HJT Log, Trojan found, web pages not connecting or slow and computer freezing! - Page 2

disco20 · 04-30-2006, 10:25 AM

Ried,

1.) The Ewido trial has ended, so the ewido Guard realtime protection say n/a now.

2.) Prevx1 does not have a drop-down menu that I could readily find, so I just shutdown the whole program

3.) I ran RapidBlaster Killer and it came up with the message: "No RapidBlaster Porcesses detected. (04-25-2006)

4.) I ran RapidBlaster Killer and it came up with the message: "No RapidBlaster Porcesses detected. (04-29-2006)

5.) I ran Stinger next, but I forgot to turn off Avast and halfway through a warnign poped up that saying a virus had been found at:

C:\WINDOWS\SYSTEM32\ActiveScan\pskavs.dll
The Malware: Win32:CTX

I deleted it and let the scan finish.
After the scan was completed no indication that any virus' were present was avaliable. It just said:

Number of clean files: 203471

6.) For Pocket Killbox I did the following:
- Followed your directions as given down to the "Paste from Clipboard". Here when I tried to Copy and Paste the c:\Windows\System32\winscntrl.exe file it would not copy from the Clipboard, so I pasted it into the "Full Path of File to Delete" Box, but unlike the other two files it was not recognized by a blue name underneath the box. I never recieved a message stating "Click NO at the Pending Operations prompt." and I said no to the immediate reboot.

7.) I then realized I had not started in Safe Mode and restarted in Safe Mode. I retried to run Killbox, but I had to individually put each file in the box, run the program exit it and repeat the steps again.

8.) I cleared all the cookies

9.) I ran a ewido scan. The log is below.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:03:08 AM, 4/30/2006
+ Report-Checksum: E0F8A932

+ Scan result:

C:\WINDOWS\SYSTEM32\eraseme_53055.exe -> Backdoor.SdBot.aoy : Cleaned with backup

::Report End

10.) I was trying to install some Windows updates after restarting and Avast popped this up in the middle of installation:
Sign of "Win32:CTX" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\FIFOED\A0039980.DLL" file

11.) I tried to run Panda Scan, but after I would select my computer it would just stop, it would refuse to scan. I went to run a Kapersky scan and it did the same as Panda. I am unsure of what to do now.

12.) Below is another HiJack This log.

Logfile of HijackThis v1.99.1
Scan saved at 12:23:50 PM, on 4/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Notepad.exe
C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phishhook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.citcom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144592695466
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144593165966
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFC1A313-FDED-4C18-8214-67618808CFA9}: NameServer = 204.116.57.2 206.74.254.2
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NeatReceipts Auto Backup - Digital Business Processes - C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

disco20 · 04-30-2006, 11:07 AM

Just to let you know this just popped up:

eraseme_70088.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

Ried · 04-30-2006, 05:46 PM

Ok Scott, this is what I want you to do.

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't carry out these instructions until you are ready. With that said (when ready):

1. Please download The Avenger to your Desktop.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

We'll use this later.

Please download SilentRunners.vbs - Right click & choose Save As... SilentRunners.vbs

Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts

Launch SilentRunners by double-clicking the downloaded file. In the ensuing Window, select 'No' to avoid skipping supplementary searches. Please be patient as the script requires a few minutes to complete.

When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs". Post ALL its contents here in your next reply.

Download StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post that log here

---------------------------------------

If you'll notice, the eraseme...file keeps changing on us. Ewido cleans it, and it simply changes names. Navigate to C:\Windows\System32 and look for any file beginning with eraseme_

Write down the full file name that you find and post it here for me along with the Silent Runners and Startdreck logs.

Leave your PC on--do NOT reboot or the name will change again.

disco20 · 04-30-2006, 07:13 PM

Ried,

Once again, thanks for the enourmous amount of help! I truly appreciate it.

1.) I downloaded Avenger and it is currently sitting on my desktop unzipped and waiting.

2.) I disabled Avast and Prex1.

3.) I ran SilentRunners.vbs the results are below

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"type32" = ""C:\Program Files\Microsoft IntelliType Pro\type32.exe"" [MS]
"IntelliPoint" = ""C:\Program Files\Microsoft IntelliPoint\point32.exe"" [MS]
"DU Meter" = "C:\Program Files\DU Meter\DUMeter.exe" ["Hagel Technologies"]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" [null data]
"PrevxOne" = "C:\Program Files\Prevx1\PXConsole.exe" ["Prevx"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"UpdReg" = "C:\WINDOWS\Updreg.exe" ["Creative Technology Ltd."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]
"RoxioDragToDisc" = ""C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"" ["Roxio"]
"RoxioAudioCentral" = ""C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"" ["Roxio, Inc."]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"hppwrsav" = "C:\SCANJET\PrecisionScanLT\hppwrsav.exe" [null data]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"Dit" = "Dit.exe" [null data]
"BJCFD" = "C:\Program Files\BroadJump\Client Foundation\CFD.exe" ["BroadJump, Inc."]
"BCMSMMSG" = "BCMSMMSG.exe" ["Broadcom Corporation"]
"AHQInit" = "C:\Program Files\Creative\SBLive\Program\AHQInit.exe" ["Creative Technology Ltd"]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{243B17DE-77C7-46BF-B94B-0B5F309A0E64}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP\SmartHook.dll" ["SmartFTP"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll" ["Roxio"]
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}" = "My Media"
-> {HKLM...CLSID} = "My Media"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll" ["Roxio, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{00020000-0000-1011-8004-0000C06B5161}" = "WIBU-SYSTEMS Shell Extension"
-> {HKLM...CLSID} = "WIBU-SYSTEMS Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll" ["WIBU-SYSTEMS AG"]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {HKLM...CLSID} = "dMCIShell Class"
\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{97FA8AA2-EE77-4FF2-9449-424D8924EF21}" = "IntelliType Pro Zooming Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Zooming Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplzm.dll"" [MS]
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Scrolling Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Key Settings Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplkey.dll"" [MS]
"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Wireless Control Panel Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwir.dll"" [MS]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "Wireless Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
-> {HKLM...CLSID} = "Wheel Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
-> {HKLM...CLSID} = "Activities Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
-> {HKLM...CLSID} = "Buttons Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{00020000-0000-1011-8004-0000C06B5161}\(Default) = (no title provided)
-> {HKLM...CLSID} = "WIBU-SYSTEMS Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll" ["WIBU-SYSTEMS AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
{FED7043D-346A-414D-ACD7-550D052499A7}\(Default) = "dBpowerAMP Column Handler"
-> {HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Desktop Background.bmp"

