
Registered · 60 Posts · Discussion Starter · #1
The program
Win fork
has registered the executable
C:\DOCUME~1\ALLUSE~1.SIL\APPLIC~\GLUETY~1\bib cash tray.exe
to run at startup.
YES NO

----------------------------------------------------------------
Here's my HijackThis log file. PS: I usually use Firefox 2.0.

Logfile of HijackThis v1.99.1
Scan saved at 15:01:47, on 12/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\all users.silver\Desktop\~D_KrYpTs~ #F1L35#\torrent\utorrent.exe
C:\Documents and Settings\all users.silver\Desktop\Setup Appl\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iqon.ie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,[email protected]
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [chicsaveinterbook] C:\Documents and Settings\All Users\Application Data\64ShimChicSave\bashloud.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/pr...2000_hybrid/module07/aware_player/awswaxf.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{60A1B07B-5116-4755-A6E2-4B352E89E406}: NameServer = 212.139.132.20 212.139.132.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{60A1B07B-5116-4755-A6E2-4B352E89E406}: NameServer = 212.139.132.20 212.139.132.21
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O21 - SSODL: blippers - {f2efa195-4785-4db1-9316-b48c64bb71da} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thank you...
 

TSF Security Manager, Emeritus · 52,197 Posts
Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it.
  • Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A message should pop up from NoLop. If not, double click the program again and it will finish. Please post the contents of C:\NoLop.log along with a fresh HijackThis log.
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program. --

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked.

O4 - HKLM\..\Run: [chicsaveinterbook] C:\Documents and Settings\All Users\Application Data\64ShimChicSave\bashloud.exe
O21 - SSODL: blippers - {f2efa195-4785-4db1-9316-b48c64bb71da} - (no file)

Close HijackThis now.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following if they exist:

C:\Documents and Settings\All Users\Application Data\64ShimChicSave

---------------------------------------------------------------------------------------------

Restart in normal mode.

---------------------------------------------------------------------------------------------

Download fl.zip
Extract the contents to a new folder on your Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.

---------------------------------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

NoLOP - C:\NoLop.log
FindLOP - c:\findlop.txt
SmitfraudFix - C:\rapprt.txt
Panda online scan
HijackThis
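A small triage aid for logs in this HijackThis format, added here as an example; it is not part of the thread and not code from the HijackThis tool. It parses O4 Run entries and O21 SSODL entries and flags two things the helper's fix list above targets: autoruns launched from user-writable data directories (the Application Data and Local Settings\Temp locations where the Lop files in this thread were found, including the 8.3 short-name forms such as APPLIC~1 seen in the StartupMonitor prompt) and SSODL entries with no backing file. The sample log is constructed from entries in the thread plus one hypothetical HKCU line for the "Win fork" entry; the names `triage`, `exe_path`, `Finding` and `SUSPICIOUS_DIRS` are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 line format, modelled on the thread's log:
# the two entries the helper marked for "Fix Checked", some benign neighbours, and one
# hypothetical HKCU line for the "Win fork" StartupMonitor entry (8.3 short path).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [chicsaveinterbook] C:\Documents and Settings\All Users\Application Data\64ShimChicSave\bashloud.exe
O4 - HKCU\..\Run: [Win fork] C:\DOCUME~1\ALLUSE~1.SIL\APPLIC~1\GLUETY~1\bib cash tray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O21 - SSODL: blippers - {f2efa195-4785-4db1-9316-b48c64bb71da} - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Directories a legitimate startup program rarely lives in, but where the Lop files in
# this thread were dropped. Both the long names and the DOS 8.3 short names are listed,
# because HijackThis and StartupMonitor may print either form.
SUSPICIOUS_DIRS = (
    "\\application data\\",
    "\\applic~",
    "\\local settings\\temp\\",
    "\\locals~1\\temp\\",
)

# O4 registry Run entries: "O4 - HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(
    r"^(?P<sect>O4) - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# O21 ShellServiceObjectDelayLoad entries: "O21 - SSODL: name - {CLSID} - file"
SSODL_RE = re.compile(
    r"^(?P<sect>O21) - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$"
)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    name: str      # Run value name or SSODL name
    target: str    # executable path or CLSID
    reason: str    # why it was flagged


def exe_path(cmd: str) -> str:
    """Return the executable path from a Run command line (quotes and arguments dropped)."""
    m = re.match(r'"?(.+?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage(log_text: str) -> list:
    """Scan HijackThis lines and return findings worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            path = exe_path(m["cmd"])
            if any(d in path.lower() for d in SUSPICIOUS_DIRS):
                findings.append(Finding("O4", m["name"], path,
                                        "autorun from a user-writable data directory"))
            continue
        m = SSODL_RE.match(line)
        if m and m["file"].strip() == "(no file)":
            findings.append(Finding("O21", m["name"], m["clsid"],
                                    "ShellServiceObjectDelayLoad entry with no backing file"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] {f.target} -- {f.reason}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The location rule is a heuristic: a few legitimate updaters do start from Application Data, so a hit is a prompt to look up the file, not a verdict; the SSODL "(no file)" rule is safer, since a delay-load entry whose file is gone does nothing but leave a trace of the uninstalled or removed component.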
 

Registered · 60 Posts · Discussion Starter · #3
No Lop Report

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\all users.silver\Desktop
[14/01/2007]
[12:53:02]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\A2D370689184E8A4.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Adobe
C:\Documents and Settings\Administrator\Application Data\Apple Computer
C:\Documents and Settings\Administrator\Application Data\Cyberlink
C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Sampleview -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\64shimchicsave
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Cyberlink
C:\Documents and Settings\All Users\Application Data\Faxctr
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Microsoft Help
C:\Documents and Settings\All Users\Application Data\Spieleentwicklungskombinat
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users.silver\Application Data\Adobe
C:\Documents and Settings\All Users.silver\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\All Users.silver\Application Data\Apple Computer
C:\Documents and Settings\All Users.silver\Application Data\Bitroll
C:\Documents and Settings\All Users.silver\Application Data\Cyberlink
C:\Documents and Settings\All Users.silver\Application Data\Deepburner
C:\Documents and Settings\All Users.silver\Application Data\Faxctr
C:\Documents and Settings\All Users.silver\Application Data\Gluetypeview
C:\Documents and Settings\All Users.silver\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\All Users.silver\Application Data\Identities
C:\Documents and Settings\All Users.silver\Application Data\Jasc Software Inc
C:\Documents and Settings\All Users.silver\Application Data\Lavasoft
C:\Documents and Settings\All Users.silver\Application Data\Limewire
C:\Documents and Settings\All Users.silver\Application Data\Macromedia
C:\Documents and Settings\All Users.silver\Application Data\Microsoft
C:\Documents and Settings\All Users.silver\Application Data\Mozilla
C:\Documents and Settings\All Users.silver\Application Data\Sampleview -- EMPTY Directory
C:\Documents and Settings\All Users.silver\Application Data\Spieleentwicklungskombinat
C:\Documents and Settings\All Users.silver\Application Data\Sun
C:\Documents and Settings\All Users.silver\Application Data\Template
C:\Documents and Settings\All Users.silver\Application Data\Utorrent
C:\Documents and Settings\Default User\Application Data\Adobe
C:\Documents and Settings\Default User\Application Data\Apple Computer
C:\Documents and Settings\Default User\Application Data\Cyberlink
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Sampleview -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft


Further reports will be posted later.
 

Registered · 60 Posts · Discussion Starter · #4
Fresh hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 13:08:35, on 14/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\all users.silver\Desktop\~D_KrYpTs~ #F1L35#\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iqon.ie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,[email protected]
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [chicsaveinterbook] C:\Documents and Settings\All Users\Application Data\64ShimChicSave\bashloud.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/pr...2000_hybrid/module07/aware_player/awswaxf.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{60A1B07B-5116-4755-A6E2-4B352E89E406}: NameServer = 212.139.132.20 212.139.132.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{60A1B07B-5116-4755-A6E2-4B352E89E406}: NameServer = 212.139.132.20 212.139.132.21
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O21 - SSODL: blippers - {f2efa195-4785-4db1-9316-b48c64bb71da} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

Registered · 60 Posts · Discussion Starter · #6
Find Lop report
Also tried SmitfraudFix, but it says it's not a valid Win32 application.

Volume in drive C is Partition_1
Volume Serial Number is 30EF-9CEF

Directory of C:\Documents and Settings\Administrator\Application Data

09/09/2006 11:59 <DIR> Adobe
09/09/2006 11:59 <DIR> Apple Computer
09/09/2006 11:59 <DIR> CyberLink
09/09/2006 11:59 <DIR> Identities
09/09/2006 12:00 <DIR> SampleView
0 File(s) 0 bytes
5 Dir(s) 125,309,755,392 bytes free
Volume in drive C is Partition_1
Volume Serial Number is 30EF-9CEF

Directory of C:\Documents and Settings\All Users\Application Data

09/09/2006 12:00 <DIR> Adobe
09/09/2006 12:00 <DIR> Apple Computer
09/09/2006 12:00 <DIR> CyberLink
10/10/2006 03:12 <DIR> FaxCtr
10/10/2006 20:54 <DIR> Microsoft Help
11/10/2006 17:59 <DIR> SpieleEntwicklungsKombinat
12/01/2007 17:54 <DIR> Spybot - Search & Destroy
11/01/2007 12:34 <DIR> Windows Genuine Advantage
0 File(s) 0 bytes
8 Dir(s) 125,309,751,296 bytes free
Volume in drive C is Partition_1
Volume Serial Number is 30EF-9CEF

Directory of C:\Documents and Settings\Default User\Application Data

20/09/2006 19:03 <DIR> .
20/09/2006 19:03 <DIR> ..
04/02/2006 07:00 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 125,309,751,296 bytes free
Volume in drive C is Partition_1
Volume Serial Number is 30EF-9CEF

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C is Partition_1
Volume Serial Number is 30EF-9CEF

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
 

Registered · 60 Posts · Discussion Starter · #8
Panda ActiveScan, 29 objects. Sorry about the layout. Plus I'll run an Ad-Aware SE scan and see how many objects it picks up, and then remove them, hopefully all 29.


Incident Status Location

Adware:Adware/Lop Not disinfected C:\Documents and Settings\all users.silver\Application Data\GlueTypeView\bib cash tray.exe
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.overture.com/]
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.adviva.net/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.adtech.de/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\all users.silver\Cookies\all [email protected][2].txt
Adware:Adware/Comet Not disinfected C:\Documents and Settings\all users.silver\Desktop\~D_KrYpTs~ #F1L35#\screen saver\sinstaller1.exe
Adware:Adware/Comet Not disinfected C:\Documents and Settings\all users.silver\Desktop\~D_KrYpTs~ #F1L35#\screen saver\sinstaller2.exe
Adware:Adware/Comet Not disinfected C:\Documents and Settings\all users.silver\Desktop\~D_KrYpTs~ #F1L35#\screen saver\sinstaller3.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\all users.silver\Local Settings\Temp\bis6.exe



Here is the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 17:55:36, on 16/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\thomson\SpeedTouch USB\stdialup.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\all users.silver\Desktop\~D_KrYpTs~ #F1L35#\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iqon.ie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,[email protected]
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/pr...2000_hybrid/module07/aware_player/awswaxf.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{60A1B07B-5116-4755-A6E2-4B352E89E406}: NameServer = 212.139.132.20 212.139.132.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{60A1B07B-5116-4755-A6E2-4B352E89E406}: NameServer = 212.139.132.20 212.139.132.21
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

The main thing I noticed was the bib cash tray.exe. What do you think?
 

TSF Security Manager, Emeritus
Yes, that's part of the LOP infection. It wasn't in your HJT log or running processes, so I needed to confirm its presence. Let's get after it.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"



  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs_edits/xp_whichcpu.exe

---------------------------------------------------------------------------------------------

Clear your Firefox cookies. From the open browser, go to Tools>Options>Privacy>Cookies>Clear

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

---------------------------------------------------------------------------------------------


Delete the following files/folders if they exist:

C:\Documents and Settings\All Users\Application Data\64shimchicsave
C:\Documents and Settings\all users.silver\Application Data\GlueTypeView
C:\Documents and Settings\all users.silver\Desktop\~D_KrYpTs~ #F1L35#\screen saver\sinstaller3.exe
C:\Documents and Settings\all users.silver\Local Settings\Temp\bis6.exe


---------------------------------------------------------------------------------------------


Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with logs from:

AVG Anti-Spyware
HJT


Regarding SmitfraudFix......when you ran the executable, what happened? Did it do anything, or just give you that error message? Is there a SmitfraudFix folder on the desktop now as well as the exe file?

It's possible that the download was corrupted. Delete both the exe file, and the smitfraudfix folder, and try again.
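As an added defender-side example, not code from this thread or from HijackThis: a small parser for the HJT log format that repeats the cross-check made in the reply above (is the executable StartupMonitor reported present among the running processes or the O4 autostarts?) and flags autostarts launched from profile data or temp folders. The sample log and its "example" entry are constructed; the folder heuristic is this example's own, not an HJT feature.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis 1.99.1 format (style of the log above; "example" is made up).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\all users.silver\Desktop\Setup Appl\HijackThis.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [example] C:\DOCUME~1\ALLUSE~1\APPLIC~1\EXAMPL~1\example tray.exe
"""
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def parse_hjt(text):
    """Split a HijackThis log into the running-process list and the O4 autostart entries."""
    procs, o4, in_procs = [], [], False
    for line in (ln.strip() for ln in text.splitlines()):
        m = O4_RE.match(line)
        if m:
            o4.append((m["hive"], m["name"], m["cmd"]))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
        else:
            in_procs = False  # a blank line or another section ends the process list
    return {"processes": procs, "o4": o4}

def exe_name(command):
    """Lower-cased basename of the program in an O4 command, arguments dropped."""
    cmd = command.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]
    else:  # unquoted 8.3 or long paths may still contain spaces, so cut after ".exe"
        m = re.match(r"(?i)(.*?\.exe)", cmd)
        cmd = m.group(1) if m else cmd
    return PureWindowsPath(cmd).name.lower()

def mentions_executable(parsed, name):
    """True if NAME is a running process or an O4 autostart: the cross-check made in the reply."""
    name = name.lower()
    return (any(PureWindowsPath(p).name.lower() == name for p in parsed["processes"])
            or any(exe_name(cmd) == name for _, _, cmd in parsed["o4"]))

def flag_autostarts(parsed):
    """Heuristic (this example's, not HJT's): O4 entries launched from a profile data/temp folder."""
    dirs = ("application data", "applic~", r"local settings\temp")
    return [name for _, name, cmd in parsed["o4"] if any(d in cmd.lower() for d in dirs)]
```

Run against the thread's own log, the same check returns False for bib cash tray.exe, which is why the reply relied on the StartupMonitor prompt instead of the HJT log.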
 