1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: HJT - Clean?

Discussion in 'Virus & Other Malware Removal' started by jrdavid68, Jul 18, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. jrdavid68

    jrdavid68 Thread Starter

    Joined:
    Jun 17, 2004
    Messages:
    112
    Here's a HJT log from one of the PC's in my wife's office that was having some issues. Does it look clean? Thanks.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:22:50 PM, on 7/18/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\atmclk.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    Thanks again,
     
  2. happyrck

    happyrck

    Joined:
    Feb 17, 2006
    Messages:
    3,202
    I'm pretty sure you have a smitfraud infection there...wait on the log pros
     
  3. happyrck

    happyrck

    Joined:
    Feb 17, 2006
    Messages:
    3,202
    it also doesn't look like you have a firewall...
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,048
    That is not a complete log. Please copy and paste the entire log.
     
  5. jrdavid68

    jrdavid68 Thread Starter

    Joined:
    Jun 17, 2004
    Messages:
    112
    Just had the wife run HJT again and email me the log. Here it is:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:45:05 AM, on 7/19/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\atmclk.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    Thanks.
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,048
    It doesn't make sense that there would be nothing else so let's take a look at a WinpFind log.

    Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don’t do anything with it yet!


    Click here for info on how to boot to safe mode if you don't already know how.


    Reboot into Safe Mode.


    Double click WinPFind.exe
    • Click "Start Scan"
    • It will scan the entire System, so please be patient and let it complete.


    Reboot back to Normal Mode!


    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Copy and paste WinPFind.txt in your next post here please.
     
  7. jrdavid68

    jrdavid68 Thread Starter

    Joined:
    Jun 17, 2004
    Messages:
    112
    Thanks again for the help. Here's the WinPFind.txt info:

    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
    Internet Explorer Version: 6.0.2900.2180

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...

    Checking %System% folder...
    PEC2 8/12/2004 6:18:34 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
    PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
    aspack 7/6/2006 6:21:46 PM 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
    UPX! 12/16/2005 3:49:46 PM 59492 C:\WINDOWS\SYSTEM32\mzoeut.dll
    aspack 8/12/2004 6:25:08 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
    Umonitor 8/12/2004 6:26:58 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
    UPX! 10/28/2003 4:04:20 PM 724952 C:\WINDOWS\SYSTEM32\sg20.ocx
    UPX! 10/28/2003 4:04:28 PM 733656 C:\WINDOWS\SYSTEM32\sg20o.ocx
    UPX! 10/28/2003 4:04:36 PM 731608 C:\WINDOWS\SYSTEM32\sg20ou.ocx
    UPX! 10/28/2003 4:04:32 PM 722904 C:\WINDOWS\SYSTEM32\sg20u.ocx
    winsync 8/12/2004 6:32:46 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
    PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

    Checking %System%\Drivers folder and sub-folders...

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    7/19/2006 11:50:08 AM S 2048 C:\WINDOWS\bootstat.dat
    7/19/2006 9:57:54 AM H 0 C:\WINDOWS\LastGood\INF\oem14.inf
    7/19/2006 9:57:54 AM H 0 C:\WINDOWS\LastGood\INF\oem14.PNF
    5/29/2006 9:16:00 AM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
    6/1/2006 1:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
    6/19/2006 4:20:58 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
    7/19/2006 11:50:00 AM H 8192 C:\WINDOWS\system32\config\default.LOG
    7/19/2006 11:50:26 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
    7/19/2006 11:50:08 AM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
    7/19/2006 11:50:28 AM H 81920 C:\WINDOWS\system32\config\software.LOG
    7/19/2006 11:50:14 AM H 868352 C:\WINDOWS\system32\config\system.LOG
    7/12/2006 5:00:32 AM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
    7/12/2006 5:06:32 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\bfb61d8f-7146-4cb8-ab08-7a2ed46e7af3
    7/12/2006 5:06:32 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
    7/19/2006 11:49:06 AM H 6 C:\WINDOWS\Tasks\SA.DAT