Startup items in "Scott Strickler" & "All Users" startup folders:
-----------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"HotSync Manager" -> shortcut to: "C:\Palm\HOTSYNC.EXE" ["Palm, Inc."]

Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]
"Disk Defragmenter" -> launches: "C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Disk Defragmenter.lnk" [null data]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll [null data], 01 - 02, 21
%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 08 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4D5C8C2A-D075-11D0-B416-00C04FB90376}"
-> {HKLM...CLSID} = "Microsoft CommBand"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{D6A116E7-5906-42E4-87F6-E7E15936415E}\(Default) = "MoneySide"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{DD6687B5-CB43-4211-BFC9-2942CCBDCB3E}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.citcom.net

Missing lines (compared with English-language version):
[Strings]: 1 line

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
MSSQL$NR2005, MSSQL$NR2005, "C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe -sNR2005" [MS]
NeatReceipts Auto Backup, NeatReceipts Auto Backup, "C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe" [null data]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]
hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 50 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 20 seconds.
---------- (total run time: 277 seconds)

4.) I then ran StartDreck . The log is below.

StartDreck (build 2.1.7 public stable) - 2006-04-30 @ 21:10:03 (GMT -04:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Scott Strickler at STRICKLERS

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
*cnkdsk=C:\WINDOWS\System32\cnkdsk.exe
*Windows installer=C:\winstall.exe
*pro=c:\tool2.exe
»RunOnce
»Local Machine
»Run
*type32="C:\Program Files\Microsoft IntelliType Pro\type32.exe"
*IntelliPoint="C:\Program Files\Microsoft IntelliPoint\point32.exe"
*DU Meter=C:\Program Files\DU Meter\DUMeter.exe
*WinampAgent=C:\Program Files\Winamp\winampa.exe
*Google Desktop Search="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
*PrevxOne=C:\Program Files\Prevx1\PXConsole.exe
*avast!=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
*UpdReg=C:\WINDOWS\Updreg.exe
*SunJavaUpdateSched=C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
*RoxioDragToDisc="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
*RoxioAudioCentral="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
*NeroCheck=C:\WINDOWS\system32\NeroCheck.exe
*hppwrsav=C:\SCANJET\PrecisionScanLT\hppwrsav.exe
*HPDJ Taskbar Utility=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
*Dit=Dit.exe
*BJCFD=C:\Program Files\BroadJump\Client Foundation\CFD.exe
*BCMSMMSG=BCMSMMSG.exe
*AHQInit=C:\Program Files\Creative\SBLive\Program\AHQInit.exe
*Zone Labs Client=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=Notepad.exe %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Windows Media Player/>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=C:\WINDOWS\inf\unregmp2.exe /ShowWMP
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=
*MoneySide.BrowserHelperObject.11/{243B17DE-77C7-46BF-B94B-0B5F309A0E64}
`InprocServer32=C:\Program Files\Microsoft Money\System\mnyside.dll
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
*{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
`InprocServer32=
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\System32\blank.htm
*Start Page=http://www.phishhook.com/
+SearchUrl
*provider=gogl
*=http://www.google.com/keyword/%s
»Default User
*Default_Page_URL=http://www.dellnet.com
*First Home Page=http://start.earthlink.net
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
»Local Machine
*Default_Page_URL=http://www.citcom.net
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Search Page=http://www.google.com
*Start Page=http://www.dellnet.com
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://www.google.com/ie
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Scott Strickler\Start Menu\Programs\Startup\DESKTOP.INI
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\DESKTOP.INI
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /TUTag=IBWQMW
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
`device=C:\PROGRA~1\ALWILS~1\Avast4\aswmonds.sys
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINDOWS\wininit.ini
`[Rename]
`NUL=C:\WINDOWS\System32\atl.dll
`C:\WINDOWS\System32\atl.dll=C:\WINDOWS\System32\atl.tmp
*C:\WINDOWS\hosts
`127.0.0.5 makethemcry.com
`127.0.0.5 loudcash.com
`127.0.0.5 iframestat.com
`127.0.0.5 toolbarpartner.com
`127.0.0.5 hqcash.com
`127.0.0.5 verybigcash.com
`127.0.0.5 makethemcry.com
`127.0.0.5 moviepartnership.com
`127.0.0.5 callmachine.com
`127.0.0.5 regcash.com
`127.0.0.5 toolbarpartner.com
`127.0.0.5 klikrevenue.com
`127.0.0.5 p2dll.com
`127.0.0.5 t73.com
`127.0.0.5 www.makethemcry.com
`127.0.0.5 www.loudcash.com
`127.0.0.5 www.iframestat.com
`127.0.0.5 www.toolbarpartner.com
`127.0.0.5 www.hqcash.com
`127.0.0.5 www.verybigcash.com
`127.0.0.5 www.makethemcry.com
`127.0.0.5 www.moviepartnership.com
`127.0.0.5 www.callmachine.com
`127.0.0.5 www.regcash.com
`127.0.0.5 www.toolbarpartner.com
`127.0.0.5 www.klikrevenue.com
`127.0.0.5 www.p2dll.com
`127.0.0.5 www.t73.com
*C:\WINDOWS\System32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\System32\NOTEPAD.EXE
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\System32\TASKMAN.EXE
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\System32\WINHLP32.EXE
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+420=\SystemRoot\System32\smss.exe
+476=\??\C:\WINDOWS\system32\csrss.exe
+504=\??\C:\WINDOWS\system32\winlogon.exe
+548=C:\WINDOWS\system32\services.exe
+560=C:\WINDOWS\system32\lsass.exe
+736=C:\WINDOWS\system32\svchost.exe
+780=C:\WINDOWS\System32\svchost.exe
+896=C:\WINDOWS\System32\svchost.exe
+920=C:\WINDOWS\System32\svchost.exe
+1020=C:\WINDOWS\system32\spoolsv.exe
+1152=C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
+1168=C:\Program Files\Alwil Software\Avast4\ashServ.exe
+1196=C:\WINDOWS\System32\cisvc.exe
+1208=C:\WINDOWS\System32\CTsvcCDA.EXE
+1264=C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
+1556=C:\WINDOWS\System32\svchost.exe
+1572=C:\WINDOWS\System32\wdfmgr.exe
+1608=C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
+1736=C:\WINDOWS\System32\MsPMSPSv.exe
+1772=C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
+2148=C:\WINDOWS\System32\cidaemon.exe
+2616=C:\WINDOWS\Explorer.EXE
+2728=C:\Program Files\Microsoft IntelliType Pro\type32.exe
+2784=C:\WINDOWS\System32\devldr32.exe
+2804=C:\Program Files\Microsoft IntelliPoint\point32.exe
+2816=C:\Program Files\DU Meter\DUMeter.exe
+2860=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
+2888=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
+2936=C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
+2964=C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
+2996=C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
+3036=C:\SCANJET\PrecisionScanLT\hppwrsav.exe
+3064=C:\WINDOWS\Dit.exe
+3080=C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
+3092=C:\Program Files\BroadJump\Client Foundation\CFD.exe
+3100=C:\WINDOWS\DitExp.exe
+3108=C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
+3136=C:\WINDOWS\BCMSMMSG.exe
+3276=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
+3360=C:\Palm\HOTSYNC.EXE
+3852=C:\Program Files\Mozilla Firefox\firefox.exe
+348=C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
+1792=C:\WINDOWS\Notepad.exe
+2064=C:\Documents and Settings\Scott Strickler\Desktop\StartDreck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User

5.) Here are the eraseme file names:

eraseme_63381.exe

and

eraseme_70088.exe

Ried · 04-30-2006, 08:54 PM

Hi Scott,

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:

Files to Delete:

C:\Windows\System32\eraseme_63381.exe
C:\Windows\System32\eraseme_70088.exe
C:\WINDOWS\System32\cnkdsk.exe
C:\winstall.exe
c:\tool2.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply[b]

---------------------------------

See if you can complete an online scan at Panda and post the results here along with the avenger.txt and a new HijackThis log.

How is your system behaving now?

disco20 · 05-01-2006, 05:53 AM

Ried,
My system is running ALOT better. I appreciate your help. I am at work now, so all the scans and such are not completed yet. I do have one concern. Once I restarted after using Avenger (I had to manually restart, but Avenger did shut the computer down). I go another virus warning from Avast, I will post the exact location this evening but it was another Win32.CTX file, any help on ridding my computer of this would be marvelous. Thanks Again.

Ried · 05-01-2006, 07:43 AM

If it's in either of these locations, as reported earlier by Avast, no need to worry.

Quote:

C:\WINDOWS\SYSTEM32\ActiveScan\pskavs.dll
The Malware: Win32:CTX (This a false positive detection caused by Panda's on-line scanner not encrypting its virus signature files)

Sign of "Win32:CTX" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\FIFOED\A0039980.DLL" file (We'll take care of clearing the System Restore when we are through here.)

You can put those files into Avast's the list of exclusions, so they will not be scanned anymore.

disco20 · 05-01-2006, 07:51 AM

Ried,
Pardon my ignorance, but is the Win32:CTX something to not worry about?

Ried · 05-01-2006, 08:09 AM

Not if it's in the locations I just listed above.

Avast is merely detecting the signature files Panda uses to detect that virus. Anything in System Restore is locked away at the moment.

disco20 · 05-01-2006, 06:35 PM

Ried,

I cannot get the Panda ActiveScan (never starts after I click on My Computer) or the Kapersky scans to work (Refuses to do anything after I hit accept, but will close the window when I hit decline). Prex1 is off, ZoneAlarm is off, Avast is off.

