.dat

2007-11-23 17:29 --------- d-----w C:\Program Files\iPod

2007-11-23 17:27 --------- d-----w C:\Program Files\QuickTime

2007-11-22 18:03 17,152,223 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_11_19_20_05_00_full.dmp.zip

2007-11-14 22:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe

2007-11-14 22:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-09-02 12:12 774,144 ----a-w C:\Program Files\RngInterstitial.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 16:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 12:04]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]

"CHotkey"="zHotkey.exe" [2004-05-17 19:30 C:\WINDOWS\zHotkey.exe]

"ShowWnd"="ShowWnd.exe" [2003-09-19 10:09 C:\WINDOWS\ShowWnd.exe]

"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 16:04]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-17 22:05]

"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24]

"SoundMan"="SOUNDMAN.EXE" [2004-12-01 17:54 C:\WINDOWS\SOUNDMAN.EXE]

"Norton Ghost 9.0"="C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-11-10 10:03]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]

"iTunesHelper"="H:\My Music\iTunes\iTunesHelper.exe" [2007-11-15 13:11]

"hpsjbmgr"="C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe" []

"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-09 16:14:36]

Billminder.lnk - D:\Program Files\QUICKEN2007\BILLMIND.EXE [2007-09-01 11:52:49]

Quicken Startup.lnk - D:\Program Files\QUICKEN2007\QWDLLS.EXE [2007-09-01 11:52:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-11-10 09:30]

R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-11-10 09:49]

R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38ca64f9-5a93-11dc-b56e-0013d32d4d40}]

\Shell\AutoRun\command - M:\LaunchU3.exe -a

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

"2007-12-21 15:40:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-27 18:56:41

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-12-27 18:57:36

.

2007-12-12 12:27:42 --- E O F ---

_____________________________________________________________________________

HJT log...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:00:14 PM, on 12/27/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\zHotkey.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

H:\My Music\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Program Files\QUICKEN2007\QWDLLS.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Real\RealArcade\RNArcade.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

D:\Backup\Down Load\HJTInstall.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "H:\My Music\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKEN2007\BILLMIND.EXE

O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKEN2007\QWDLLS.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196101136996

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 5637 bytes

Link to post
Share on other sites

1. Please open Notepad

  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

C:\WINDOWS\QTFont.qfn

C:\WINDOWS\QTFont.for

Folder::

C:\sj700

C:\sj653

C:\sj407

C:\sj404to

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

Please tell me how the computer is running.

Link to post
Share on other sites

The computer seems to be running fine now, Thanks!

ComboFix 07-12-21.4 - Owner 2007-12-29 6:44:45.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.489 [GMT -6:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

* Created a new restore point

FILE

C:\WINDOWS\QTFont.for

C:\WINDOWS\QTFont.qfn

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\sj404to

C:\sj404to\hpcd.sjp

C:\sj404to\setup.exe

C:\sj404to\usdsloc.dll

C:\sj407

C:\sj407\ipesrcs.src

C:\sj407\Setup.exe

C:\sj407\updatloc.dll

C:\sj653

C:\sj700

C:\sj700\hpcd.sjp

C:\sj700\HpGenUI.dll

C:\sj700\ppt8dll.dll

C:\sj700\Setup.exe

C:\sj700\updatloc.dll

C:\WINDOWS\QTFont.for

C:\WINDOWS\QTFont.qfn

.

((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))

.

2007-12-20 17:24 . 2007-12-20 17:24 <DIR> d-------- C:\Deckard

2007-12-18 07:05 . 2007-12-18 07:06 <DIR> d-------- C:\Documents and Settings\Owner\SmitfraudFix

2007-12-16 12:50 . 2007-12-18 07:05 3,712 --a------ C:\WINDOWS\system32\tmp.reg

2007-12-16 12:48 . 2007-12-16 12:49 1,125,659 --a------ C:\SmitfraudFix.exe

2007-12-16 12:41 . 2007-12-16 12:41 <DIR> d-------- C:\HostsXpert

2007-12-15 11:41 . 2007-12-15 16:10 <DIR> d-------- C:\Program Files\WinSpyKiller

2007-11-30 18:53 . 2007-11-30 18:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iWin

2007-11-30 18:25 . 2007-12-15 16:08 <DIR> d-------- C:\Program Files\Alawar

2007-11-29 08:11 . 2007-12-02 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

2007-11-29 07:19 . 2001-10-16 10:20 53,248 --a------ C:\WINDOWS\system32\hpsjusd.dll

2007-11-29 07:19 . 2001-10-16 10:20 32,768 --a------ C:\WINDOWS\system32\hpsjrreg.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-29 12:46 7,445,792 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2007-12-28 01:07 99,740 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2007-12-15 22:12 --------- d-----w C:\Program Files\Google

2007-11-29 14:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\MailFrontier

2007-11-27 12:08 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2

2007-11-26 12:47 17,393,684 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_11_25_22_03_50_full.dmp.zip

2007-11-26 12:46 2,217,469 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip

2007-11-26 12:46 17,139,898 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_11_25_22_03_37_full.dmp.zip

2007-11-24 17:31 512 ----a-w C:\ScanSectorLog.dat

2007-11-23 17:29 --------- d-----w C:\Program Files\iPod

2007-11-23 17:27 --------- d-----w C:\Program Files\QuickTime

2007-11-22 18:03 17,152,223 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_11_19_20_05_00_full.dmp.zip

2007-11-14 22:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe

2007-11-14 22:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-09-02 12:12 774,144 ----a-w C:\Program Files\RngInterstitial.dll

.