    Checking for CPL files...
    Microsoft Corporation 8/12/2004 6:17:16 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
    Microsoft Corporation 8/12/2004 6:17:22 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
    Microsoft Corporation 8/12/2004 6:17:34 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
    Microsoft Corporation 8/12/2004 6:18:34 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 8/12/2004 6:19:12 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
    Microsoft Corporation 8/12/2004 6:19:32 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Intel Corporation 10/14/2005 2:49:18 PM 77824 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
    Microsoft Corporation 8/12/2004 6:20:02 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 8/12/2004 6:20:08 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 8/12/2004 6:20:18 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
    Microsoft Corporation 8/12/2004 6:20:24 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
    Sun Microsystems, Inc. 11/10/2005 2:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
    Microsoft Corporation 8/12/2004 6:21:22 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
    Microsoft Corporation 8/12/2004 6:22:12 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 8/12/2004 6:24:06 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
    Microsoft Corporation 8/12/2004 6:24:40 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
    Microsoft Corporation 8/12/2004 6:25:20 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    Microsoft Corporation 8/12/2004 6:25:22 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
    Microsoft Corporation 8/12/2004 6:25:36 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Microsoft Corporation 8/12/2004 6:26:26 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
    Microsoft Corporation 8/12/2004 6:30:28 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 8/12/2004 6:30:52 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
    Microsoft Corporation 8/12/2004 6:30:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
    Microsoft Corporation 8/12/2004 6:34:42 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
    Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
    Microsoft Corporation 8/12/2004 6:17:16 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
    Microsoft Corporation 8/12/2004 6:17:22 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
    Microsoft Corporation 8/12/2004 6:18:34 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
    Microsoft Corporation 8/12/2004 6:19:12 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
    Microsoft Corporation 8/12/2004 6:19:32 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
    Microsoft Corporation 8/12/2004 6:20:02 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
    Microsoft Corporation 8/12/2004 6:20:08 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
    Microsoft Corporation 8/12/2004 6:20:24 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
    Microsoft Corporation 8/12/2004 6:21:22 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
    Microsoft Corporation 8/12/2004 6:22:12 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
    Microsoft Corporation 8/12/2004 6:24:06 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
    Microsoft Corporation 8/12/2004 6:24:40 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
    Microsoft Corporation 8/12/2004 6:25:20 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
    Microsoft Corporation 8/12/2004 6:25:22 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
    Microsoft Corporation 8/12/2004 6:25:36 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
    Microsoft Corporation 8/12/2004 6:26:26 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
    Microsoft Corporation 8/12/2004 6:27:44 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
    Microsoft Corporation 8/12/2004 6:30:28 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
    Microsoft Corporation 8/12/2004 6:30:52 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
    Microsoft Corporation 8/12/2004 6:30:58 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
    Microsoft Corporation 8/12/2004 6:34:42 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
    Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
    Intel Corporation 10/14/2005 2:49:18 PM 77824 C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\igfxcpl.cpl
    Intel Corporation 1/23/2005 10:33:44 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0016\DriverFiles\igfxcpl.cpl

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    12/18/2004 9:44:52 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    12/18/2004 1:32:14 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

    Checking files in %USERPROFILE%\Startup folder...
    12/18/2004 9:44:52 PM HS 84 C:\Documents and Settings\User03\Start Menu\Programs\Startup\desktop.ini

    Checking files in %USERPROFILE%\Application Data folder...
    12/18/2004 1:32:14 PM HS 62 C:\Documents and Settings\User03\Application Data\desktop.ini

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    SV1 =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\VirusScan
    {cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\VirusScan
    {cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\VirusScan
    {cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\system32\shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\system32\shdocvw.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL Installed = 1
    MAPI Installed = 1
    MSFS Installed = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
    wininet.dll regperf.exe
    dcomcfg.exe dcomcfg.exe
    kernel32.dll C:\WINDOWS\system32\atmclk.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
    {17492023-C23A-453E-A040-C7C580BBF700} 1

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun 145


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    Shell = Explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
    = WgaLogon.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 7/19/2006 11:56:39 AM
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,048
    That is one very small log and there's nothing disabled. Alright, here we go then.

    Please download SmitfraudFix (by S!Ri)

    Extract (unzip) the content (a folder named SmitfraudFix) to your Desktop. This is imperative for the tool to function properly. If using a utility such as winzip you will have to direct it there as it will not unzip to the desktop by default. The desination location should look like this (C: being your primary drive): C:\Documents and Settings\User\Desktop\SmitfraudFix

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  9. jrdavid68

    jrdavid68 Thread Starter

    Joined:
    Jun 17, 2004
    Messages:
    112
    Thanks Cookiegal,

    Here's that report:

    SmitFraudFix v2.74

    Scan done at 16:48:59.00, Wed 07/19/2006
    Run from C:\Documents and Settings\User03\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\mzoeut.dll FOUND !
    C:\WINDOWS\system32\ot.ico FOUND !
    C:\WINDOWS\system32\simpole.tlb FOUND !
    C:\WINDOWS\system32\stdole3.tlb FOUND !
    C:\WINDOWS\system32\ts.ico FOUND !
    C:\WINDOWS\system32\1024\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User03\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\User03\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "cholecyst"="{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,048
    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.
     
  11. jrdavid68

    jrdavid68 Thread Starter

    Joined:
    Jun 17, 2004
    Messages:
    112
    Cookie - sorry for the delay. Here are the reports:

    HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:30:48 AM, on 7/21/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Network Associates\VirusScan\shstat.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

    rapport.txt:
    SmitFraudFix v2.74

    Scan done at 16:48:59.00, Wed 07/19/2006
    Run from C:\Documents and Settings\User03\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\mzoeut.dll FOUND !
    C:\WINDOWS\system32\ot.ico FOUND !
    C:\WINDOWS\system32\simpole.tlb FOUND !
    C:\WINDOWS\system32\stdole3.tlb FOUND !
    C:\WINDOWS\system32\ts.ico FOUND !
    C:\WINDOWS\system32\1024\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User03\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\User03\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "cholecyst"="{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,048
    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.
     