Also do you feel that Avast is the best free Anti-Viral program or should I switch to AVG/

Thanks Again,

Scott

disco20 · 05-01-2006, 07:51 PM

Ried,

I was running Spybot and I wanted to post my log as not all the files would delete and one looked really suspicious: cnkdsk

--- Search result list ---
Smitfraud-C.: Autorun settings (pro) (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pro

Smitfraud-C.: Autorun settings (pro) (Registry value, fixed)
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pro

Smitfraud-C.: User settings (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\Software\Install\Version

Smitfraud-C.: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Install\Version

Smitfraud-C.: Autorun settings (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows installer

Smitfraud-C.: Autorun settings (Registry value, fixed)
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows installer

Web-Nexus: Autorun settings (cnkdsk) (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnkdsk

Web-Nexus: Autorun settings (cnkdsk) (Registry value, fixed)
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnkdsk

Windows Security Center.SP2Update: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0

Windows Security Center.AntiVirusOverride: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Windows Security Center.FirewallOverride: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0

Windows Security Center.FirewallDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Windows Security Center.UpdateDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

This is not the complete log, I can post that if neccesary (it was too many characters)

Ried · 05-01-2006, 08:01 PM

Scott!

That Spybot log has proved invaluable.

Copy these instructions to Notepad for reference.

****************************************

Please download SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop. Do NOT run it yet!.

Download Brute Force Uninstaller to your desktop. (rightclick on this link and choose save as, if using IE save target as)

Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
Download qoofix.bat (rightclick on this link and choose save as, if using IE save target as)
Place qoofix.bat in your C:\BFU - folder. (Important!)
Doubleclick qooFix.bat, Close all browsers and explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
As the PC is restarting, boot it into Safe Mode.

--------------------------------------------

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Clean out your Temporary Internet files.

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache
Delete Newsgroup Subscriptions
Scan local drives for temporary files (not present in version 4.51

4. Click OK
5. Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------------------------

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:
· "Security Info"
· "Warning Message"
· "Security Desktop"
· "Warning Homepage"
· "Desktop Uninstall"

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.

Click on Scanner
Click on Settings
- Under How to scan all boxes should be checked
- Under Unwanted Software all boxes should be checked
- Under What to scan select Scan every file
- Click on Ok
Click on Complete System Scan to start the scan process.
Let the program scan the machine.

If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.

Click Save Report button
Save the report to your Desktop

Close Ewido and Reboot in Normal Mode.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

Once you reboot......

See if you can get an online scan to complete at Panda and post the results here.

Run a new HijackThis scan. Save the log file and post it here.

Then post the following logs in your next reply...

Panda log
Hijackthis log
Ewido log
C:\rapport.txt (log from the tool)

disco20 · 05-02-2006, 09:06 PM

Ried,

1.) Ran the BFU with the plugin

2.) Rebooted in Safe Mode

3.) Ran Smitfraud fix. rapport.txt is below:

SmitFraudFix v2.37

Scan done at 22:41:37.43, Mon 05/01/2006
Run from C:\Documents and Settings\Scott Strickler\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\uniq Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

4.) I manually rebooted back into Safe Mode.

5.) I tried to delete all my Temporary Internet Files but one in this folder - WPQLT8G8 would not, that file was called search[1]. It was located at: C:\Documents and Settings\Scott Strickler\Local Settings\Temp\Temporary Internet Files\Content.IE5\WPQLT8G8

6.) I ran CleanUp!

7.) None of the things were present in the Display>Desktop>Customize Desktop>Web> folder, so I did not change anything.

8.) I actually remembered to Update ewido before starting everything else! So I ran it and the results are below:

9.) Then I ran an ewido scan. Below is the log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:57:26 AM, 5/2/2006
+ Report-Checksum: 8F324E3C

+ Scan result:

No infected objects found.

::Report End

10.) I could not get Panda or Kapersky to work.

11.) I then ran Hijack THis. Log is below.

Logfile of HijackThis v1.99.1
Scan saved at 10:51:31 PM, on 5/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\Dit.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Palm\HOTSYNC.EXE
C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe
C:\WINDOWS\Notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144592695466
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144593165966
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NeatReceipts Auto Backup - Digital Business Processes - C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

12.) I'm sorry to be bothersome, but I do have a few questions to enhance my knowledge of all this computer malware stuff:
A.) Is Smitfraud-C. gone?
B.) Is cnkdsk gone?
C.) How can I get Panda or Kapersky to work?
D.) Is it OK to downlaod SP2?

Ried · 05-02-2006, 09:35 PM

Hi Scott,

Quote:

A.) Is Smitfraud-C. gone?
B.) Is cnkdsk gone?

Since Spybot is the only one that even revealed Smitfraud, please run Spybot again and let me know what it reports. We can't get an online scan done yet, so, again. Let's see if Spybot still reports cnkdsk or webnexus.

Quote:

C.) How can I get Panda or Kapersky to work?

Let’s try uninstalling Panda Online scan and the Kaspersky Online Scan and get rid of the current Active X’s for them. Perhaps we can get them to work again if we ‘start fresh’.

---------------------------------------

Go into your Add/Remove panel and uninstall the following if they exist:

Panda Online Scan
Kaspersky Online Scan

---------------------------------------

Close any open programs and browsers.

Run a scan with HijackThis. Check the following entries and click “Fix Checked”:

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

---------------------------------------

Reboot and try again to get an online scan done at either Panda or Kaspersky and post the results here if you were successful. If not, please still post the results from the Spybot scan.

---------------------------------------

Quote:

D.) Is it OK to download SP2?

Don’t download SP2 until we are sure you are clean.

disco20 · 05-04-2006, 07:27 PM

Ried,

Thanks for the uninstallation advice, it worked! Below is the ActiveScan results (erase_me and i are both showing up). No immediate threats were shown with Spybot and its database has been completly updated. Below that is another HiJack This log. Below that is another Ewido log.

