Torpig

This is a discussion on Torpig within the Inactive Malware Help Topics forums, part of the Tech Support Forum category.

Old 01-21-2007, 08:08 PM   #1
Guest
Join Date: Jan 2007
Posts: 4

Torpig is actually just one of many I've come across today. I had a couple of keyloggers, a good few trojans and the evil Spy Sheriff.

I would greatly appreciate some help on this, I think I've been awake just a little bit too long now waiting for scans to finish!


Logfile of HijackThis v1.99.1
Scan saved at 03:00:32, on 22/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\Documents and Settings\LFT1\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https://proxy.staffs.ifl.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.16.*.*;10.129.60.*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\RunServices: [HP License service] C:\WINDOWS\hplicense.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://update.microsoft.com/windowsu...?1124285860640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9106AD8-14A5-44C9-9AE3-E96BDB2BD04F}: NameServer = 171.62.220.216,194.238.48.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
AmyC is offline  
Old 01-21-2007, 09:45 PM   #2
Ried
TSF Security Manager, Emeritus
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit

Hello AmyC and welcome to TSF,

Well... the steps you've taken so far have left us with nothing to see in this log, so we're going to have to dig, which means more scans.

Let's see where we are:

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

Please download SmitfraudFix (by S!Ri) to your Desktop.

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

-------------------------------------

Close any open browsers.

-------------------------------------


Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Post the ComboFix.txt in your next reply.

--------------------------------------------------------------------

Double-click smitfraudfix.exe to start the tool.
  • Select option #1 - Search by typing 1 and press "Enter"
  • A text file will appear which lists infected files (if present).
  • Please copy/paste the content of that report into your next reply.
IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 01-22-2007, 04:51 AM   #3
Guest
Join Date: Jan 2007
Posts: 4

Thank you for the super fast reply.

Combofix log


"LFT1" - 07-01-22 11:23:21 Service Pack 2
ComboFix 07-01-21 - Running from: "C:\Documents and Settings\LFT1\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-22 to 2007-01-22 ))))))))))))))))))))))))))))))))))


2007-01-22 11:20 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-22 11:20 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-01-22 11:20 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-22 11:20 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-01-22 11:20 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-01-22 11:20 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-01-22 02:29 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-01-22 00:58 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-01-22 00:18 <DIR> d-------- C:\Program Files\CCleaner
2007-01-21 23:55 <DIR> d-------- C:\WINDOWS\pss
2007-01-21 21:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-21 20:49 <DIR> d--h----- C:\WINDOWS\PIF
2007-01-21 19:41 4,066 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-21 18:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\McAfee
2007-01-21 17:55 <DIR> d-------- C:\Program Files\Security Task Manager
2007-01-21 17:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SecTaskMan
2007-01-21 14:50 <DIR> d-------- C:\Program Files\softwa~1
2007-01-21 14:50 <DIR> d-------- C:\Program Files\AltPayments
2007-01-21 13:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Quark
2007-01-21 13:41 <DIR> d-------- C:\Program Files\Quark
2007-01-21 13:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\InstallShield
2007-01-21 13:00 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
2007-01-21 13:00 <DIR> d-------- C:\WINDOWS\system32\Adobe
2007-01-10 03:36 <DIR> d-------- C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021
2007-01-10 03:35 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2007-01-10 03:35 <DIR> d-------- C:\Program Files\Ipswitch
2007-01-10 03:35 <DIR> d-------- C:\DOCUME~1\LFT1\Application Data\Ipswitch
2007-01-10 03:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Ipswitch
2006-12-30 03:25 <DIR> d-------- C:\DOCUME~1\LFT1\Application Data\Talkback
2006-12-30 03:10 107,132 --a------ C:\WINDOWS\UninstallFirefox.exe
2006-12-30 01:38 <DIR> d-------- C:\Program Files\Grisoft(2)
2006-12-30 01:38 <DIR> d-------- C:\DOCUME~1\LFT1\Application Data\AVG7
2006-12-30 01:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft(2)
2006-12-30 01:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\avg7(2)


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-22 11:01 -------- d-------- C:\Program Files\mozilla firefox
2007-01-22 10:44 -------- d-------- C:\Program Files\sophos sweep for nt
2007-01-22 00:28 -------- d-------- C:\Program Files\azureus
2007-01-21 21:59 -------- d-------- C:\Program Files\smart board software
2007-01-21 21:58 -------- d-------- C:\Program Files\launch manager
2007-01-21 21:02 -------- d-------- C:\DOCUME~1\LFT1\Application Data\adobe
2007-01-21 14:50 0 --a------ C:\DOCUME~1\LFT1\Application Data\amguid.dat
2007-01-21 13:29 -------- d-------- C:\Program Files\Common Files\installshield
2007-01-21 13:21 -------- d-------- C:\Program Files\corel
2007-01-21 13:21 -------- d-------- C:\Program Files\Common Files\corel
2007-01-21 13:07 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-21 12:14 -------- d--h----- C:\Program Files\installshield installation information
2007-01-20 16:02 3766 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-01-20 16:02 -------- d-------- C:\DOCUME~1\LFT1\Application Data\corel
2006-12-30 12:12 -------- d-------- C:\Program Files\google
2006-12-30 03:23 -------- d-------- C:\Program Files\neopets
2006-12-30 03:23 -------- d-------- C:\DOCUME~1\LFT1\Application Data\neopets toolbar
2006-12-30 02:45 -------- d-------- C:\Program Files\firstclass
2006-12-30 02:43 -------- d---s---- C:\DOCUME~1\LFT1\Application Data\microsoft
2006-12-30 01:26 -------- d-------- C:\DOCUME~1\LFT1\Application Data\azureus
2006-12-29 10:44 -------- d-------- C:\Program Files\opera
2006-12-24 05:37 88 -r-hs---- C:\WINDOWS\system32\bf601be19b.sys
2006-12-19 03:18 -------- d-------- C:\Program Files\myspace
2006-12-18 09:49 -------- d-------- C:\DOCUME~1\LFT1\Application Data\adobeum
2006-12-11 18:59 -------- d-------- C:\DOCUME~1\LFT1\Application Data\myspace


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"AGRSMMSG"="AGRSMMSG.exe"
"LManager"="C:\\PROGRA~1\\LAUNCH~1\\LManager.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"EPM-DM"="c:\\acer\\epm\\epm-dm.exe"
"ePowerManagement"="C:\\Acer\\ePM\\ePM.exe boot"
"NDPS"="C:\\WINDOWS\\system32\\dpmw32.exe"
"NWTRAY"="NWTRAY.EXE"
"adiras"="adiras.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Snapfire\\Corel Photo Downloader.exe"
"Adobe Version Cue CS2"="\"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\ControlPanel\\VersionCueCS2Tray.exe\""
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\Distillr\\Acrotray.exe\""
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"SunServer"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\Consumer\\sunserver.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"HP License service"="C:\\WINDOWS\\hplicense.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=dword:00000001

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0


Completion time: 07-01-22 11:26:53
AmyC is offline  
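The HijackThis log in the first post and the ComboFix listing above are the raw material a helper reads by hand. As an added example (not part of this thread, nor of HijackThis or ComboFix), the script below runs a first triage pass over sample lines copied from those two logs, flagging the entry shapes a helper typically looks at first: run-key items with no directory path, services marked "Unknown owner" or "(file missing)", an explicit browser proxy, and hidden+system files in system32.

```python
"""First triage pass over HijackThis and ComboFix "Find3M" log lines.
Added example: not part of this thread, HijackThis or ComboFix."""
import re

# HijackThis line shapes handled below (O4 = run keys, O23 = services, R1 = IE settings).
O4_RE = re.compile(r'^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
R1_PROXY_RE = re.compile(r'^R1 - HKCU\\.*ProxyServer = (?P<proxy>\S+)$')
# ComboFix listing: "date time size attrs path", e.g.
#   2007-01-20 16:02 3766 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
FIND3M_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+|-+|<DIR>)\s+(?P<attr>[-a-z]{9})\s+(?P<path>.+)$')


def triage_hijackthis(lines):
    """Return (line, reason) pairs for HijackThis entries worth a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            # A bare file name is resolved through the search path at logon,
            # so the log alone does not tell you which file actually runs.
            if '\\' not in m.group('cmd'):
                findings.append((line, 'run entry has no directory path'))
            continue
        m = O23_RE.match(line)
        if m:
            # Either condition also fits an uninstall that left its service
            # registration behind, so verify before removing anything.
            if m.group('owner') == 'Unknown owner':
                findings.append((line, 'service binary carries no vendor information'))
            if '(file missing)' in m.group('path'):
                findings.append((line, 'service registered but its binary is absent'))
            continue
        m = R1_PROXY_RE.match(line)
        if m:
            # All browser traffic goes through this host; confirm it is the
            # proxy the network really uses (here a school network proxy).
            findings.append((line, f'explicit proxy configured: {m.group("proxy")}'))
    return findings


def triage_combofix(lines):
    """Flag files in system32 that are both hidden and system-flagged."""
    findings = []
    for raw in lines:
        m = FIND3M_RE.match(raw.strip())
        if not m:
            continue
        attr, path = m.group('attr'), m.group('path')
        in_system32 = path.lower().startswith('c:\\windows\\system32\\')
        # Directories (d...) are skipped; compare any hit against a known-good
        # Windows install before acting on it.
        if not attr.startswith('d') and 'h' in attr and 's' in attr and in_system32:
            findings.append((path, f'hidden+system file in system32 (attrs {attr})'))
    return findings


# Sample input: lines copied from the two logs posted in this thread.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https://proxy.staffs.ifl.net:8080
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\RunServices: [HP License service] C:\WINDOWS\hplicense.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
""".strip().splitlines()

SAMPLE_COMBOFIX = r"""
2007-01-22 11:01 -------- d-------- C:\Program Files\mozilla firefox
2007-01-21 14:50 0 --a------ C:\DOCUME~1\LFT1\Application Data\amguid.dat
2007-01-20 16:02 3766 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-01-21 20:49 <DIR> d--h----- C:\WINDOWS\PIF
2006-12-24 05:37 88 -r-hs---- C:\WINDOWS\system32\bf601be19b.sys
""".strip().splitlines()

if __name__ == '__main__':
    for item, reason in triage_hijackthis(SAMPLE_HJT) + triage_combofix(SAMPLE_COMBOFIX):
        print(f'[{reason}] {item}')
```

A flag means "review this entry", not "this is malware": the legitimate Adobe Version Cue service in the posted log trips the same two rules as the unknown MsaSvc entry, which is exactly why helpers ask for more scans before telling anyone to delete anything.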
Old 01-22-2007, 04:52 AM   #4
Guest
Join Date: Jan 2007
Posts: 4

Smitfraud log

SmitFraudFix v2.133

Scan done at 11:33:04.51, 22/01/2007
Run from C:\Documents and Settings\LFT1\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\LFT1


C:\Documents and Settings\LFT1\Application Data


Start Menu


C:\DOCUME~1\LFT1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End
AmyC is offline  
Old 01-22-2007, 06:38 AM   #5
Ried
TSF Security Manager, Emeritus
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit

Hi Amyc,

Are you still experiencing any symptoms? What steps had you taken to clean the infections?

We'll need to run additional tools to clean the system and search for remnants.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

******************************************************

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

--------------------------------------------------------------------

Download and install CleanUp! but do not run it yet. (Not Recommended for XP64).

--------------------------------------------------------------------

Disable CounterSpy as it may interfere with the fixes below:
  • Right-click the running icon of CounterSpy in the system tray.
  • With your mouse, hover over Active Protection Status (This should be enabled). A menu will slide out and then you need to right click on "Disable Active Protection".
--------------------------------------------------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

--------------------------------------------------------------------

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted. **Please ensure it is set to Quarantine, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

--------------------------------------------------------------------

Reboot into Normal Mode.

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

AVG Anti-Spyware results
Panda results
New HijackThis log
Ried is offline  
Old 01-29-2007, 10:16 AM   #6
Guest
Join Date: Jan 2007
Posts: 4

I am so sorry.

I was literally just about to post my clean up log when my internet cut out. No internet for a week *shudder*

I will post it when I've ploughed through my million emails!
AmyC is offline  