  13. jrdavid68

    jrdavid68 Thread Starter

    Joined:
    Jun 17, 2004
    Messages:
    112
    Cookiegal - Sorry, I guess I was in a hurry Friday and posted the wrong rapport.txt file:

    Here is the correct one:

    SmitFraudFix v2.74

    Scan done at 13:32:18.54, Thu 07/20/2006
    Run from C:\Documents and Settings\User03\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "cholecyst"="{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\mzoeut.dll Deleted
    C:\WINDOWS\system32\ot.ico Deleted
    C:\WINDOWS\system32\simpole.tlb Deleted
    C:\WINDOWS\system32\stdole3.tlb Deleted
    C:\WINDOWS\system32\ts.ico Deleted
    C:\WINDOWS\system32\1024\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,048
    Download the trial version of Ewido Anti-spyware from HERE and save that file to your desktop. When the trial period expires it becomes freeware with reduced functions but still worth keeping.



    • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need run Ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine"
    • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

    Close Ewido Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.


    • Reboot your computer into Safe Mode now. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
      IMPORTANT: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
    • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • Ewido will now begin the scanning process. Be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close Ewido and reboot your system back into Normal Mode.


    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Come back here and post a new HijackThis log along with the logs from the Ewido and Panda scans.
     
  15. jrdavid68

    jrdavid68 Thread Starter

    Joined:
    Jun 17, 2004
    Messages:
    112
    Cookiegal - thanks again for everything. Below are the logs the wife sent me - she forgot to include a fresh hjt log. I will try to get that.

    Activescan.txt:

    Incident Status Location

    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-343066eb-3e32e060.zip[BlackBox.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-343066eb-3e32e060.zip[VB.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-343066eb-3e32e060.zip[Dummy.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-343066eb-3e32e060.zip[Beyond.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3de836bf-77f501da.zip[BlackBox.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3de836bf-77f501da.zip[VB.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3de836bf-77f501da.zip[Dummy.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3de836bf-77f501da.zip[Beyond.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-440ad255-45dab52b.zip[Mein.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-440ad255-45dab52b.zip[ProbeLoader.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-440ad255-45dab52b.zip[Dummy.class]
    Virus:Trojan Horse Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-440ad255-45dab52b.zip[Beyond.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-68ef3462-66203218.zip[Mein.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-68ef3462-66203218.zip[ProbeLoader.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-68ef3462-66203218.zip[Dummy.class]
    Virus:Trojan Horse Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-68ef3462-66203218.zip[Beyond.class]
    Virus:Trj/Shinwow.D Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-68ef3462-66203218.zip[binny/binny.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-784eb7c7-41958799.zip[Mein.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-784eb7c7-41958799.zip[ProbeLoader.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-784eb7c7-41958799.zip[Dummy.class]
    Virus:Trojan Horse Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-784eb7c7-41958799.zip[Beyond.class]
    Virus:Trj/Shinwow.D Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-784eb7c7-41958799.zip[binny/binny.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-456838ae-6a392032.zip[GetAccess.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-456838ae-6a392032.zip[InsecureClassLoader.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-456838ae-6a392032.zip[Dummy.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-456838ae-6a392032.zip[Installer.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7ec726e3-3d27ab66.zip[GetAccess.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7ec726e3-3d27ab66.zip[InsecureClassLoader.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7ec726e3-3d27ab66.zip[Dummy.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7ec726e3-3d27ab66.zip[Installer.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-96d30d8-73ff5790.zip[GetAccess.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-96d30d8-73ff5790.zip[InsecureClassLoader.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-96d30d8-73ff5790.zip[Dummy.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-96d30d8-73ff5790.zip[Installer.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fda7c69-1adc347b.zip[GetAccess.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fda7c69-1adc347b.zip[InsecureClassLoader.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fda7c69-1adc347b.zip[Dummy.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User03\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fda7c69-1adc347b.zip[Installer.class]
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\User03\Cookies\[email protected][1].txt
    Spyware:Cookie/Malwarewipe Not disinfected C:\Documents and Settings\User03\Cookies\[email protected][1].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\User03\Cookies\[email protected][1].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\User03\Desktop\SmitfraudFix\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\User03\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 12:25:28 PM 7/25/2006

    + Scan result:



    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{f7d40011-29bb-43eb-9c97-875ce89e9e36} -> Adware.Generic : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][1].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][1].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][1].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
    C:\Documents and Settings\User03\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).


    ::Report end

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 2:30:12 PM 7/25/2006

    + Scan result:



    C:\Documents and Settings\User03\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).


    ::Report end

    Thanks again.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/484360

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice