Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads

Resolved HJT Threads: resolved spyware and popup issues.
Old 10-11-2006, 12:58 PM   #1 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 11
OS: XP


Please help me! I have an HJT log. Bombarded by pop-ups....

Please help. My computer is a mess. I work from home online and have lost today's work. I don't know what to do... Here is my hjt log... Thanks so much...

Logfile of HijackThis v1.99.1
Scan saved at 12:43:39 PM, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\cmFj\command.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\v1201.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\jguawkhA.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\cfg32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\testtestt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsvv.exe
C:\Program Files\Common Files\{0706EF78-0959-1033-0829-030303180001}\Update.exe
C:\Program Files\PSDream\PSDream.exe
C:\Program Files\CMFibula\CMFibula.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\system32\taskdir.exe
C:\windows\system32\_mzu_stonedrv3.exe
C:\DOCUME~1\rac\LOCALS~1\Temp\1116384.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\jguawkh.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/re...c=1c02&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yipde.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jewhoei.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\wwgoqr.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [ms04950321178] C:\WINDOWS\ms04950321178.exe
O4 - HKLM\..\Run: [hqdqew] C:\WINDOWS\system32\iyyyey.exe reg_run
O4 - HKLM\..\Run: [jguawkhA] C:\WINDOWS\jguawkhA.exe
O4 - HKLM\..\Run: [ynba34fd] RUNDLL32.EXE w206b181.dll,n 005a34f800000003206b181
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\testtestt.exe
O4 - HKLM\..\Run: [txcvagf.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\txcvagf.dll,vvbpsi
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\testtestt.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\rac\LOCALS~1\Temp\113072.exe
O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\rac\LOCALS~1\Temp\1116384.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - Global Startup: hhipft.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {2516874A-8BF8-4FF9-865A-D7D5C67FFADE} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\tod32.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\sexotq.dll
O21 - SSODL: gcfoTi - {0706EF79-ADAC-45D3-A375-63424D197A8E} - C:\WINDOWS\system32\axql.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\cmFj\command.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\jguawkh.exe
hinemans is offline  
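For readers who want to triage a log like the one above rather than eyeball it, here is an added example (not code from the forum, from the poster, or from HijackThis itself): a small Python parser for the F2, O4, O20 and O23 line formats, with a few defender-side path heuristics over the entries it finds. The sample lines are copied from the log above plus two benign vendor entries for contrast; the function names (`parse_hjt`, `flag_suspicious`) and the heuristics are my own choices, not HijackThis features.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: lines copied from the HijackThis log posted above,
# plus two benign vendor entries (QuickTime, iPodService) for contrast.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yipde.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jewhoei.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [txcvagf.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\txcvagf.dll,vvbpsi
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\rac\LOCALS~1\Temp\1116384.exe
O4 - Global Startup: hhipft.exe
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\tod32.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\cmFj\command.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Entry:
    section: str                 # HJT section tag: F2, O4, O20, O23, ...
    name: str                    # registry value name, service name, or ini key
    command: str                 # full command / value exactly as logged
    target: str = ""             # executable or DLL the command actually loads
    owner: str = ""              # vendor string (O23 services only)
    reasons: List[str] = field(default_factory=list)


LINE_RE = re.compile(r"^(F\d|O\d+|R\d)\s+-\s+(.*)$")
O4_RE = re.compile(r"^(.+?):\s+\[(.*?)\]\s+(.*)$")          # O4 - HKLM\..\Run: [name] command
O4_STARTUP_RE = re.compile(r"^(Global Startup|Startup):\s+(.*)$")
TEMP_DIR_RE = re.compile(r"[\\/](temp|tmp)[\\/]", re.I)
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:[\\/]windows[\\/][^\\/]+$", re.I)
# The only program each system.ini-mapped logon value names on a clean XP
# install, compared by basename so the system drive letter does not matter.
F2_EXPECTED = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}


def win_basename(path: str) -> str:
    """Last component of a Windows path (os.path is POSIX-flavoured on Linux)."""
    return re.split(r"[\\/]", path)[-1]


def extract_target(command: str) -> str:
    """Return the file a Run-style command actually loads."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end < 0:
            end = len(command)
        target, rest = command[1:end], command[end + 1:]
    else:
        target, _, rest = command.partition(" ")
    # rundll32 is only a host process; the DLL it is told to load is the real target
    if win_basename(target).lower() in ("rundll32.exe", "rundll32"):
        rest = rest.strip()
        target = rest.split(",", 1)[0] if rest else target
    return target.strip()


def parse_hjt(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.group(1), m.group(2)
        if section == "O4":
            m4 = O4_RE.match(rest)
            if m4:
                entries.append(Entry(section, m4.group(2), m4.group(3), extract_target(m4.group(3))))
                continue
            ms = O4_STARTUP_RE.match(rest)
            if ms:
                link = ms.group(2)
                # "name.lnk = C:\path\app.exe" entries carry the target after " = "
                name, _, cmd = link.partition(" = ")
                cmd = cmd or name
                entries.append(Entry(section, name, cmd, extract_target(cmd)))
        elif section == "F2":
            key, _, value = rest.partition(": ")[2].partition("=")
            entries.append(Entry(section, key, value))
        elif section in ("O3", "O20", "O21", "O23"):
            parts = rest.split(": ", 1)[1].split(" - ")
            path = parts[-1].strip()
            owner = parts[-2].strip() if section == "O23" and len(parts) >= 3 else ""
            entries.append(Entry(section, parts[0].strip(), path, path, owner))
    return entries


def judge(entry: Entry) -> Entry:
    """Attach review reasons based on where the entry loads its code from."""
    t = entry.target
    if entry.section == "F2":
        allowed = F2_EXPECTED.get(entry.name.lower(), set())
        items = [p.strip() for p in entry.command.split(",") if p.strip()]
        extras = [p for p in items if win_basename(p).lower() not in allowed]
        if extras:
            entry.reasons.append(f"extra program appended to {entry.name}: " + ", ".join(extras))
        return entry
    if entry.section == "O4" and t and not re.search(r"[\\/]", t):
        entry.reasons.append("bare filename, located via the search path rather than a fixed directory")
    if TEMP_DIR_RE.search(t):
        entry.reasons.append("runs from a Temp directory")
    if WINDOWS_ROOT_RE.match(t):
        entry.reasons.append("loose executable directly in the Windows directory")
    if entry.section == "O23" and entry.owner.lower() == "unknown owner":
        entry.reasons.append("service binary carries no vendor information")
    return entry


def flag_suspicious(text: str) -> Dict[str, List[str]]:
    """Map each flagged entry name to the reasons it was flagged."""
    return {e.name: e.reasons for e in (judge(e) for e in parse_hjt(text)) if e.reasons}


if __name__ == "__main__":
    for name, reasons in flag_suspicious(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run as-is it flags the modified Shell and UserInit values, the loose `C:\WINDOWS\v1201.exe`, the bare `winlog.exe` and `hhipft.exe`, the Temp-folder `Winsvr` entry and the ownerless `cmdService`, while the Norton, QuickTime and iPod entries pass. Note what the heuristics miss: the rundll32-hosted `txcvagf.dll` sits in system32 with a vendor-free but unremarkable path, so it is not flagged. Path heuristics narrow the list; the fix list a volunteer posts still rests on knowing the specific names, so treat the output as a review queue, not a verdict.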
Old 10-12-2006, 08:08 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 24,442
OS: 2000 Pro; XP Pro; XP Home


Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

This machine is pretty badly infected, as you already know. This will likely take several passes and several hours of effort on your part to cleanse, and there's still no guarantee that your OS will operate as normal again, due to the amount of infection that's been present. We shall endeavor to do our best to help you.

You also have a Trojan which attempts to steal passwords, as well as logging keypresses and open window titles to text files and periodically sends the collected information to a remote user via HTTP. I recommend you change your passwords and check your accounts for unusual activity.

Round 1

---------------------------------------------------------------------------------------------
  1. Download combofix from one of these locations:
  2. Double click on combofix.exe & follow the prompts.
  3. When finished, it shall produce a log for you. Post that log in your next reply, at the end of all this work.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


---------------------------------------------------------------------------------------------

Round 2

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum at the end of all this work.

Round 3

Download AVG Anti-Spyware
  • Install AVG Anti-Spyware
  • Double-click the icon on Desktop to launch AVG Anti-Spyware
You will need to update AVG Anti-Spyware to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure: http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

Do not do anything with these yet!

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Internet Optimizer
PSDream


---------------------------------------------------------------------------------------------


Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\wwgoqr.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [ms04950321178] C:\WINDOWS\ms04950321178.exe
O4 - HKLM\..\Run: [hqdqew] C:\WINDOWS\system32\iyyyey.exe reg_run
O4 - HKLM\..\Run: [jguawkhA] C:\WINDOWS\jguawkhA.exe
O4 - HKLM\..\Run: [ynba34fd] RUNDLL32.EXE w206b181.dll,n 005a34f800000003206b181
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\testtestt.exe
O4 - HKLM\..\Run: [txcvagf.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\txcvagf.dll,vvbpsi
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\testtestt.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\rac\LOCALS~1\Temp\113072.exe
O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\rac\LOCALS~1\Temp\1116384.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - Global Startup: hhipft.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\sexotq.dll
O21 - SSODL: gcfoTi - {0706EF79-ADAC-45D3-A375-63424D197A8E} - C:\WINDOWS\system32\axql.dll



Close HijackThis now.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following Files/Folders if they exist:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe
C:\Program Files\Internet Optimizer
C:\Program Files\PSDream
C:\WINDOWS\cfg32.exe
C:\WINDOWS\cmFj
C:\WINDOWS\jguawkh.exe
C:\WINDOWS\jguawkhA.exe
C:\WINDOWS\ms04950321178.exe
c:\windows\system32\_mzu_stonedrv3.exe
C:\WINDOWS\system32\iyyyey.exe
C:\WINDOWS\system32\spoolsvv.exe
C:\WINDOWS\system32\testtestt.exe
C:\WINDOWS\system32\txcvagf.dll
C:\WINDOWS\system32\wwgoqr.exe
C:\WINDOWS\v1201.exe


Locate these via Start>Search and delete them if they exist:

hhipft.exe
w206b181.dll





---------------------------------------------------------------------------------------------

Run Cleanup! using the following configuration:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

---------------------------------------------------------------------------------------------

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Beside the scriptline to execute field click the folder icon and select alcanshorty.bfu by double clicking on it.
  • Press Execute and let it do its job. (You ought to see a blue progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.

---------------------------------------------------------------------------------------------

Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

---------------------------------------------------------------------------------------------

Once back in normal Windows:

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.


---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Run Combofix once more, using the same instructions as before. It will create a second log. Please post both ComboFix logs. They will be located at C:\ComboFix.txt and C:\ComboFix2.text

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

ComboFix (both logs)
AVG Anti-Spyware
SDFix
Panda
HJT
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006
Our help is voluntary, but this site needs donations to operate.
Please consider Donating to the Forum.


Please do not ask for help via Private Message. Ask in the forums, so all may gain from the experience.
tetonbob is offline  
Old 10-18-2006, 10:22 AM   #3 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 11
OS: XP


Requested Logs

Sorry for the delay. Was out of town and it took a while to go through all the steps.. Here are the logs...
rac - 06-11-18 13:17:03.48 Service Pack 2
ComboFix 06.10.11 - Running from: "C:\Documents and Settings\rac\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-18 to 2006-11-18 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-11-18 13:13 -------- d-------- C:\Program Files\HijackThis
2006-11-18 12:30 -------- d-------- C:\Program Files\Norton AntiVirus
2006-11-18 12:30 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-18 12:26 -------- d-------- C:\Program Files\Internet Explorer
2006-11-18 12:19 -------- d-------- C:\Program Files\Common Files\Funk Software
2006-10-16 19:44 -------- d---s---- C:\Documents and Settings\rac\Application Data\Microsoft
2006-10-16 18:19 -------- d-------- C:\Program Files\WebSiteViewer
2006-10-16 18:19 -------- d-------- C:\Program Files\microsoft frontpage
2006-10-16 12:27 -------- d-------- C:\Program Files\CleanUp!
2006-10-16 11:34 4337 --a------ C:\WINDOWS\hhotke.dll
2006-10-16 09:05 -------- d-------- C:\Program Files\Common Files
2006-10-14 09:35 -------- d-------- C:\Program Files\Napster
2006-10-14 09:35 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-10-14 09:11 -------- d-------- C:\Documents and Settings\rac\Application Data\Image Zone Express
2006-10-12 00:00 -------- d-------- C:\Program Files\QuickTime
2006-10-12 00:00 -------- d-------- C:\Program Files\PSDream
2006-10-12 00:00 -------- d-------- C:\Program Files\iTunes
2006-10-11 22:58 -------- d-------- C:\Program Files\Common Files\HP
2006-10-11 22:24 -------- d-------- C:\Documents and Settings\rac\Application Data\HP
2006-10-11 22:22 -------- d-------- C:\Program Files\HP
2006-10-11 22:19 -------- d-------- C:\Program Files\Hewlett-Packard
2006-10-11 18:57 1233 --a------ C:\WINDOWS\system32\ynba34fd.sys
2006-10-11 18:17 -------- d-------- C:\Program Files\Grisoft
2006-10-11 15:40 589 --a------ C:\WINDOWS\gtffv.dll
2006-10-11 08:52 157696 --a------ C:\WINDOWS\system32\sexotq.dll
2006-10-11 08:48 94720 --a------ C:\WINDOWS\system32\txcvagf.dll
2006-10-11 08:48 72704 --a------ C:\WINDOWS\system32\yltpkfe.dll
2006-10-10 19:21 517 --a------ C:\Program Files\Common Files\mewop
2006-10-10 19:21 183478 --a------ C:\WINDOWS\srvdbjwngg.exe
2006-10-10 19:20 217276 --a------ C:\WINDOWS\srvpemrnsn.exe
2006-10-10 19:20 -------- d-------- C:\Program Files\MSN
2006-10-04 10:24 -------- d-------- C:\Program Files\Common Files\Hewlett-Packard
2006-10-03 18:14 -------- d-------- C:\Documents and Settings\rac\Application Data\NetMedia Providers
2006-10-03 14:12 -------- d-------- C:\Documents and Settings\rac\Application Data\MSN6
2006-10-02 20:11 15360 --a------ C:\WINDOWS\system32\XPLNMon.dll
2006-09-15 16:16 53248 --a------ C:\WINDOWS\uni_e6h.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CMFibula"="\"C:\\Program Files\\CMFibula\\CMFibula.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"SbUsb AudCtrl"="RunDll32 sbusbdll.dll,RCMonitor"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"Explorer 2238"="C:\\WINDOWS\\system32\\dxvwygcv.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"jguawkhA"="C:\\WINDOWS\\jguawkhA.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"="DCOM Server 2238"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"DCOM Server 2238"="{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATIModeChange]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ati2mdxx"
"hkey"="HKLM"
"command"="Ati2mdxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CARPService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="carpserv"
"hkey"="HKLM"
"command"="carpserv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Cpqset]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cpqset"
"hkey"="HKLM"
"command"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Display Settings]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hptasks"
"hkey"="HKLM"
"command"="C:\\Program Files\\HPQ\\Notebook Utilities\\hptasks.exe /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DVDUpgrade]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDUpgrd"
"hkey"="HKLM"
"command"="DVDUpgrd.exe /async"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PreloadApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="setup"
"hkey"="HKLM"
"command"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QT4HPOT]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OneTouch"
"hkey"="HKLM"
"command"="C:\\Program Files\\HPQ\\One-Touch\\OneTouch.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="soft"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\soft.exe"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\srmclean]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="srmclean"
"hkey"="HKLM"
"command"="C:\\Cpqs\\Scom\\srmclean.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Web Service]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="96a1025c"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\96a1025c.exe"
"inimapping"="0"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\WebReg Deskjet F300 series.job

Completion time: 06-11-18 13:17:33.98
ComboFix.txt
ComboFix02.txt
ComboFix2.txt
ComboFix3.txt


Incident Status Location

Spyware:spyware/apropos Not disinfected c:\windows\system32\auto_update_uninstall.log
Adware:adware/cws.searchmeup Not disinfected c:\windows\system32\commands.ini
Spyware:spyware/linkreplacer Not disinfected c:\windows\system32\lmdv.bin
Adware:adware/midaddle Not disinfected c:\windows\system32\PreUninstall.exe
Adware:adware/ncase Not disinfected c:\windows\system32\saie.log
Virus:trj/abwiz.a Disinfected Operating system
Adware:adware/adsmart Not disinfected c:\windows\system32\vx.tll
Adware:adware/portalscan Not disinfected c:\windows\system32\winupdt.008
Adware:adware/ist.yoursitebar Not disinfected c:\windows\downloaded program files\ysbactivex.inf
Adware:adware/ipinsight Not disinfected c:\windows\inf\farmmext.inf
Virus:trj/torpig.a Disinfected Operating system
Adware:adware/delfinmedia Not disinfected c:\keys.ini
Adware:adware/isearch Not disinfected c:\windows\delprot.ini
Adware:adware/ezula Not disinfected c:\windows\eZinstall.exe
Adware:adware/gator Not disinfected c:\windows\GatorHDPlugin.log
Adware:adware/ieplugin Not disinfected c:\windows\kwv2.dat
Adware:adware/enhancemsearch Not disinfected c:\windows\searchen.dat
Adware:adware/dealhelper Not disinfected c:\windows\system32\DealHelper
Adware:adware/savenow Not disinfected c:\windows\system32\wsxsvc
Spyware:spyware/surfsidekick Not disinfected c:\program files\SurfSideKick 2
Adware:adware/topconvert Not disinfected c:\program files\TopConverting
Dialer:dialer.bb Not disinfected c:\program files\WebSiteViewer
Adware:adware/elitebar Not disinfected c:\windows\EliteSideBar
Adware:adware/transponder Not disinfected c:\windows\inst
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/popper Not disinfected Windows Registry
Adware:adware/bookedspace Not disinfected Windows Registry
Adware:adware/powerstrip Not disinfected Windows Registry
Adware:adware/secure32 Not disinfected C:\WINDOWS\system32\drivers\etc\hosts
Virus:trj/downloader.bcn Disinfected Operating system
Adware:adware/stiebar Not disinfected Windows Registry
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[.atwola.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[.revenue.net/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\rac\Application Data\Mozilla\Firefox\Profiles\18zbstjl.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\rac\Cookies\rac@stats.drivecleaner[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\rac\Desktop\SDFix\SDFix\apps\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\rac\Desktop\SDFix.zip[SDFix/apps/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\rac\Desktop\SmitfraudFix(2)\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\rac\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Adware:Adware/eZula Not disinfected C:\Documents and Settings\rac\Start Menu\Programs\TopText iLookup\My Keywords.lnk
Adware:Adware/eZula Not disinfected C:\Documents and Settings\rac\Start Menu\Programs\TopText iLookup\My Preferences.lnk
Adware:Adware/eZula Not disinfected C:\Documents and Settings\rac\Start Menu\Programs\TopText iLookup\TopText Button Show - Hide.lnk
Spyware:Spyware/7r7t Not disinfected C:\Program Files\PSDream\Uninstall.exe
Virus:Trj/Qhost.Y Not disinfected C:\Program Files\support.com\backup\ho\hosts\378_52ed308b2_[hosts]
Adware:Adware/CWS.008k Not disinfected C:\WINDOWS\blank.htm
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\casino-ico.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\casino.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\dating-ico.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\dating.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\drugs-ico.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\drugs.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\fav-ico.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\fav.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\EliteToolBar\xml\images\virus.bmp
Adware:Adware/BTGrab Not disinfected C:\WINDOWS\inf\btgrab.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\zserv.inf
Spyware:Spyware/7r7t Not disinfected C:\WINDOWS\srvdbjwngg.exe
Adware:Adware/DigInk Not disinfected C:\WINDOWS\srvpemrnsn.exe
Adware:Adware/DigInk Not disinfected C:\WINDOWS\uni_e6h.exe



SDFix: Version 1.28
-------------------

Scan run on:
06-10-16

Time:
12:24


Microsoft Windows XP [Version 5.1.2600]

Running from: C:\Documents and Settings\rac\Desktop\SDFix\SDFix

Stage One...

Checking Services...

Name:
-----


Path:
----





Repairing Registry...

Restoring Default Hosts File...

Stage One Complete

Rebooting!

Stage Two...

Registry Cleaning Finished...

Checking For Malware Files:
--------------------------

C:\WINDOWS\system32\adir.dll
C:\WINDOWS\system32\taskdir.exe
C:\WINDOWS\system32\taskdir~.exe

Backing Up and Removing any Files Found...

Final Check:

Remaining Services:
------------------

Remaining Files:
--------------



*Any removed Files are saved in the SDFix\backups Folder*

*FINISHED*

Logfile of HijackThis v1.99.1
Scan saved at 13:13, on 06-11-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Explorer 2238] C:\WINDOWS\system32\dxvwygcv.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [jguawkhA] C:\WINDOWS\jguawkhA.exe
O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {2516874A-8BF8-4FF9-865A-D7D5C67FFADE} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs:
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\DOCUME~1\rac\LOCALS~1\Temp\29914\explorer.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\jguawkh.exe (file missing)

I cannot find my Panda log.... I will keep looking. Thanks for all the help!!!! Brenda
hinemans is offline  
Old 10-18-2006, 09:53 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 24,442
OS: 2000 Pro; XP Pro; XP Home


Well, now...this is still one seriously messed up system. I hope we can clean it all. We shall try. First, I need the rest of the logs from the tools I asked you to run.

I have the Panda log. What I don't have is the AVG Anti-Spyware log. Did you run it? It will be located at C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports

I also require the log from SmitfraudFix. Did you run it? It should be located at C:\rapport.txt

I also recommend you keep this system disconnected from the internet except for any downloads and communication until it's clean. If you can communicate via another clean system, please do that and transfer any logs from the infected machine to your communication machine via USB stick drive, floppy, or CD.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006
Our help is voluntary, but this site needs donations to operate.
Please consider Donating to the Forum.


Please do not ask for help via Private Message. Ask in the forums, so all may gain from the experience.
tetonbob is offline  
Old 10-19-2006, 09:08 AM   #5 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 11
OS: XP


Missing Log 1st half

Hello! I think these are what you needed... Whew! I sure hope we can get this done! I sure appreciate your help! Thanks, Brenda
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:22 06-10-16

+ Scan result:



C:\Program Files\180Solutions\sais.exe -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\Program Files\180Solutions\saishook.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\WINDOWS\gvahkr.exe.bak -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\WINDOWS\icont.exe -> Adware.AdURL : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP1\A0044322.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\Program Files\AutoUpdate -> Adware.Apropos : Cleaned with backup (quarantined).
C:\Program Files\CxtPls -> Adware.Apropos : Cleaned with backup (quarantined).
C:\Program Files\CxtPls\AI_14-02-2005.log -> Adware.Apropos : Cleaned with backup (quarantined).
C:\Program Files\CxtPls\CxtPls.dll -> Adware.Apropos : Cleaned with backup (quarantined).
C:\Program Files\CxtPls\CxtPls.exe -> Adware.Apropos : Cleaned with backup (quarantined).
C:\Program Files\CxtPls\ProxyStub.dll -> Adware.Apropos : Cleaned with backup (quarantined).
C:\Program Files\CxtPls\WinGenerics.dll -> Adware.Apropos : Cleaned with backup (quarantined).
C:\Program Files\CxtPls\ace.dll -> Adware.Apropos : Cleaned with backup (quarantined).
C:\Program Files\CxtPls\atl.dll -> Adware.Apropos : Cleaned with backup (quarantined).
C:\Program Files\CxtPls\data.bin -> Adware.Apropos : Cleaned with backup (quarantined).
C:\Program Files\CxtPls\uninstaller.exe -> Adware.Apropos : Cleaned with backup (quarantined).
C:\WINDOWS\cxtpls_loader.exe -> Adware.Apropos : Cleaned with backup (quarantined).
C:\WINDOWS\system32\auto_update_uninstall.exe -> Adware.Apropos : Cleaned with backup (quarantined).
C:\WINDOWS\inst\3p_1.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\WINDOWS\system32\randreco.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\WINDOWS\BTGrab.dll -> Adware.BiSpy : Cleaned with backup (quarantined).
C:\WINDOWS\ZServ.dll -> Adware.BiSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP1\A0034571.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP1\A0044183.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP1\A0044184.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\cfg32o.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\cfg32p.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\cfg32r.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\cfg32s.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BookedSpace.Extension.5 -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\Program Files\BraveSentry -> Adware.Bravesentry : Cleaned with backup (quarantined).
C:\Program Files\BraveSentry\BraveSentry.lic -> Adware.Bravesentry : Cleaned with backup (quarantined).
C:\Program Files\BraveSentry\Uninstall.exe -> Adware.Bravesentry : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP1\A0034569.exe -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP1\A0044200.dll -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP1\A0044201.exe -> Adware.