I am 16. I'm inexperienced... help?


0Luna0 (Thread Starter) | Joined: Oct 25, 2007 | Messages: 8
Alright, so a couple of days ago I downloaded something I shouldn't have; right after I did, my computer went crazy!!!! I tried using my Norton 360, and it removed two Trojan horses, two tracking cookies, and some Bloodhound virus thing, and I think that's it. My computer is still slow, pop-ups from the system tray say I have spyware.....

I tried downloading Ad-Aware, Spybot and HijackThis; I put my computer in safe mode, ran both Ad-Aware and then Spybot, and they took some stuff out. I'm not sure what the hell, or how to use HijackThis, and then I took it out of safe mode. The problems continue!! I also downloaded Spyware Doctor (free version) and it helps to block some stuff; it ran a scan that says I have 4 threats and 60 infections on my computer :( I'm scared... and pissed...


The infection things are the following:

- Trojan.Popuper (34 infections)

- Trojan.PsGuard_Desktop_Hijacker (16 infections)

- Trojan-Downloader.Ruins (3 infections)

- Adware.WinFixer (7 infections)


I kind of understand what these things are. Spyware Doctor explains the hidden details and what these problems are. I don't have the full Spyware Doctor, only the things I've said: the Ad-Aware thing, Spybot, HijackThis, and Norton 360.. I'm going crazy. I just bought this HP laptop for $88, very cheap, but functional, and I love it. I use Microsoft Windows XP Home Edition. I'm lost and confused, obviously inexperienced; I don't want to give up to some computer problem, I want to learn from my mistakes and hopefully keep my computer clean.

........now......who can help me????
...DUDE, COME ON!!!!!!

I'm new to this site, but please, if you need more info to help me, contact me or reply to this or something; I would greatly appreciate your help, thanks!
 

0Luna0 (Thread Starter) | Joined: Oct 25, 2007 | Messages: 8
I've been noticing hella people put their HijackThis logs up, so here is mine..

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:16:53 PM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Documents and Settings\Javier\My Documents\New Folder\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1191469982443
O17 - HKLM\System\CCS\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: bokard - {ab75cc7d-2751-4144-a278-5462d5a5884c} - C:\WINDOWS\system32\dfrep.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7868 bytes
 
Joined: Oct 3, 2007 | Messages: 1,164
Howdy 0Luna0,

Welcome to TSG. Those who start extra request threads for the same issue are actually less likely to get any quick responses, as they involve extra clean-up steps. And I reckon I should add - threads with "expressive" language in the thread title have an equally poor chance of response. Having said that, your log does show a Zlob infection and some changes SpyBot made with that, along with a rogue, ineffective piece of software, so we need to get some cleaning underway. For starters you need to be rid of SpywareBot, which is only a cloned, renamed, mass-produced package that uses aggressive sales promotions, does ineffective scans, then mandates purchase before removing anything. You should be able to uninstall this through Add/Remove Programs.

Once you have done that, please download FixWareout from here.

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin, just follow the prompts. If your firewall sends an alert, please don't let your firewall block it, allow it (this tool will download an additional file from the internet). You will need to be online while running this repair.

Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load, this is normal.

On reboot you will get notified about possible difficulties making a connection after the fix is run. If you do have net access difficulties, double-click the registry file dnsbak.reg located in the Fixwareout folder on the root of the drive Windows is installed on (normally C:\ as suggested), but do not do this step if you do not have access problems.

------------------------------------

Once your desktop fully loads, Download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-----------------------------------

Also Download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually the C drive), and launch from there.

NOTE: Please do not run any other options from SmitfraudFix until we discuss the results.

Then post the contents of the logfile C:\fixwareout\report.txt along with a new HijackThis log, the combofix.txt log and the rapport.txt log please.
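The reading of the HijackThis log above (the SpywareBot Run entry, the "Video Add-on" BHO and toolbar whose files are missing, the odd SharedTaskScheduler entry) is the kind of triage a responder repeats on every log, and it can be scripted. The Python below is an added example for this thread; it is not code from TSG, from the helper, or from HijackThis, FixWareout, ComboFix or SmitfraudFix. It parses a few lines copied from the log posted above and flags them. Its watchlist of Run-entry names (only SpywareBot, the program the helper calls rogue) and its list of the two stock Windows O22 names are this example's own assumptions, not facts stated in the thread.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Sample input: lines copied verbatim from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll (file missing)
O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: bokard - {ab75cc7d-2751-4144-a278-5462d5a5884c} - C:\WINDOWS\system32\dfrep.dll
"""

# Assumption of this example: Run-entry names worth flagging. The helper in the
# thread names SpywareBot as rogue software; nothing else is on the list.
WATCHLIST_RUN_NAMES = {"spywarebot"}

# Assumption of this example: the two SharedTaskScheduler (O22) entries a stock
# Windows XP install carries. Any other O22 name is reported for a closer look.
STOCK_O22_NAMES = {"browseui preloader", "component categories cache daemon"}

SECTION_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
COM_RE = re.compile(
    r"^(?P<kind>[^:]+): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Entry:
    section: str            # "O2", "O4", "O22", ...
    name: str               # Run value name, BHO/toolbar name, O22 name
    path: str               # file the entry points at (arguments stripped for O4)
    clsid: str = ""         # CLSID for COM-style entries; empty for O4
    file_missing: bool = False


def parse_line(line: str):
    """Return an Entry for an O4 or O2/O3/O22-style line, or None if not recognised."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4":
        r = RUN_RE.match(body)
        if not r:
            return None
        cmd = r.group("cmd")
        if cmd.startswith('"'):
            path = cmd[1:cmd.index('"', 1)]          # quoted path: take what is inside
        else:
            i = cmd.lower().find(".exe")             # unquoted: cut after the executable
            path = cmd[: i + 4] if i >= 0 else cmd
        return Entry(section, r.group("name"), path)
    c = COM_RE.match(body)
    if not c:
        return None
    return Entry(section, c.group("name"), c.group("path"), c.group("clsid"),
                 c.group("missing") is not None)


def triage(log_text: str, watchlist=WATCHLIST_RUN_NAMES, stock_o22=STOCK_O22_NAMES):
    """Scan a HijackThis log; return (section, name, reason) tuples in log order."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e.file_missing:
            findings.append((e.section, e.name, f"orphaned entry, file missing: {e.path}"))
        if e.section == "O4" and e.name.lower() in watchlist:
            findings.append((e.section, e.name, f"Run entry for watchlisted program: {e.path}"))
        if e.section == "O22" and e.name.lower() not in stock_o22:
            findings.append((e.section, e.name, f"non-stock SharedTaskScheduler entry: {e.path}"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section:<4} {name:<18} {reason}")
```

Run as-is it prints four findings: the two Video Add-on entries whose DLLs are gone, the SpywareBot Run entry, and the "bokard" O22 entry in system32. "Non-stock" is a prompt to look, not a verdict; a responder still checks the file and its signer before deciding anything, which is exactly why the helper asks for fresh logs after each tool runs.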
 

0Luna0 (Thread Starter) | Joined: Oct 25, 2007 | Messages: 8
Hi,

Thanks for the response, and I apologize for that. I did as told, except I did not find SpywareBot in Add/Remove Programs; I thought I had already uninstalled that, but Fixwareout says it's still running?? I see it in HijackThis too; can I fix it from there?
Here are the logs, in the order requested:

From Fixwareout:

Username "Javier" - 10/29/2007 12:20:47 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdodl.exe"
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Lexmark X1100 Series"="\"C:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""
"SDTray"="\"C:\\Program Files\\Spyware Doctor\\SDTrayApp.exe\""
"SpywareBot"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

From HijackThis:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:42:12 PM, on 10/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Javier\My Documents\New Folder\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1191469982443
O17 - HKLM\System\CCS\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7419 bytes

From combofix.txt:

ComboFix 07-10-29.1 - Javier 2007-10-29 12:50:13.2 - NTFSx86
Running from: C:\Documents and Settings\Javier\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-29 )))))))))))))))))))))))))))))))
.

2007-10-27 23:52 798 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-27 23:51 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-27 23:51 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-27 23:51 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-27 23:51 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-27 23:51 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-27 23:13 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 20:49 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-10-22 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-22 19:22 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-22 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-22 19:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-10-22 18:44 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-22 18:44 <DIR> d-------- C:\Documents and Settings\Javier\Application Data\PC Tools
2007-10-22 18:44 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-22 18:44 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-22 18:44 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-22 18:44 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-10-22 18:43 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-22 17:05 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-17 18:52 <DIR> d-------- C:\Program Files\CCleaner
2007-10-17 18:42 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-10-17 18:31 <DIR> d-------- C:\Program Files\Google
2007-10-09 16:54 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-07 20:13 <DIR> d-------- C:\N360_BACKUP
2007-10-07 19:45 <DIR> d-------- C:\Program Files\ABBYY FineReader 6.0
2007-10-07 19:45 <DIR> d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2007-10-07 19:42 983,101 --a------ C:\WINDOWS\system32\LXBKGF.DLL
2007-10-07 19:42 352,256 --a------ C:\WINDOWS\system32\LXBKUTIL.DLL
2007-10-07 19:42 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-10-07 19:42 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-10-07 19:42 69,632 --a------ C:\WINDOWS\system32\lxbkscin.dll
2007-10-07 19:42 57,344 --a------ C:\WINDOWS\system32\lxbkcinf.dll
2007-10-07 19:42 49,152 --a------ C:\WINDOWS\system32\lxbkcoin.dll
2007-10-07 19:42 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-10-07 19:42 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-10-07 19:41 <DIR> d-------- C:\Program Files\Lexmark X1100 Series
2007-10-07 19:41 454,656 --a------ C:\WINDOWS\system32\LXBKJSWR.DLL
2007-10-07 19:41 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-10-07 19:41 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-10-07 19:40 <DIR> d-------- C:\Documents and Settings\Javier\WINDOWS
2007-10-07 19:40 299,520 --a------ C:\WINDOWS\uninst.exe
2007-10-05 13:06 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-10-04 19:33 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-04 15:46 <DIR> d-------- C:\Documents and Settings\Javier\Application Data\Symantec
2007-10-04 15:04 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-10-04 15:04 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-10-04 15:04 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-10-04 14:23 <DIR> d-------- C:\Documents and Settings\Javier\Application Data\Yahoo!
2007-10-04 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-10-04 14:14 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-10-04 14:14 <DIR> d-------- C:\Program Files\Yahoo!
2007-10-04 14:05 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-04 14:05 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-04 14:05 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-04 14:05 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-04 14:05 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-04 14:05 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-04 14:05 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-04 14:04 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-10-03 23:21 <DIR> d-------- C:\WINDOWS\peernet
2007-10-03 23:20 <DIR> d-------- C:\WINDOWS\provisioning
2007-10-03 23:05 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-03 22:46 <DIR> d-------- C:\WINDOWS\EHome
2007-10-03 22:32 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2007-10-03 22:32 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-10-03 22:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-03 21:16 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-10-03 21:16 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-10-03 21:16 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-10-03 21:16 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-10-03 20:56 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2007-10-03 20:52 <DIR> d--hs---- C:\Documents and Settings\Javier\UserData
2007-10-03 15:22 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2007-10-03 15:21 <DIR> d-------- C:\WINDOWS\system32\bits
2007-10-03 15:21 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-03 15:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-03 07:10 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-10-03 07:10 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-10-03 07:09 382,592 --a------ C:\WINDOWS\system32\atidrab.dll
2007-10-03 07:09 289,664 --a------ C:\WINDOWS\system32\drivers\atimpab.sys
2007-10-03 07:09 37,376 --a------ C:\WINDOWS\system32\atievxx.exe
2007-10-03 07:09 14,080 --a------ C:\WINDOWS\system32\drivers\cmbatt.sys
2007-10-03 07:09 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys
2007-10-03 07:09 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2007-10-03 07:08 701,386 --a------ C:\WINDOWS\system32\drivers\WDHAALBA.sys
2007-10-03 07:08 174,464 --a------ C:\WINDOWS\system32\drivers\es198x.sys
2007-10-03 07:08 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-10-03 07:08 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-10-03 07:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-10-03 07:08 55,999 --a------ C:\WINDOWS\system32\drivers\EL556ND5.sys
2007-10-03 07:08 42,368 --a------ C:\WINDOWS\system32\drivers\agp440.sys
2007-10-03 07:08 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-10-03 07:06 <DIR> dr------- C:\Program Files
2007-10-03 07:05 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2007-10-03 07:04 <DIR> d-------- C:\Documents and Settings

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 19:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-28 05:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-23 04:26 --------- d-----w C:\Program Files\Norton 360
2007-10-05 02:41 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-05 02:41 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-05 02:41 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-05 02:41 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-05 02:41 --------- d-----w C:\Program Files\Symantec
2007-10-03 21:20 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 21:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 21:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 21:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 21:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 21:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 21:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 21:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-31 02:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
.

((((((((((((((((((((((((((((( [email protected]_23.25.50.69 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-20 13:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-26 16:51:17 136,192 ----a-w C:\WINDOWS\catchme.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}"= C:\Program Files\Video Add-on\ictmdl.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 03:43]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-20 10:59]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdodl.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys
R3 maestro;ESS Maestro 3 Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198x.sys
R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;C:\WINDOWS\system32\DRIVERS\WDHAALBA.sys

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-29 12:58:47
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-29 13:04:51
C:\ComboFix2.txt ... 2007-10-27 23:28
.
--- E O F ---



From SmitfraudFix.exe:



SmitFraudFix v2.242

Scan done at 13:11:43.46, Mon 10/29/2007
Run from C:\Documents and Settings\Javier\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Javier


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Javier\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Javier\FAVORI~1

C:\DOCUME~1\Javier\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdodl.exe"

kdodl.exe detected !


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: 3Com 10/100 Mini PCI Ethernet Adapter
DNS Server Search Order: 208.67.220.220
DNS Server Search Order: 208.67.222.222

HKLM\SYSTEM\CCS\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C61CCA55-C864-43B1-9E9C-A20D8B27C54D}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C61CCA55-C864-43B1-9E9C-A20D8B27C54D}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C61CCA55-C864-43B1-9E9C-A20D8B27C54D}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
Joined Oct 3, 2007 | Messages 1,164
Good. You may already see some improvement, with fewer IE redirects now.


Disable Spyware Doctor, as it may interfere with repairs. Please be sure this is disabled when doing any of the steps here.

1. Open Spyware Doctor
2. Click on the 'Settings' button on the left hand panel
3. Then click on the 'Startup Settings' under 'Pick a Category'
4. Uncheck the box on the right that says 'Run at Windows Startup'


Please do the following steps in the following order (as they apply) to disable SpyBot's TeaTimer, as this will interfere with repairs.


Right click on the SpyBot Resident icon in the Taskbar (looks like a lock), and click Exit SpyBot-S&D Resident. Next:

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer (important).
You can re-enable TeaTimer once your system is clean (when all repairs are made).

---------------------------

Go here and download the free version of SUPERAntiSpyware and install it.

After installation, accept any prompts to allow SUPERAntiSpyware to install the latest infection definition files. Next, follow the prompts to complete the installation. For now, uncheck the option to have SUPERAntiSpyware "Automatically check for program and definition updates". Providing an email address and allowing the software to send diagnostic reports to its research center are up to you. Do NOT allow SUPERAntiSpyware to Protect your Home Page settings.

Once the installation is complete open SUPERAntiSpyware and press the Preferences button. Under the General and Startup tab, uncheck the following (leaving all other settings as is).

Start-up Options:
*Start SUPERAntiSpyware when Windows starts

Automatic Updates:
*Check for program updates when the application starts.
Start-up Scanning:
*Check for updates before scanning on startup.

Then select Close. Don't scan just yet though.


Also go here and download ATF Cleaner. Click on the downloaded file to run it, select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.

===============================================

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).

Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process. If it does, restart back into Safe Mode to complete the next step.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

-----------------------

Still in Safe Mode, open SUPERAntiSpyware and click the Scan your Computer button. You may need to start SUPERAntiSpyware, then right-click the Taskbar icon (the little bug-shaped icon) and select "Scan for Spyware, Adware, Malware..." to access the scan panel. Making sure that Fixed Drive (NTFS) is checked (typically the C drive), check "Perform Complete Scan", then click Next. SUPERAntiSpyware will now complete a system scan.


SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found. Make sure that they all have a check next to them and click Next. If prompted, allow the reboot (or manually reboot at this time), and after the reboot open SUPERAntiSpyware again (double-click the bug-shaped Taskbar icon).

Click Preferences, then under the Statistics/Logs tab, click to select the most recent Scan Log, then click View Log. Save the log to your desktop, and copy/paste the text from the log back here.

=========================

Run a new ComboFix scan, and post that back here along with a new HijackThis log, the rapport.txt log and the SUPERAntiSpyware log please.
 

0Luna0 (Thread Starter) | Joined Oct 25, 2007 | Messages 8
OK, so I just uninstalled Spyware Doctor instead and then continued your instructions. Here are the logs requested:



From ComboFix:



ComboFix 07-10-29.1 - Javier 2007-10-30 17:10:18.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.280 [GMT -7:00]
Running from: C:\Documents and Settings\Javier\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-31 )))))))))))))))))))))))))))))))
.

2007-10-30 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-30 15:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-30 15:06 <DIR> d-------- C:\Documents and Settings\Javier\Application Data\SUPERAntiSpyware.com
2007-10-27 23:52 798 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-27 23:51 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-27 23:51 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-27 23:51 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-27 23:51 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-27 23:51 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-27 23:13 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 20:49 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-10-22 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-22 19:22 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-22 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-22 19:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-10-22 18:43 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-22 17:05 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-17 18:52 <DIR> d-------- C:\Program Files\CCleaner
2007-10-17 18:42 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-10-17 18:31 <DIR> d-------- C:\Program Files\Google
2007-10-09 16:54 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-07 20:13 <DIR> d-------- C:\N360_BACKUP
2007-10-07 19:45 <DIR> d-------- C:\Program Files\ABBYY FineReader 6.0
2007-10-07 19:45 <DIR> d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2007-10-07 19:42 983,101 --a------ C:\WINDOWS\system32\LXBKGF.DLL
2007-10-07 19:42 352,256 --a------ C:\WINDOWS\system32\LXBKUTIL.DLL
2007-10-07 19:42 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-10-07 19:42 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-10-07 19:42 69,632 --a------ C:\WINDOWS\system32\lxbkscin.dll
2007-10-07 19:42 57,344 --a------ C:\WINDOWS\system32\lxbkcinf.dll
2007-10-07 19:42 49,152 --a------ C:\WINDOWS\system32\lxbkcoin.dll
2007-10-07 19:42 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-10-07 19:42 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-10-07 19:41 <DIR> d-------- C:\Program Files\Lexmark X1100 Series
2007-10-07 19:41 454,656 --a------ C:\WINDOWS\system32\LXBKJSWR.DLL
2007-10-07 19:41 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-10-07 19:41 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-10-07 19:40 <DIR> d-------- C:\Documents and Settings\Javier\WINDOWS
2007-10-07 19:40 299,520 --a------ C:\WINDOWS\uninst.exe
2007-10-05 13:06 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-10-04 19:33 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-04 15:46 <DIR> d-------- C:\Documents and Settings\Javier\Application Data\Symantec
2007-10-04 15:04 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-10-04 15:04 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-10-04 15:04 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-10-04 14:23 <DIR> d-------- C:\Documents and Settings\Javier\Application Data\Yahoo!
2007-10-04 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-10-04 14:14 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-10-04 14:14 <DIR> d-------- C:\Program Files\Yahoo!
2007-10-04 14:05 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-04 14:05 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-04 14:05 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-04 14:05 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-04 14:05 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-04 14:05 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-04 14:05 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-04 14:04 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-10-03 23:21 <DIR> d-------- C:\WINDOWS\peernet
2007-10-03 23:20 <DIR> d-------- C:\WINDOWS\provisioning
2007-10-03 23:05 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-03 22:46 <DIR> d-------- C:\WINDOWS\EHome
2007-10-03 22:32 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2007-10-03 22:32 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-10-03 22:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-03 21:16 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-10-03 21:16 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-10-03 21:16 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-10-03 21:16 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-10-03 20:56 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2007-10-03 20:52 <DIR> d--hs---- C:\Documents and Settings\Javier\UserData
2007-10-03 15:22 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2007-10-03 15:21 <DIR> d-------- C:\WINDOWS\system32\bits
2007-10-03 15:21 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-03 15:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-03 07:10 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-10-03 07:10 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-10-03 07:09 382,592 --a------ C:\WINDOWS\system32\atidrab.dll
2007-10-03 07:09 289,664 --a------ C:\WINDOWS\system32\drivers\atimpab.sys
2007-10-03 07:09 37,376 --a------ C:\WINDOWS\system32\atievxx.exe
2007-10-03 07:09 14,080 --a------ C:\WINDOWS\system32\drivers\cmbatt.sys
2007-10-03 07:09 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys
2007-10-03 07:09 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2007-10-03 07:08 701,386 --a------ C:\WINDOWS\system32\drivers\WDHAALBA.sys
2007-10-03 07:08 174,464 --a------ C:\WINDOWS\system32\drivers\es198x.sys
2007-10-03 07:08 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-10-03 07:08 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-10-03 07:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-10-03 07:08 55,999 --a------ C:\WINDOWS\system32\drivers\EL556ND5.sys
2007-10-03 07:08 42,368 --a------ C:\WINDOWS\system32\drivers\agp440.sys
2007-10-03 07:08 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-10-03 07:06 <DIR> dr------- C:\Program Files
2007-10-03 07:05 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2007-09-18 14:43 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 14:43 278,576 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-18 14:43 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-30 22:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-30 21:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-23 04:26 --------- d-----w C:\Program Files\Norton 360
2007-10-05 02:41 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-05 02:41 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-05 02:41 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-05 02:41 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-05 02:41 --------- d-----w C:\Program Files\Symantec
2007-10-03 21:20 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 21:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 21:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 21:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 21:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-31 02:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-17 19:21 186,256 ----a-w C:\WINDOWS\system32\SymNPPWA.dll
2007-07-09 13:16 582,656 ----a-w C:\WINDOWS\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( [email protected]_23.25.50.69 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-20 13:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-26 16:51:17 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-30 22:07:05 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-10-30 22:07:05 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-10-30 22:07:05 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 03:43]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-20 10:59]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys
R3 maestro;ESS Maestro 3 Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198x.sys
R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;C:\WINDOWS\system32\DRIVERS\WDHAALBA.sys

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 17:13:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-30 17:15:03
C:\ComboFix2.txt ... 2007-10-29 13:04
C:\ComboFix3.txt ... 2007-10-27 23:28
.
--- E O F ---



From HijackThis:



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:34:44 PM, on 10/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Javier\My Documents\New Folder\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1191469982443
O17 - HKLM\System\CCS\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6097 bytes



From rapport.txt:



SmitFraudFix v2.242

Scan done at 15:44:56.23, Tue 10/30/2007
Run from C:\Documents and Settings\Javier\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\Javier\FAVORI~1\Online Security Test.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C61CCA55-C864-43B1-9E9C-A20D8B27C54D}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C61CCA55-C864-43B1-9E9C-A20D8B27C54D}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{07B653FC-6034-4476-B105-66B25565ABC0}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C61CCA55-C864-43B1-9E9C-A20D8B27C54D}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdodl.exe"

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\kdodl.exe Deleted

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» End



From SUPERAntiSpyware:



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/30/2007 at 04:56 PM

Application Version : 3.9.1008

Core Rules Database Version : 3333
Trace Rules Database Version: 1334

Scan type : Complete Scan
Total Scan Time : 01:01:25

Memory items scanned : 167
Memory threats detected : 0
Registry items scanned : 3458
Registry threats detected : 3
File items scanned : 27346
File threats detected : 5

Unclassified.SpywareBot (Not A Threat)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#spywarebot [ C:\Program Files\SpywareBot\SpywareBot.exe -boot ]

Malware.VirusRanger
HKLM\Software\VirusRanger
HKLM\Software\VirusRanger#aid

Browser Hijacker.Favorites
C:\N360_BACKUP\DRIVE_C\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\ONLINE SECURITY GUIDE.URL
C:\N360_BACKUP\DRIVE_C\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\SECURITY TROUBLESHOOTING.URL
C:\N360_BACKUP\DRIVE_C\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\ONLINE SECURITY GUIDE.URL
C:\N360_BACKUP\DRIVE_C\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\SECURITY TROUBLESHOOTING.URL
C:\N360_BACKUP\DRIVE_C\DOCUMENTS AND SETTINGS\JAVIER\FAVORITES\ONLINE SECURITY TEST.URL
 
Joined
Oct 3, 2007
Messages
1,164
Good, and it removed the hidden DNS Changer file as well.


Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"


Then go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.

To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)" and post that log back here please.
 

0Luna0

Thread Starter
Joined
Oct 25, 2007
Messages
8
Okay,

Here is the Scan:



Tuesday, October 30, 2007 11:41:25 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/10/2007
Kaspersky Anti-Virus database records: 449097


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 34928
Number of viruses found 10
Number of infected objects 15
Number of suspicious objects 0
Duration of the scan process 01:18:59

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\68AB57F4.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped

C:\Documents and Settings\Javier\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Javier\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Javier\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Javier\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Javier\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\Javier\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Javier\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Javier\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Javier\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Javier\Local Settings\History\History.IE5\MSHist012007103020071031\index.dat Object is locked skipped

C:\Documents and Settings\Javier\Local Settings\Temp\~DF1E5B.tmp Object is locked skipped

C:\Documents and Settings\Javier\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Javier\Local Settings\Temporary Internet Files\Content.IE5\8BSIOS0Q\ad[3].htm Object is locked skipped

C:\Documents and Settings\Javier\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Javier\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Javier\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6Y7CV5UL\index[1].htm Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAD.dat Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWADMT.dat Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.dat Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.ldb Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped

C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped

C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped

C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped

C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped

C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped

C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped

C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped

C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped

C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped

C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped

C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped

C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped

C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped

C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped

C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped

C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped

C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped

C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{8D6C9219-3E3B-4A01-BC17-C7AC21512408}\RP130\A0025818.dll Infected: Trojan-Downloader.Win32.Zlob.dsu skipped

C:\System Volume Information\_restore{8D6C9219-3E3B-4A01-BC17-C7AC21512408}\RP130\A0025819.exe Infected: Trojan-Downloader.Win32.Zlob.dsx skipped

C:\System Volume Information\_restore{8D6C9219-3E3B-4A01-BC17-C7AC21512408}\RP131\A0025824.exe Infected: Trojan-Downloader.Win32.Zlob.dsw skipped

C:\System Volume Information\_restore{8D6C9219-3E3B-4A01-BC17-C7AC21512408}\RP132\A0025832.exe Infected: not-a-virus:FraudTool.Win32.SpywareBot.c skipped

C:\System Volume Information\_restore{8D6C9219-3E3B-4A01-BC17-C7AC21512408}\RP133\A0025944.exe Infected: Trojan-Downloader.Win32.Zlob.dss skipped

C:\System Volume Information\_restore{8D6C9219-3E3B-4A01-BC17-C7AC21512408}\RP133\A0025945.dll Infected: Trojan-Downloader.Win32.Zlob.dsv skipped

C:\System Volume Information\_restore{8D6C9219-3E3B-4A01-BC17-C7AC21512408}\RP133\A0025946.dll Infected: Trojan-Downloader.Win32.Zlob.dsu skipped

C:\System Volume Information\_restore{8D6C9219-3E3B-4A01-BC17-C7AC21512408}\RP133\A0025947.exe Infected: Trojan-Downloader.Win32.Zlob.dsx skipped

C:\System Volume Information\_restore{8D6C9219-3E3B-4A01-BC17-C7AC21512408}\RP133\A0025948.exe Infected: Trojan-Downloader.Win32.Zlob.dsn skipped

C:\System Volume Information\_restore{8D6C9219-3E3B-4A01-BC17-C7AC21512408}\RP133\A0025952.exe Infected: not-a-virus:FraudTool.Win32.AntiVirGear.f skipped

C:\System Volume Information\_restore{8D6C9219-3E3B-4A01-BC17-C7AC21512408}\RP134\A0028068.dll Infected: Trojan-Downloader.Win32.Bojo.n skipped

C:\System Volume Information\_restore{8D6C9219-3E3B-4A01-BC17-C7AC21512408}\RP137\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\TEMP\JET6539.tmp Object is locked skipped

C:\WINDOWS\TEMP\JET6633.tmp Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Joined
Oct 3, 2007
Messages
1,164
Looks good - normally locked system functions, our tools and some infection held harmless in System Restore (unless a restore is done at least). One suspect item in the IE temp files, so be sure to close IE and run ATF Cleaner. Before we do some final cleaning up are there any issues at this time?
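The triage in that reply (locked system files, our own tools, copies parked in System Restore, one suspect browser cache item), as an added example that is not part of the thread: a small Python classifier for Kaspersky Online Scanner result lines of the form shown above. The bucket names, the TOOL_DIRS list and the sample lines (one constructed path marked PLACEHOLDER) are my assumptions, not anything from the thread or from Kaspersky.

```python
import re
from typing import Optional

# One Kaspersky Online Scanner result line: "<path> <status> <last action>".
# Paths contain spaces, so the known status phrases anchor the split.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<status>Object is locked|Infected: \S+|RarSFX: infected - \d+) "
    r"(?P<action>\w+)$"
)

# Assumed: folders of the removal tools used in this thread; their own
# components (Reboot.exe inside SmitfraudFix) trip RiskTool signatures.
TOOL_DIRS = ("\\smitfraudfix", "\\combofix")
RESTORE_DIR = "\\system volume information\\_restore"
BROWSER_CACHE = "\\temporary internet files\\"

# Constructed sample in the layout of the log posted above; the last path is a
# placeholder standing in for a live detection, not a file from the thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Javier\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Javier\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{8D6C9219-3E3B-4A01-BC17-C7AC21512408}\RP130\A0025818.dll Infected: Trojan-Downloader.Win32.Zlob.dsu skipped
C:\Documents and Settings\Javier\Local Settings\Temporary Internet Files\Content.IE5\8BSIOS0Q\ad[3].htm Object is locked skipped
C:\WINDOWS\system32\PLACEHOLDER_live_hit.dll Infected: Trojan-Downloader.Win32.Zlob.dsu skipped
Scan process completed.
"""


def triage(line: str) -> Optional[tuple]:
    """Classify one result line; returns (bucket, path) or None for non-result lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, status = m.group("path"), m.group("status")
    low = path.lower()
    if status.startswith("Object is locked"):
        if BROWSER_CACHE in low:
            return ("cache", path)   # locked browser cache item: clear caches and rescan
        return ("locked", path)      # hives, AV logs, event logs in use: normal
    if RESTORE_DIR in low:
        return ("restore", path)     # inert unless restored; purged with the restore points
    if any(d in low for d in TOOL_DIRS):
        return ("tool", path)        # our own removal tool flagged as not-a-virus/RiskTool
    return ("active", path)          # anything else is a live detection to investigate


def summarize(log_text: str) -> dict:
    """Group every result line of a scan log by triage bucket."""
    groups: dict = {}
    for line in log_text.splitlines():
        hit = triage(line)
        if hit:
            groups.setdefault(hit[0], []).append(hit[1])
    return groups


if __name__ == "__main__":
    for bucket, paths in summarize(SAMPLE_LOG).items():
        print(bucket, len(paths))
```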
 

0Luna0

Thread Starter
Joined
Oct 25, 2007
Messages
8
Ok, it's done. The computer seems fine now, it's running a lot faster than before.
So where it said 10 viruses found and 15 infected, are those things old? haha I'm sorry,
I don't know what the hell I'm saying >_<
 
Joined
Oct 3, 2007
Messages
1,164
Like I mentioned, tools we used (misidentified as infection) and System Restore items, which you will be clearing out now. Good that things are going well there.


You can delete the SmitFraudFix folder and any of that tool's files. Also to have ComboFix do a self-cleanup go to Start - Run, type the following (and Enter):

ComboFix /u

This will remove its files/folders and restore some settings it changed.

Then just need to reset the Restore Points. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.

In addition, I like to recommend reviewing the information Here to make sure you stay malware free.
 

0Luna0

Thread Starter
Joined
Oct 25, 2007
Messages
8
Alright, thanks a lot for the help Jintan :)
I really appreciate it!!!
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
117,432
I've edited the title of your thread. Please be mindful of your language. :)
 