Status
Not open for further replies.
Discussion Starter · #1 ·
This is my DSS log. This malware creates fake security alerts every 30 seconds or so and opens IE windows leading to "your privacy guard", and is truly annoying, although I don't know how large of a security threat it is. It does make it nearly impossible to work on the computer though, and I would greatly appreciate having help removing it.

I did do the 5-step process but was unable to do step #2 with the Panda ActiveScan.

Deckard's System Scanner v20071014.68
Run by mspina on 2007-11-05 19:37:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
28: 2007-11-06 00:38:20 UTC - RP584 - Deckard's System Scanner Restore Point
27: 2007-11-05 21:23:43 UTC - RP583 - Removed Ad-Aware 2007
26: 2007-11-05 03:49:11 UTC - RP582 - Installed Ad-Aware 2007
25: 2007-10-30 21:15:27 UTC - RP581 - System Checkpoint
24: 2007-10-25 22:52:52 UTC - RP580 - System Checkpoint


-- First Restore Point --
1: 2007-08-03 22:59:22 UTC - RP557 - Removed Microsoft Office Converter Pack


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-11-05 19:43:53
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\system32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\BRSVC01A.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\BRSS01A.EXE
C:\WINNT\system32\ZCfgSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\ati2evxx.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\RoamMgr.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINNT\system32\spool\drivers\w32x86\3\E_S0EIC1.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\E_S0EIC1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cscript.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cscript.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cscript.exe
C:\Documents and Settings\mspina\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: MSVPS System - {CFF8726A-9262-441C-8163-C6371E9EDE47} - C:\WINNT\advrepnok.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: The sdrmod - {16A0662E-AC21-4AD9-89E8-7495AC5ACE93} - C:\WINNT\sdrmod.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Configuration Loader] microsoft.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series (Copy 1)] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P38 "EPSON Stylus Photo 820 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [Configuration Loader] microsoft.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [SpyShredder] C:\Program Files\SpyShredder\SpyShredder.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartUI.lnk = C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINNT\system32\nwprovau.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/ac4sbc.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Smart Viewer 7) - http://www.unitedsurgical.com/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O21 - SSODL: bindmod - {176BE3D5-A96E-4CA9-93AF-A893CD4B1870} - C:\WINNT\bindmod.dll
O21 - SSODL: hupsrv - {BF040168-FE46-43BA-948B-B424A895719E} - C:\WINNT\hupsrv.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINNT\system32\BRSVC01A.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\hpzipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\system32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 11749 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 s24trans (WLAN Transport) - c:\winnt\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 IntelRoam (Adapter Switching) - c:\program files\intel\switching\user\roamsvc.exe <Not Verified; Intel Corporation; Intel Intelligent Roaming Technology>
R2 RegSrvc - c:\winnt\system32\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 RoamMgr - c:\winnt\system32\roammgr.exe <Not Verified; Intel Corporation; >
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-11-05 17:34:02 366 --a------ C:\WINNT\Tasks\Symantec NetDetect.job
2007-11-01 20:33:24 284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job
2003-07-28 20:50:20 254 --a------ C:\WINNT\Tasks\ISP signup reminder 3.job
2003-07-28 20:50:20 254 --a------ C:\WINNT\Tasks\ISP signup reminder 2.job
2003-07-28 20:50:19 254 --a------ C:\WINNT\Tasks\ISP signup reminder 1.job


-- Files created between 2007-10-05 and 2007-11-05 -----------------------------

2007-11-05 19:26:32 0 d-------- C:\Program Files\SpywareBlaster
2007-11-05 19:04:21 0 d-------- C:\WINNT\privacy_danger
2007-11-05 19:02:52 0 d-------- C:\WINNT\system32\ActiveScan
2007-11-05 19:02:47 0 d-------- C:\WINNT\LastGood
2007-11-04 22:11:43 115200 --a------ C:\WINNT\wtopmod.exe
2007-11-04 22:11:43 79872 --a------ C:\WINNT\sdrmod.dll <Not Verified; ; sdrmod Module>
2007-11-04 22:11:43 277504 --a------ C:\WINNT\hupsrv.dll
2007-11-04 22:11:43 289792 --a------ C:\WINNT\bindmod.dll
2007-11-04 22:11:43 299008 --a------ C:\WINNT\advrepnok.dll <Not Verified; ; advrepnok>
2007-11-04 22:10:37 0 d-------- C:\Program Files\VideoAccessCodec
2007-11-04 15:55:47 0 d-------- C:\Documents and Settings\mspina\Application Data\EVEMon
2007-11-04 15:47:20 0 d-------- C:\Program Files\EVEMon
2007-10-28 17:03:28 1384 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2007-10-28 15:56:20 0 d-------- C:\Documents and Settings\mspina\Application Data\SecondLife
2007-10-24 21:50:32 0 d-------- C:\Program Files\DivX
2007-10-22 17:33:07 0 d-------- C:\Program Files\iPod
2007-10-21 23:57:30 0 d-------- C:\Documents and Settings\mspina\Application Data\WinRAR
2007-10-19 16:40:52 0 d-------- C:\Program Files\Power Tab Software
2007-10-15 20:10:17 0 d--h----- C:\WINNT\msdownld.tmp
2007-10-15 20:08:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-10-15 19:55:03 0 d-------- C:\Program Files\CCP
2007-10-14 22:12:38 1290 --a------ C:\WINNT\mozver.dat
2007-10-14 21:21:04 0 d-------- C:\Documents and Settings\mspina\Application Data\acccore
2007-10-14 20:52:27 0 d-------- C:\Documents and Settings\mspina\Application Data\Viewpoint
2007-10-14 20:52:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-14 20:52:19 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-10-14 20:52:19 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-14 20:51:52 0 d-------- C:\Program Files\AIM6
2007-10-14 20:50:02 0 d-------- C:\Documents and Settings\mspina\Application Data\Mozilla
2007-10-14 20:43:28 0 d-------- C:\Program Files\ToneLab SoundEditor
2007-10-14 20:07:20 0 d-------- C:\Documents and Settings\mspina\Application Data\Google
2007-10-14 20:06:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-10-14 20:06:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-14 20:06:10 0 d-------- C:\Program Files\Google
2007-10-12 17:52:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Gtek
2007-10-12 17:52:35 0 d-------- C:\Documents and Settings\mspina\Application Data\GTek