((((((((((((((((((((((((((((( snapshot@2007-12-27_18.56.54.76 )))))))))))))))))))))))))))))))))))))))))

.

- 2007-12-27 05:42:41 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat

+ 2007-12-29 07:07:24 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat

- 2007-12-28 00:51:18 389,688 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat

+ 2007-12-29 12:43:25 392,628 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat

- 2007-12-27 16:02:34 7,302,948 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat

+ 2007-12-29 10:00:39 7,361,875 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 16:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 12:04]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]

"CHotkey"="zHotkey.exe" [2004-05-17 19:30 C:\WINDOWS\zHotkey.exe]

"ShowWnd"="ShowWnd.exe" [2003-09-19 10:09 C:\WINDOWS\ShowWnd.exe]

"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 16:04]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-17 22:05]

"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24]

"SoundMan"="SOUNDMAN.EXE" [2004-12-01 17:54 C:\WINDOWS\SOUNDMAN.EXE]

"Norton Ghost 9.0"="C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-11-10 10:03]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]

"iTunesHelper"="H:\My Music\iTunes\iTunesHelper.exe" [2007-11-15 13:11]

"hpsjbmgr"="C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe" []

"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-09 16:14:36]

Billminder.lnk - D:\Program Files\QUICKEN2007\BILLMIND.EXE [2007-09-01 11:52:49]

Quicken Startup.lnk - D:\Program Files\QUICKEN2007\QWDLLS.EXE [2007-09-01 11:52:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-11-10 09:30]

R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-11-10 09:49]

R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38ca64f9-5a93-11dc-b56e-0013d32d4d40}]

\Shell\AutoRun\command - M:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

"2007-12-28 15:40:56 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-29 06:46:50

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-12-29 6:47:17

C:\ComboFix2.txt ... 2007-12-27 18:57

.

2007-12-12 12:27:42 --- E O F ---

-----------------------------------------------------------------------------------------------------

hjt log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:21:44 AM, on 12/29/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\zHotkey.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

H:\My Music\iTunes\iTunesHelper.exe

D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Program Files\QUICKEN2007\QWDLLS.EXE

D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

D:\Backup\Down Load\HJTInstall.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "H:\My Music\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKEN2007\BILLMIND.EXE

O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKEN2007\QWDLLS.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196101136996

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 5773 bytes

Link to post
Share on other sites

Hi,

Congratulations, your log is now clean. :thumbsup:

Time for some housekeeping

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    • CF_Cleanup.png

    [*] When shown the disclaimer, Select "2"

The above procedure will:

  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present

    [*] Reset the clock settings.

    [*] Hide file extensions, if required.

    [*] Hide System/Hidden files, if required.

    [*] Reset System Restore.

A well protected computer should have at least an Anti Virus and Firewall, an Anti Spyware is also great addition to your computers security. Here is a list of tools I like to recommend to people that will help ensure safe surfing on the internet, and to help you from getting infected again.

Note: DO NOT install more than one antivirus or Firewall program. They will conflict, and provide less protection, not more. Uninstall any existing Anti Virus\Firewall programs if you're going to install a new one.

Free Online Scans:

Free Active X and Java based online scans. You can use these scans from other companies and it will not interfere with your current Anti Virus. If you find that you are infected, post a Hijack This log in the forums.

Free Temp Cleaners:

Use these tools to clean temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. ATF cleaner recommended.

Free Firewall Downloads:

You must have a Firewall installed on your computer. This helps stop anything from leaving or entering your computer without your permission.

Free Anti Spyware Downloads:

An Antispyware is a great tool that can help remove infections along side your Anti Virus. Some include real time protection, scheduled scans and automatic definition updates.

Free Anti Virus Downloads:

A must have for all computers. Avast! recommended.

Other:

  • SpywareGuard
    Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd
    This tool puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • Memtest86
    Great memory testing software.
  • CPU-Z
    This application gives detailed information about your system in a nice layout
  • Speedfan
    Returns and monitors system temperatures.
  • Windows Updates
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

You can now Rehide your system files by using these instructions HERE

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read THIS article by Tony Klein.

If you have any other problems or questions be sure to ask. :)

Link to post
Share on other sites

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.