Incident Status Location

Virus:W32/Sdbot.HEG.worm Disinfected C:\avenger\backup.zip[avenger/eraseme_70088.exe]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@banner[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@ct.360i[1].txt
Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\scottstrickler@earthlink.net\Cookies\heather strickler@www.affiliatefuel[1].txt
Spyware:Cookie/Pollstar Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\scottstrickler@earthlink.net\Cookies\scott strickler@pollstar[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\p6261fpp.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies-1.txt[.realmedia.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies-1.txt[.apmebf.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt[.realmedia.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Scott Strickler\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Scott Strickler\Desktop\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\SYSTEM32\i
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe

Logfile of HijackThis v1.99.1
Scan saved at 3:44:38 PM, on 5/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\Dit.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Notepad.exe
C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144592695466
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144593165966
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NeatReceipts Auto Backup - Digital Business Processes - C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:18:57 PM, 5/4/2006
+ Report-Checksum: EE74949F

+ Scan result:

No infected objects found.

::Report End

Thanks Again, I'm glad we are beating this!

Ried · 05-05-2006, 10:07 AM

Hi Scott,

We certainly are beating this.

Quote:

Below is the ActiveScan results (erase_me and i are both showing up)

Yes, they are, but the 'problem child' is not safely tucked away in the Avenger backups.

I'm not taking any chances here. We're going to use Avenger to take care of that folder:

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:

Folders to delete:

C:\WINDOWS\SYSTEM32\i

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

You know the drill

--disable any active protection with the exception of your AV and Firewall.

Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

---------------------------------

Clear Mozilla Firefox cookies:
Open the Mozilla Browser, (you do not need to be online to do this) Click Tools>Options>Privacy>Cookies>Clear

Clear Internet Explorer Cookies:
Launch Internet Explorer>Tools>Internet Options>Delete Cookies

---------------------------------

Run another online scan at Panda and post the results here along with the avenger.txt

How is your system behaving now?

disco20 · 05-08-2006, 08:17 PM

Ried,

I ran Avenger as asked. The results are below:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\aadcymll

*******************

Script file located at: \??\C:\WINDOWS\System32\ypvufxcy.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\WINDOWS\SYSTEM32\i not found!
Deletion of folder C:\WINDOWS\SYSTEM32\i failed!

Could not process line:
C:\WINDOWS\SYSTEM32\i
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

I then cleaned up my cookies, followed by a Panda Activescan (I had to deleted the program again in order to get it to run). THe results are below:

Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@banner[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@ct.360i[1].txt
Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\scottstrickler@earthlink.net\Cookies\heather strickler@www.affiliatefuel[1].txt
Spyware:Cookie/Pollstar Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\scottstrickler@earthlink.net\Cookies\scott strickler@pollstar[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\p6261fpp.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies-1.txt[.realmedia.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies-1.txt[.apmebf.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Scott Strickler\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Scott Strickler\Desktop\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe

I'll run a Spybot and Adaware scan tonight and it'll hopefuly clear up all of this. My sytem is running about 1 billion times better than when we started. If I need to do anything else please let me know, I really appreciate all the help.

Ried · 05-08-2006, 08:40 PM

Hi Scott,

Other than cookies, this last Panda is finally clean.

Clear Mozilla Firefox cookies:
Open the Mozilla Browser, (you do not need to be online to do this) Click Tools>Options>Privacy>Cookies>Clear

Please refer to this link for information on Privacy Tools in Earthlink, inlcuding deleting cookies.

---------------------------------

If there aren't any more problems, please continue with these final instructions and helpful links.

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Keep my computer up to date"
*Under Settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

More information and free downloads are available at the following links:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items .

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. This is a self-extracting .ZIP file, and save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list, by typing 2
Then return to the main menu.
Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Please respond one more time so we can mark this as resolved.

disco20 · 05-08-2006, 09:24 PM

Ried,
I don't even use Earthlink anymore, how should I get rid of that. Also look out for a PM on the way from me.

Thanks Again,

Scott

Ried · 05-08-2006, 09:31 PM

Hi Scott,

If you're certain you won't need Earthlink again, uninstall it via Add/Remove programs in the Control Panel. Then delete the folder: C:\Program Files\ Earthlink

04-30-2006, 05:46 PM	#23 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,591 OS: WinXP and Vista	Ok Scott, this is what I want you to do. Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't carry out these instructions until you are ready. With that said (when ready): 1. Please download The Avenger to your Desktop. Click on Avenger.zip to open the file Extract avenger.exe to your desktop We'll use this later. Please download SilentRunners.vbs - Right click & choose Save As... SilentRunners.vbs Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts Launch SilentRunners by double-clicking the downloaded file. In the ensuing Window, select 'No' to avoid skipping supplementary searches. Please be patient as the script requires a few minutes to complete. When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs". Post ALL its contents here in your next reply. Download StartDreck Unzip to its own folder and start the program: Press 'Config' Press 'mark all' Uncheck the following boxes only: *System/Running Process* -> List Modules *System/Drivers* -> NT Services *System/Drivers* -> NT Kernel- and FS-drivers Press 'OK' Press 'Save' and select the location to save the log file (default is the same folder as the application) Post that log here --------------------------------------- If you'll notice, the eraseme...file keeps changing on us. Ewido cleans it, and it simply changes names. Navigate to C:\Windows\System32 and look for any file beginning with eraseme_ Write down the full file name that you find and post it here for me along with the Silent Runners and Startdreck logs. Leave your PC on--do NOT reboot or the name will change again. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

05-01-2006, 08:09 AM	#29 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,591 OS: WinXP and Vista	Not if it's in the locations I just listed above. Avast is merely detecting the signature files Panda uses to detect that virus. Anything in System Restore is locked away at the moment. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

05-01-2006, 08:01 PM	#32 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,591 OS: WinXP and Vista	Scott! That Spybot log has proved invaluable. Copy these instructions to Notepad for reference. ************************************** Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. Do NOT run it yet!. Download Brute Force Uninstaller to your desktop. (rightclick on this link and choose save as, if using IE save target as) Right click the BFU folder on your desktop, and choose Extract All Click "Next" In the box to choose where to extract the files to, Click "Browse" Click on the + sign next to "My Computer" Click on "Local Disk (C:) or whatever your primary drive is Click "Make New Folder" Type in BFU Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish". Download qoofix.bat (rightclick on this link and choose save as, if using IE save target as) Place qoofix.bat in your C:\BFU - folder. (Important!) Doubleclick qooFix.bat, Close all browsers and explorer folders. Choose option 1 (Qoolfix autofix) and follow the prompts. Please be patient, it will take about five minutes. As the PC is restarting, boot it into Safe Mode. -------------------------------------------- Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter*. Wait for the tool to complete and disk cleanup to finish. You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes* by typing Y and hit Enter. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter. A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply. ______________________________ Clean out your Temporary Internet files. Run Cleanup! using the following configuration: 1. Click Options... 2. Set the slider to Standard CleanUp! 3. Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Scan local drives for temporary files (not present in version 4.51 4. Click OK 5. Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted. * CleanUp! will not create any backups!! --------------------------------------------------------------------------------------------- Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present: · "Security Info" · "Warning Message" · "Security Desktop" · "Warning Homepage" · "Desktop Uninstall" Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK. ______________________________ Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan. Click on Scanner Click on Settings Under How to scan all boxes should be checked Under Unwanted Software all boxes should be checked Under What to scan select Scan every file Click on Ok Click on Complete System Scan to start the scan process. Let the program scan the machine. If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok. Once the scan has completed, there will be a button located on the bottom of the screen named Save Report. Click Save Report button Save the report to your Desktop Close Ewido and Reboot in Normal Mode. ______________________________ Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #3 - Delete Trusted zone by typing 3 and press Enter Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. ______________________________ Once you reboot...... See if you can get an online scan to complete at Panda and post the results here. Run a new HijackThis scan. Save the log file and post it here. Then post the following logs in your next reply... Panda log Hijackthis log Ewido log C:\rapport.txt (log from the tool) __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

05-08-2006, 08:40 PM	#38 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,591 OS: WinXP and Vista	Hi Scott, Other than cookies, this last Panda is finally clean. Clear Mozilla Firefox cookies: Open the Mozilla Browser, (you do not need to be online to do this) Click Tools>Options>Privacy>Cookies>Clear Please refer to this link for information on Privacy Tools in Earthlink, inlcuding deleting cookies. --------------------------------- If there aren't any more problems, please continue with these final instructions and helpful links. Reset hidden/system files and folders Windows XP =============== Click Start. * Open My Computer. * Select the Tools menu and click Folder Options. * Select the View tab. * Deselect the Show hidden files and folders option. * Select the Hide file extensions for known types option. * Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Enable Windows Auto Update Go to Start>Run* - type wuaucpl.cpl Tick on the checkbox - "Keep my computer up to date" Under *Settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Create a new System Restore point* Click Start >> Run - type SYSDM.CPL & press Enter * Select the System Restore Tab * Tick on the checkbox - "Turn off System Restore on all drives" Click Apply * Then untick the same checkbox & click OK This will prevent any reinfection from previous restore points. In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles: HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Understanding and Using Firewalls Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. More information and free downloads are available at the following links: Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items . Download Spyware Guard to catch and block spyware before it can execute. Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. This is a self-extracting .ZIP file, and save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD) From within the folder, double-click install.bat Select Option #2 - Install the new IE-SPYAD list, by typing 2 Then return to the main menu. Select option #4 - Add the old porn sites domain, by typing 4 Update all these programs regularly. Without regular updates you will not** be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Please respond one more time so we can mark this as resolved. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

05-08-2006, 09:31 PM	#40 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,591 OS: WinXP and Vista	Hi Scott, If you're certain you won't need Earthlink again, uninstall it via Add/Remove programs in the Control Panel. Then delete the folder: C:\Program Files\ Earthlink __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-30-2006, 10:25 AM	#21 (permalink)
disco20 Registered User Join Date: Apr 2006 Posts: 35 OS: XP	Ried, 1.) The Ewido trial has ended, so the ewido Guard realtime protection say n/a now. 2.) Prevx1 does not have a drop-down menu that I could readily find, so I just shutdown the whole program 3.) I ran RapidBlaster Killer and it came up with the message: "No RapidBlaster Porcesses detected. (04-25-2006) 4.) I ran RapidBlaster Killer and it came up with the message: "No RapidBlaster Porcesses detected. (04-29-2006) 5.) I ran Stinger next, but I forgot to turn off Avast and halfway through a warnign poped up that saying a virus had been found at: C:\WINDOWS\SYSTEM32\ActiveScan\pskavs.dll The Malware: Win32:CTX I deleted it and let the scan finish. After the scan was completed no indication that any virus' were present was avaliable. It just said: Number of clean files: 203471 6.) For Pocket Killbox I did the following: - Followed your directions as given down to the "Paste from Clipboard". Here when I tried to Copy and Paste the c:\Windows\System32\winscntrl.exe file it would not copy from the Clipboard, so I pasted it into the "Full Path of File to Delete" Box, but unlike the other two files it was not recognized by a blue name underneath the box. I never recieved a message stating "Click NO at the Pending Operations prompt." and I said no to the immediate reboot. 7.) I then realized I had not started in Safe Mode and restarted in Safe Mode. I retried to run Killbox, but I had to individually put each file in the box, run the program exit it and repeat the steps again. 8.) I cleared all the cookies 9.) I ran a ewido scan. The log is below. --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 10:03:08 AM, 4/30/2006 + Report-Checksum: E0F8A932 + Scan result: C:\WINDOWS\SYSTEM32\eraseme_53055.exe -> Backdoor.SdBot.aoy : Cleaned with backup ::Report End 10.) I was trying to install some Windows updates after restarting and Avast popped this up in the middle of installation: Sign of "Win32:CTX" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\FIFOED\A0039980.DLL" file 11.) I tried to run Panda Scan, but after I would select my computer it would just stop, it would refuse to scan. I went to run a Kapersky scan and it did the same as Panda. I am unsure of what to do now. 12.) Below is another HiJack This log. Logfile of HijackThis v1.99.1 Scan saved at 12:23:50 PM, on 4/30/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\System32\cisvc.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\devldr32.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\DU Meter\DUMeter.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\SCANJET\PrecisionScanLT\hppwrsav.exe C:\WINDOWS\Dit.exe C:\WINDOWS\DitExp.exe C:\WINDOWS\BCMSMMSG.exe C:\WINDOWS\System32\cidaemon.exe C:\WINDOWS\Notepad.exe C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phishhook.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.citcom.net R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file) O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [Dit] Dit.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144592695466 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144593165966 O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{FFC1A313-FDED-4C18-8214-67618808CFA9}: NameServer = 204.116.57.2 206.74.254.2 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: NeatReceipts Auto Backup - Digital Business Processes - C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing) O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

04-30-2006, 11:07 AM	#22 (permalink)
disco20 Registered User Join Date: Apr 2006 Posts: 35 OS: XP	Just to let you know this just popped up: eraseme_70088.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

05-01-2006, 05:53 AM	#26 (permalink)
disco20 Registered User Join Date: Apr 2006 Posts: 35 OS: XP	Ried, My system is running ALOT better. I appreciate your help. I am at work now, so all the scans and such are not completed yet. I do have one concern. Once I restarted after using Avenger (I had to manually restart, but Avenger did shut the computer down). I go another virus warning from Avast, I will post the exact location this evening but it was another Win32.CTX file, any help on ridding my computer of this would be marvelous. Thanks Again.

05-01-2006, 07:51 AM	#28 (permalink)
disco20 Registered User Join Date: Apr 2006 Posts: 35 OS: XP	Ried, Pardon my ignorance, but is the Win32:CTX something to not worry about?

05-01-2006, 06:35 PM	#30 (permalink)
disco20 Registered User Join Date: Apr 2006 Posts: 35 OS: XP	Ried, I cannot get the Panda ActiveScan (never starts after I click on My Computer) or the Kapersky scans to work (Refuses to do anything after I hit accept, but will close the window when I hit decline). Prex1 is off, ZoneAlarm is off, Avast is off. Also do you feel that Avast is the best free Anti-Viral program or should I switch to AVG/ Thanks Again, Scott

05-01-2006, 07:51 PM	#31 (permalink)
disco20 Registered User Join Date: Apr 2006 Posts: 35 OS: XP	Ried, I was running Spybot and I wanted to post my log as not all the files would delete and one looked really suspicious: cnkdsk --- Search result list --- Smitfraud-C.: Autorun settings (pro) (Registry value, fixing failed) HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pro Smitfraud-C.: Autorun settings (pro) (Registry value, fixed) HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pro Smitfraud-C.: User settings (Registry value, fixing failed) HKEY_USERS\.DEFAULT\Software\Install\Version Smitfraud-C.: User settings (Registry value, fixed) HKEY_USERS\S-1-5-18\Software\Install\Version Smitfraud-C.: Autorun settings (Registry value, fixing failed) HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows installer Smitfraud-C.: Autorun settings (Registry value, fixed) HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows installer Web-Nexus: Autorun settings (cnkdsk) (Registry value, fixing failed) HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnkdsk Web-Nexus: Autorun settings (cnkdsk) (Registry value, fixed) HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnkdsk Windows Security Center.SP2Update: Settings (Registry change, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0 Windows Security Center.AntiVirusOverride: Settings (Registry change, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0 Windows Security Center.FirewallOverride: Settings (Registry change, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0 Windows Security Center.FirewallDisableNotify: Settings (Registry change, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0 Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0 Windows Security Center.UpdateDisableNotify: Settings (Registry change, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0 This is not the complete log, I can post that if neccesary (it was too many characters)