-- Find3M Report ---------------------------------------------------------------

2007-11-05 16:28:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-05 16:28:35 0 d-------- C:\Program Files\PC-Doctor for Windows
2007-11-05 16:24:28 0 d-------- C:\Program Files\Common Files
2007-10-31 22:26:01 76576 --a------ C:\Documents and Settings\mspina\Application Data\GDIPFONTCACHEV1.DAT
2007-10-22 19:55:26 0 d-------- C:\Program Files\Apple Software Update
2007-10-22 17:33:21 0 d-------- C:\Program Files\iTunes
2007-10-14 20:52:29 0 d-------- C:\Program Files\Viewpoint
2007-10-14 20:51:56 0 d-------- C:\Program Files\Common Files\AOL
2007-09-26 18:49:06 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-26 18:48:48 0 d-------- C:\Program Files\Symantec
2007-09-24 19:31:24 0 --a------ C:\WINNT\system32\BIPORT
2007-09-19 21:22:38 0 d-------- C:\Documents and Settings\mspina\Application Data\Apple Computer


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CFF8726A-9262-441C-8163-C6371E9EDE47}]
11/03/2007 08:54 AM 299008 --a------ C:\WINNT\advrepnok.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [08/28/2002 06:17 PM C:\WINNT\system32\Ati2mdxx.exe]
"GWMDMMSG"="GWMDMMSG.exe" [03/19/2003 04:39 PM C:\WINNT\GWMDMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02/14/2003 01:37 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [02/14/2003 01:35 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/30/2003 09:00 PM]
"Gateway Ink Monitor"="C:\Program Files\Gateway Utilities\GWInkMonitor.exe" [06/24/2003 09:33 PM]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [10/03/2002 06:50 PM]
"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [08/12/2002 10:33 AM]
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [08/12/2002 11:07 AM]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [09/10/2002 09:26 PM]
"Configuration Loader"="microsoft.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 05:24 AM]
"EPSON Stylus Photo 820 Series"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.exe" [04/10/2002 02:00 AM]
"EPSON Stylus Photo 820 Series (Copy 1)"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.exe" [04/10/2002 02:00 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/22/2004 09:22 AM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [07/24/2002 03:20 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 01:42 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" []
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/14/2007 08:06 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [09/29/2007 03:22 PM]
"Windows update loader"="C:\Windows\xpupdate.exe" []
"SpyShredder"="C:\Program Files\SpyShredder\SpyShredder.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Configuration Loader"=microsoft.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [10/14/2007 8:06:12 PM]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [7/21/2003 5:20:40 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [7/21/2003 5:26:50 AM]
SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [8/12/2002 10:00:40 AM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [1/29/2004 11:49:24 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceActiveDesktopOn"=1 (0x1)
"NoActiveDesktop"=2 (0x2)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bindmod"= {176BE3D5-A96E-4CA9-93AF-A893CD4B1870} - C:\WINNT\bindmod.dll [11/03/2007 08:54 AM 289792]
"hupsrv"= {BF040168-FE46-43BA-948B-B424A895719E} - C:\WINNT\hupsrv.dll [11/03/2007 08:54 AM 277504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINNT\System32\LgNotify.dll 02/28/2003 04:01 PM 110592 C:\WINNT\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-11-05 19:44:52 ------------
 

· TSF-Enthusiast
Apologies for the delay in responding.

The workload on this forum is intense, and sometimes it is not possible to respond to every inquiry.


Please download SmitfraudFix
Save it to the Desktop
Right click the SmitfraudFix.zip
Select: Extract All to extract it to its own folder

Also download SDFix
Also save it to the Desktop
Right click the SDFix.zip
Select: Extract All to extract it to its own folder

~~~~
Start the computer in Safe Mode:
  • When the machine starts again, tap the F8 key before Windows starts
  • You are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Press Enter to boot into Safe Mode.

Open SmitfraudFix
  • Double-click smitfraudfix.cmd
  • Select Option 2 - Clean by typing 2 and pressing Enter (deletes infected files)
  • You are prompted: Do you want to clean the registry? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool also checks if a relevant file, wininet.dll, is infected.
You may be prompted to replace the infected file (if found).
Replace infected file? Answer Y (yes) and hit Enter to restore a clean file.

~~~~
Still in Safe Mode, open the SDFix folder on the Desktop
  • Double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot.
  • Press any key to restart the PC.
  • When the PC restarts, SDFix will run again and complete the removal process.
  • It then displays Finished
  • Press any key to end the script and load the Desktop icons.
  • Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt.

~~~~
Now, download ComboFix
Save it to the Desktop

Double-click combofix.exe to run the program
Follow the prompts.
(Don't click on the window while the program is running; it may cause your system to stall.)

When finished, a log, ComboFix.txt, is produced.

~~~~
Last, run HijackThis once again to obtain a new log.

~~~~
Please post the following in your reply:
The SmitFraudFix report located at C:\rapport.txt
The SDFix Report.txt
The ComboFix.txt
A new HijackThis log