05-02-2006, 09:06 PM	#33 (permalink)
disco20 Registered User Join Date: Apr 2006 Posts: 35 OS: XP	Ried, 1.) Ran the BFU with the plugin 2.) Rebooted in Safe Mode 3.) Ran Smitfraud fix. rapport.txt is below: SmitFraudFix v2.37 Scan done at 22:41:37.43, Mon 05/01/2006 Run from C:\Documents and Settings\Scott Strickler\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\uniq Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» End 4.) I manually rebooted back into Safe Mode. 5.) I tried to delete all my Temporary Internet Files but one in this folder - WPQLT8G8 would not, that file was called search[1]. It was located at: C:\Documents and Settings\Scott Strickler\Local Settings\Temp\Temporary Internet Files\Content.IE5\WPQLT8G8 6.) I ran CleanUp! 7.) None of the things were present in the Display>Desktop>Customize Desktop>Web> folder, so I did not change anything. 8.) I actually remembered to Update ewido before starting everything else! So I ran it and the results are below: 9.) Then I ran an ewido scan. Below is the log: --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 6:57:26 AM, 5/2/2006 + Report-Checksum: 8F324E3C + Scan result: No infected objects found. ::Report End 10.) I could not get Panda or Kapersky to work. 11.) I then ran Hijack THis. Log is below. Logfile of HijackThis v1.99.1 Scan saved at 10:51:31 PM, on 5/2/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\System32\cisvc.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\devldr32.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\DU Meter\DUMeter.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\SCANJET\PrecisionScanLT\hppwrsav.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe C:\WINDOWS\Dit.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\WINDOWS\DitExp.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Palm\HOTSYNC.EXE C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe C:\WINDOWS\Notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe C:\Program Files\Alwil Software\Avast4\setup\avast.setup O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file) O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [Dit] Dit.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144592695466 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144593165966 O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: NeatReceipts Auto Backup - Digital Business Processes - C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing) O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe 12.) I'm sorry to be bothersome, but I do have a few questions to enhance my knowledge of all this computer malware stuff: A.) Is Smitfraud-C. gone? B.) Is cnkdsk gone? C.) How can I get Panda or Kapersky to work? D.) Is it OK to downlaod SP2?

05-04-2006, 07:27 PM	#35 (permalink)
disco20 Registered User Join Date: Apr 2006 Posts: 35 OS: XP	Ried, Thanks for the uninstallation advice, it worked! Below is the ActiveScan results (erase_me and i are both showing up). No immediate threats were shown with Spybot and its database has been completly updated. Below that is another HiJack This log. Below that is another Ewido log. Incident Status Location Virus:W32/Sdbot.HEG.worm Disinfected C:\avenger\backup.zip[avenger/eraseme_70088.exe] Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@atwola[1].txt Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@banner[1].txt Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@ct.360i[1].txt Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\scottstrickler@earthlink.net\Cookies\heather strickler@www.affiliatefuel[1].txt Spyware:Cookie/Pollstar Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\scottstrickler@earthlink.net\Cookies\scott strickler@pollstar[2].txt Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\p6261fpp.default\cookies.txt[.toplist.cz/] Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies-1.txt[.realmedia.com/] Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies-1.txt[.apmebf.com/] Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt[.realmedia.com/] Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Scott Strickler\Desktop\SmitfraudFix\Process.exe Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Scott Strickler\Desktop\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/Process.exe] Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\SYSTEM32\i Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe Logfile of HijackThis v1.99.1 Scan saved at 3:44:38 PM, on 5/4/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\System32\cisvc.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\devldr32.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\DU Meter\DUMeter.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\SCANJET\PrecisionScanLT\hppwrsav.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe C:\WINDOWS\Dit.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\WINDOWS\DitExp.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe C:\Palm\HOTSYNC.EXE C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe C:\WINDOWS\System32\cidaemon.exe C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\Notepad.exe C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file) O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [Dit] Dit.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144592695466 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144593165966 O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: NeatReceipts Auto Backup - Digital Business Processes - C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing) O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 9:18:57 PM, 5/4/2006 + Report-Checksum: EE74949F + Scan result: No infected objects found. ::Report End Thanks Again, I'm glad we are beating this!

05-08-2006, 08:17 PM	#37 (permalink)
disco20 Registered User Join Date: Apr 2006 Posts: 35 OS: XP	Ried, I ran Avenger as asked. The results are below: Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\aadcymll ***************** Script file located at: \??\C:\WINDOWS\System32\ypvufxcy.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger *************** Beginning to process script file: Folder C:\WINDOWS\SYSTEM32\i not found! Deletion of folder C:\WINDOWS\SYSTEM32\i failed! Could not process line: C:\WINDOWS\SYSTEM32\i Status: 0xc0000034 Completed script processing. ***************** Finished! Terminate. I then cleaned up my cookies, followed by a Panda Activescan (I had to deleted the program again in order to get it to run). THe results are below: Incident Status Location Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@atwola[1].txt Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@banner[1].txt Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@ct.360i[1].txt Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\scottstrickler@earthlink.net\Cookies\heather strickler@www.affiliatefuel[1].txt Spyware:Cookie/Pollstar Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\scottstrickler@earthlink.net\Cookies\scott strickler@pollstar[2].txt Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\p6261fpp.default\cookies.txt[.toplist.cz/] Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies-1.txt[.realmedia.com/] Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies-1.txt[.apmebf.com/] Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Scott Strickler\Desktop\SmitfraudFix\Process.exe Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Scott Strickler\Desktop\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/Process.exe] Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe I'll run a Spybot and Adaware scan tonight and it'll hopefuly clear up all of this. My sytem is running about 1 billion times better than when we started. If I need to do anything else please let me know, I really appreciate all the help.

05-08-2006, 09:24 PM	#39 (permalink)
disco20 Registered User Join Date: Apr 2006 Posts: 35 OS: XP	Ried, I don't even use Earthlink anymore, how should I get rid of that. Also look out for a PM on the way from me. Thanks Again, Scott