
Spyware or Trojan Problem

Discussion in 'Virus & Other Malware Removal' started by wtowers, Feb 10, 2007.

  1. wtowers

    wtowers Thread Starter

    Joined:
    Jun 14, 2004
    Messages:
    101
    Recently began to experience possible spyware or Trojan problem. IE keeps being automatically opened and redirected to Online-Security-Center.com page for Spy Soldier. Attached is a Hijack This log. Any help would be appreciated.
     

    Attached Files:

  2. bonk

    bonk Banned

    Joined:
    Sep 8, 2005
    Messages:
    11,097
    You will get more notice posting it like this

    Logfile of HijackThis v1.99.1
    Scan saved at 10:52:57 AM, on 2/10/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\msmapi32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    N2 - Netscape 6: # Mozilla User Preferences
    // This is a generated file!

    user_pref("browser.cache.directory", "C:\\Documents and Settings\\Bill Towers\\Application Data\\Mozilla\\Profiles\\default\\5xxyzn1l.slt\\Cache");
    user_pref("browser.history.last_page_visited", "http://fantasygames.sandboxplus.com/2000/baseball/reports/leaguehome.asp?leaguenum=9370");
    user_pref("browser.search.defaultengine", "http://www.google.com/");
    user_pref("browser.startup.homepage_override.1", false);
    user_pref("general.useragent.contentlocale", "");
    user_pref("intl.charsetmenu.browser.cache", "windows-1252");
    user_pref("prefs.converted-to-utf8", true);
    user_pref("security.warn_entering_secure", false);
    user_pref("security.warn_leaving_secure", false);
    user_pref("security.warn_viewing_mixed", false);
    user_pref("signon.SignonFileName", "63249813.s");
    user_pref("timebomb.first_launch_time", "1063249322968000");
    user_pref("wallet.SchemaValueFileName", "86538123.w");
    user_pref("wallet.caveat", true);
    user_pref("browser.helperApps.ne
    O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
    O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
    O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
    O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
    O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - (no file)
    O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
    O2 - BHO: (no name) - {1b68470c-2def-493b-8a4a-8e2d81be4ea5} - (no file)
    O2 - BHO: (no name) - {1c4da27d-4d52-4465-a089-98e01bb725ca} - (no file)
    O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
    O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
    O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - (no file)
    O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
    O2 - BHO: (no name) - {2e246fae-8420-11d9-870d-000c2917de7f} - (no file)
    O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
    O2 - BHO: (no name) - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
    O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - (no file)
    O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
    O2 - BHO: (no name) - {746455fe-d059-47e7-af0e-140e03f5a447} - (no file)
    O2 - BHO: (no name) - {7a7e6d97-b492-4884-9abb-c31281dcc4f2} - (no file)
    O2 - BHO: (no name) - {860c2f6b-ca82-4282-9187-beccbb66f0af} - (no file)
    O2 - BHO: (no name) - {87185e78-a61b-4db3-965a-3235bbd7a622} - (no file)
    O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
    O2 - BHO: (no name) - {9c5875b8-93f3-429d-ff34-660b206d897a} - (no file)
    O2 - BHO: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
    O2 - BHO: (no name) - {a6f42cad-2559-48df-af30-89e480af5dfa} - (no file)
    O2 - BHO: (no name) - {b212d577-05b7-4963-911e-4a8588160dfa} - (no file)
    O2 - BHO: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
    O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
    O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
    O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
    O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
    O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
    O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
    O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
    O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
    O2 - BHO: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file)
    O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
    O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - (no file)
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe -z
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.charter.com/sdccommon/download/tgctlsi.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://secure.sunterra.com/US/downloads/svideo3.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://h20179.www2.hp.com/psgna/caller/SysQuery.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D9407C7A-EF07-4988-B9AD-F293A7B776B7}: NameServer = 24.217.0.5,24.217.0.55
    O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
    O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
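    The HijackThis log above is what the helpers in this thread read by eye; the following is an added example (not part of the thread, and not HijackThis's own code) of parsing that v1.99.1 log format and pulling out the items a responder checks first: BHO entries whose CLSID points at no file, the Winsock LSP entry, the O17 name servers (for manual comparison against the ISP's, not judged by the script), the O4 autoruns, and running processes whose file names later show up in the SmitfraudFix output. The sample log is a constructed, trimmed selection modelled on the posted log; the name set passed to `flag_processes` is taken from the SmitfraudFix report further down the thread.

```python
import re

# Constructed sample in the HijackThis v1.99.1 log format: a trimmed selection
# modelled on the log posted in this thread, not a complete copy of it.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 10:52:57 AM, on 2/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\msmapi32.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9407C7A-EF07-4988-B9AD-F293A7B776B7}: NameServer = 24.217.0.5,24.217.0.55
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every HijackThis finding is "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_hjt(text):
    """Split a log into the running-process list and a list of (section, body) entries.
    Lines that belong to neither (header, the N2 Netscape prefs dump) are skipped."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group("section"), m.group("body")))
        elif in_processes:
            processes.append(line)
    return processes, entries


def orphaned_bhos(entries):
    """O2 entries whose DLL is gone: the CLSID is still registered but loads nothing.
    Dozens of these usually mean earlier removals left registry stubs behind."""
    return [CLSID_RE.search(body).group(0)
            for sec, body in entries
            if sec == "O2" and body.endswith("(no file)") and CLSID_RE.search(body)]


def lsp_entries(entries):
    """O10 Winsock LSP entries; each DLL here sits in the network stack of every app."""
    return [body.split(":", 1)[1].strip() for sec, body in entries if sec == "O10"]


def nameservers(entries):
    """O17 DNS servers, returned for the responder to verify against the ISP's."""
    out = []
    for sec, body in entries:
        if sec == "O17" and "NameServer =" in body:
            out.extend(ip.strip() for ip in body.split("NameServer =", 1)[1].split(","))
    return out


def run_entries(entries):
    """O4 autoruns as (registry key, value name, command)."""
    out = []
    for sec, body in entries:
        m = RUN_RE.match(body) if sec == "O4" else None
        if m:
            out.append((m.group("key"), m.group("name"), m.group("cmd")))
    return out


def flag_processes(processes, suspect_names):
    """Running processes whose file name is in suspect_names (case-insensitive)."""
    wanted = {n.lower() for n in suspect_names}
    return [p for p in processes if p.rsplit("\\", 1)[-1].lower() in wanted]


def triage(text, suspect_names=("msmapi32.exe",)):
    """One-shot summary of the checks above for a whole log."""
    processes, entries = parse_hjt(text)
    return {
        "process_count": len(processes),
        "orphaned_bho_count": len(orphaned_bhos(entries)),
        "lsp": lsp_entries(entries),
        "nameservers": nameservers(entries),
        "autoruns": [name for _, name, _ in run_entries(entries)],
        "flagged_processes": flag_processes(processes, suspect_names),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    On the full log in this thread the same code would report 39 orphaned BHO CLSIDs (including the all-F placeholder) and flag msmapi32.exe, which is running in the first log and is among the files SmitfraudFix later deletes.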
  3. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi wtowers, please do this:

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.
    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  4. wtowers

    wtowers Thread Starter

    Joined:
    Jun 14, 2004
    Messages:
    101
    SmitFraudFix v2.81

    Scan done at 13:00:46.31, Sat 02/10/2007
    Run from C:\Documents and Settings\Bill Towers\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\kernels64.exe FOUND !
    C:\WINDOWS\system32\msvol.tlb FOUND !
    C:\WINDOWS\system32\ncompat.tlb FOUND !
    C:\WINDOWS\system32\ot.ico FOUND !
    C:\WINDOWS\system32\ts.ico FOUND !
    C:\WINDOWS\system32\vxgamet?.exe FOUND !
    C:\WINDOWS\system32\vxh8jkdq?.exe FOUND !
    C:\WINDOWS\system32\winmuse.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bill Towers\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BILLTO~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, I would prefer that you download the newer version of SmitFraudFix, unzip it and extract it to the Desktop. You should simply delete the old copy you have now.

    Then run the steps I had below for the new version; they are exactly the same. This new version checks for more things, like rootkits, which you can have!

    I just had another person use the same download link, and it showed as: v2.141
     
  6. wtowers

    wtowers Thread Starter

    Joined:
    Jun 14, 2004
    Messages:
    101
    Sorry, I had downloaded the newest version; I guess I unzipped it into a different directory.

    SmitFraudFix v2.141

    Scan done at 16:05:39.37, Sat 02/10/2007
    Run from C:\Program Files\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

    C:\WINDOWS\accesss.exe FOUND !
    C:\WINDOWS\astctl32.ocx FOUND !
    C:\WINDOWS\avpcc.dll FOUND !
    C:\WINDOWS\clrssn.exe FOUND !
    C:\WINDOWS\cpan.dll FOUND !
    C:\WINDOWS\dialup.exe FOUND !
    C:\WINDOWS\inetdctr.dll FOUND !
    C:\WINDOWS\mtwirl32.dll FOUND !
    C:\WINDOWS\notepad32.exe FOUND !
    C:\WINDOWS\olehelp.exe FOUND !
    C:\WINDOWS\runwin32.exe FOUND !
    C:\WINDOWS\spp3.dll FOUND !
    C:\WINDOWS\systeem.exe FOUND !
    C:\WINDOWS\systemcritical.exe FOUND !
    C:\WINDOWS\time.exe FOUND !
    C:\WINDOWS\users32.exe FOUND !
    C:\WINDOWS\waol.exe FOUND !
    C:\WINDOWS\win32e.exe FOUND !
    C:\WINDOWS\win64.exe FOUND !
    C:\WINDOWS\winajbm.dll FOUND !
    C:\WINDOWS\window.exe FOUND !
    C:\WINDOWS\wininet32.exe FOUND !
    C:\WINDOWS\winmgnt.exe FOUND !
    C:\WINDOWS\x.exe FOUND !
    C:\WINDOWS\xplugin.dll FOUND !
    C:\WINDOWS\xxxvideo.hta FOUND !
    C:\WINDOWS\y.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\ace16win.dll FOUND !
    C:\WINDOWS\system32\anti_troj.exe FOUND !
    C:\WINDOWS\system32\dload.exe FOUND !
    C:\WINDOWS\system32\iewd.exe FOUND !
    C:\WINDOWS\system32\kernels64.exe FOUND !
    C:\WINDOWS\system32\lfd.dat FOUND !
    C:\WINDOWS\system32\mpsegment.exe FOUND !
    C:\WINDOWS\system32\msmapi32.exe FOUND !
    C:\WINDOWS\system32\msmsn.exe FOUND !
    C:\WINDOWS\system32\msvol.tlb FOUND !
    C:\WINDOWS\system32\ncompat.tlb FOUND !
    C:\WINDOWS\system32\netstat2.exe FOUND !
    C:\WINDOWS\system32\oiso.bin FOUND !
    C:\WINDOWS\system32\ot.ico FOUND !
    C:\WINDOWS\system32\pcf.pdf FOUND !
    C:\WINDOWS\system32\perfont.exe FOUND !
    C:\WINDOWS\system32\performent202.dll FOUND !
    C:\WINDOWS\system32\POPCORN72.EXE FOUND !
    C:\WINDOWS\system32\proqlaim.exe FOUND !
    C:\WINDOWS\system32\ts.ico FOUND !
    C:\WINDOWS\system32\vxgamet?.exe FOUND !
    C:\WINDOWS\system32\vxh8jkdq?.exe FOUND !
    C:\WINDOWS\system32\win32hp.dll FOUND !
    C:\WINDOWS\system32\winmuse.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bill Towers


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bill Towers\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BILLTO~1\FAVORI~1

    C:\DOCUME~1\BILLTO~1\FAVORI~1\Online Security Test.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  7. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Let's run the second part of the fix:

    Copy these steps to a Notepad text file and save it as steps.txt to your desktop, or print them, as you will not be able to get online while working in Safe Mode (and, please do not use Safe Mode with Networking for this fix!)

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.


    Next:

    Click HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Post the second SmitFraudFix log, the Panda log, and then a new Hijackthis log please. You can do the SmitFraudfix one now, and go start the Panda scan, and come back and post those other two when you can.
     
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    WHOA... hold up there!

    You have it running from Program Files now. Desktop is where you run smitfraudfix from; there just is no other way!

    Let's start again, but I want to notify you, so I will be posting more to this area; refresh your browser to see new info.


    Let's try again. From the downloaded SmitFraudfix .zip folder (the one with the watchband-like thing on it, the .zip folder): right-click it and, from the menu you see, select "Extract All". A wizard window should come up; in the Select Destination box, scroll down, as sometimes the Desktop directory, which is the first or highest in the list, is hidden up above the rest. Click "Desktop" and click "OK" so the new SmitFraudfix folder that is being created comes up right onto your desktop background. Then open that new folder, find smitfraudfix.cmd and double-click it to start the tool.

    Follow the prompts to press any key, then press 1 to "Search", as we are doing it all new.

    After a log comes up, save a copy (I suggest also to the desktop) and then close it; by default a copy is also at C:\rapport.txt, so don't worry.

    Next: boot to Safe Mode to complete the second part of the fix.
    Double-click smitfraudfix.cmd to start the tool, and this time select "2" Clean.

    And follow the steps from my other reply for the second part. You will need to have them with you in Safe Mode, so print them or save the steps to a Notepad text file, name it steps.txt on your desktop, so you can read them in Safe Mode.



    In the space that shows where the files will extract to, make sure it says Run from C:\Documents and Settings\Bill Towers\Desktop\SmitfraudFix
     
  9. wtowers

    wtowers Thread Starter

    Joined:
    Jun 14, 2004
    Messages:
    101
    SmitFraudFix v2.141

    Scan done at 16:43:29.48, Sat 02/10/2007
    Run from C:\Documents and Settings\Bill Towers\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

    C:\WINDOWS\accesss.exe FOUND !
    C:\WINDOWS\astctl32.ocx FOUND !
    C:\WINDOWS\avpcc.dll FOUND !
    C:\WINDOWS\clrssn.exe FOUND !
    C:\WINDOWS\cpan.dll FOUND !
    C:\WINDOWS\dialup.exe FOUND !
    C:\WINDOWS\inetdctr.dll FOUND !
    C:\WINDOWS\mtwirl32.dll FOUND !
    C:\WINDOWS\notepad32.exe FOUND !
    C:\WINDOWS\olehelp.exe FOUND !
    C:\WINDOWS\runwin32.exe FOUND !
    C:\WINDOWS\spp3.dll FOUND !
    C:\WINDOWS\systeem.exe FOUND !
    C:\WINDOWS\systemcritical.exe FOUND !
    C:\WINDOWS\time.exe FOUND !
    C:\WINDOWS\users32.exe FOUND !
    C:\WINDOWS\waol.exe FOUND !
    C:\WINDOWS\win32e.exe FOUND !
    C:\WINDOWS\win64.exe FOUND !
    C:\WINDOWS\winajbm.dll FOUND !
    C:\WINDOWS\window.exe FOUND !
    C:\WINDOWS\wininet32.exe FOUND !
    C:\WINDOWS\winmgnt.exe FOUND !
    C:\WINDOWS\x.exe FOUND !
    C:\WINDOWS\xplugin.dll FOUND !
    C:\WINDOWS\xxxvideo.hta FOUND !
    C:\WINDOWS\y.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\ace16win.dll FOUND !
    C:\WINDOWS\system32\anti_troj.exe FOUND !
    C:\WINDOWS\system32\dload.exe FOUND !
    C:\WINDOWS\system32\iewd.exe FOUND !
    C:\WINDOWS\system32\kernels64.exe FOUND !
    C:\WINDOWS\system32\lfd.dat FOUND !
    C:\WINDOWS\system32\mpsegment.exe FOUND !
    C:\WINDOWS\system32\msmapi32.exe FOUND !
    C:\WINDOWS\system32\msmsn.exe FOUND !
    C:\WINDOWS\system32\msvol.tlb FOUND !
    C:\WINDOWS\system32\ncompat.tlb FOUND !
    C:\WINDOWS\system32\netstat2.exe FOUND !
    C:\WINDOWS\system32\oiso.bin FOUND !
    C:\WINDOWS\system32\ot.ico FOUND !
    C:\WINDOWS\system32\pcf.pdf FOUND !
    C:\WINDOWS\system32\perfont.exe FOUND !
    C:\WINDOWS\system32\performent202.dll FOUND !
    C:\WINDOWS\system32\POPCORN72.EXE FOUND !
    C:\WINDOWS\system32\proqlaim.exe FOUND !
    C:\WINDOWS\system32\ts.ico FOUND !
    C:\WINDOWS\system32\vxgamet?.exe FOUND !
    C:\WINDOWS\system32\vxh8jkdq?.exe FOUND !
    C:\WINDOWS\system32\win32hp.dll FOUND !
    C:\WINDOWS\system32\winmuse.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bill Towers


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bill Towers\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BILLTO~1\FAVORI~1

    C:\DOCUME~1\BILLTO~1\FAVORI~1\Online Security Test.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  10. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Thank you! Now run the second part.

    Copy these steps to a Notepad text file and save it as steps.txt to your desktop, or print them, as you will not be able to get online while working in Safe Mode (and, please do not use Safe Mode with Networking for this fix!)

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.
     
  11. wtowers

    wtowers Thread Starter

    Joined:
    Jun 14, 2004
    Messages:
    101
    SmitFraudFix v2.141

    Scan done at 17:11:49.35, Sat 02/10/2007
    Run from C:\Documents and Settings\Bill Towers\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\accesss.exe Deleted
    C:\WINDOWS\astctl32.ocx Deleted
    C:\WINDOWS\avpcc.dll Deleted
    C:\WINDOWS\clrssn.exe Deleted
    C:\WINDOWS\cpan.dll Deleted
    C:\WINDOWS\dialup.exe Deleted
    C:\WINDOWS\inetdctr.dll Deleted
    C:\WINDOWS\mtwirl32.dll Deleted
    C:\WINDOWS\notepad32.exe Deleted
    C:\WINDOWS\olehelp.exe Deleted
    C:\WINDOWS\runwin32.exe Deleted
    C:\WINDOWS\spp3.dll Deleted
    C:\WINDOWS\systeem.exe Deleted
    C:\WINDOWS\systemcritical.exe Deleted
    C:\WINDOWS\time.exe Deleted
    C:\WINDOWS\users32.exe Deleted
    C:\WINDOWS\waol.exe Deleted
    C:\WINDOWS\win32e.exe Deleted
    C:\WINDOWS\win64.exe Deleted
    C:\WINDOWS\winajbm.dll Deleted
    C:\WINDOWS\window.exe Deleted
    C:\WINDOWS\wininet32.exe Deleted
    C:\WINDOWS\winmgnt.exe Deleted
    C:\WINDOWS\x.exe Deleted
    C:\WINDOWS\xplugin.dll Deleted
    C:\WINDOWS\xxxvideo.hta Deleted
    C:\WINDOWS\y.exe Deleted
    C:\WINDOWS\system32\ace16win.dll Deleted
    C:\WINDOWS\system32\anti_troj.exe Deleted
    C:\WINDOWS\system32\dload.exe Deleted
    C:\WINDOWS\system32\iewd.exe Deleted
    C:\WINDOWS\system32\kernels64.exe Deleted
    C:\WINDOWS\system32\lfd.dat Deleted
    C:\WINDOWS\system32\mpsegment.exe Deleted
    C:\WINDOWS\system32\msmapi32.exe Deleted
    C:\WINDOWS\system32\msmsn.exe Deleted
    C:\WINDOWS\system32\msvol.tlb Deleted
    C:\WINDOWS\system32\ncompat.tlb Deleted
    C:\WINDOWS\system32\netstat2.exe Deleted
    C:\WINDOWS\system32\oiso.bin Deleted
    C:\WINDOWS\system32\ot.ico Deleted
    C:\WINDOWS\system32\pcf.pdf Deleted
    C:\WINDOWS\system32\perfont.exe Deleted
    C:\WINDOWS\system32\performent202.dll Deleted
    C:\WINDOWS\system32\POPCORN72.EXE Deleted
    C:\WINDOWS\system32\proqlaim.exe Deleted
    C:\WINDOWS\system32\ts.ico Deleted
    C:\WINDOWS\system32\vxgamet?.exe Deleted
    C:\WINDOWS\system32\vxh8jkdq?.exe Deleted
    C:\WINDOWS\system32\win32hp.dll Deleted
    C:\WINDOWS\system32\winmuse.exe Deleted
    C:\DOCUME~1\BILLTO~1\FAVORI~1\Online Security Test.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End


    ActiveScan log is attached.



    Logfile of HijackThis v1.99.1
    Scan saved at 6:55:17 PM, on 2/10/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    N2 - Netscape 6: # Mozilla User Preferences
    // This is a generated file!

    user_pref("browser.cache.directory", "C:\\Documents and Settings\\Bill Towers\\Application Data\\Mozilla\\Profiles\\default\\5xxyzn1l.slt\\Cache");
    user_pref("browser.history.last_page_visited", "http://fantasygames.sandboxplus.com/2000/baseball/reports/leaguehome.asp?leaguenum=9370");
    user_pref("browser.search.defaultengine", "http://www.google.com/");
    user_pref("browser.startup.homepage_override.1", false);
    user_pref("general.useragent.contentlocale", "");
    user_pref("intl.charsetmenu.browser.cache", "windows-1252");
    user_pref("prefs.converted-to-utf8", true);
    user_pref("security.warn_entering_secure", false);
    user_pref("security.warn_leaving_secure", false);
    user_pref("security.warn_viewing_mixed", false);
    user_pref("signon.SignonFileName", "63249813.s");
    user_pref("timebomb.first_launch_time", "1063249322968000");
    user_pref("wallet.SchemaValueFileName", "86538123.w");
    user_pref("wallet.caveat", true);
    user_pref("browser.helperApps.ne
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe -z
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D9407C7A-EF07-4988-B9AD-F293A7B776B7}: NameServer = 24.217.0.5,24.217.0.55
    O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
    O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     


  12. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, now we need to see this log:

    Open HijackThis and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it, then the list should open in Notepad. Copy and paste that list here.
     
  13. wtowers

    wtowers Thread Starter

    Joined:
    Jun 14, 2004
    Messages:
    101
    2001 TurboTax Deluxe
    ABBYY FineReader 5.0 Sprint Plus
    Ad-aware 6 Personal
    Adobe Acrobat 4.0
    Adobe Acrobat 5.0
    Adobe Reader 7.0.8
    AIM Toolbar
    America Online
    AncestryView
    AOL Instant Messenger
    AOL Toolbar 2.0
    ArcSoft PhotoImpression
    Baldur's Gate(TM) II - Shadows of Amn(TM)
    Bonjour
    Britannica 2001 Standard Edition CD-ROM
    Caesar 3 Demo
    CCScore
    Charter Solution Controls Installation
    Coloreal
    Command & Conquer Generals
    Command and ConquerTM Generals Zero Hour
    Compaq Advisor
    Compaq IJ650 Inkjet Printer
    Compaq Wallpaper
    Compaq WinDVD
    CompuServe 2000
    Easy CD Creator 5 Basic
    Encarta Online
    EPSON Copy Utility
    EPSON EIC CX5400
    EPSON Photo Print
    EPSON Printer Software
    EPSON Scan
    EPSON Smart Panel
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESShelp
    ESSini
    ESSPCD
    ESSPDock
    ESSSONIC
    ESSTOOLS
    essvatgt
    essvcpt
    Family Tree Maker
    Family Tree Maker 2006
    Football SMARTs
    Football SMARTs
    Guild Wars
    Heroes of Might and Magic III Complete
    HijackThis 1.99.1
    HLPPDOCK
    InterVideo Installer
    iPhoto Plus 4
    iPod Update 2004-04-28
    ItsDeductible Express
    Java 2 Runtime Environment Standard Edition v1.3.1_11
    Java 2 Runtime Environment, SE v1.4.2
    Java 2 Runtime Environment, SE v1.4.2_03
    Kali95
    Kaspersky Online Scanner
    kgcbaby
    kgcbase
    kgchday
    kgchlwn
    kgcinvt
    kgckids
    kgcmove
    kgcvday
    Kodak EasyShare software
    Kodak Memory Albums
    KSU
    LiveReg (Symantec Corporation)
    LiveUpdate 2.6 (Symantec Corporation)
    Logical Journey of the Zoombinis
    Lords of Magic Special Edition
    Macromedia Flash Player 8
    Macromedia Shockwave Player
    MechWarrior 3
    Microsoft AntiSpyware
    Microsoft Office Professional Edition 2003
    Microsoft Office XP Media Content
    Microsoft Works 6.0
    MSN Music Assistant
    Mustek Scanner Solutions for 600 III EP Plus v3.2
    MVP Baseball 2003
    Netscape 6 (6.1)
    Norton Internet Security
    Norton WMI Update
    NoteWorthy Composer
    Notifier
    NVIDIA Drivers
    OfotoXMI
    OTtBP
    OTtBPSDK
    Outlook Express Q837009
    Panda ActiveScan
    Quicken 2006
    QuickTime
    RealPlayer
    Registry Medic 3.01 (Build 1102)
    Roll
    RTC Client API v1.2
    SafeCast Shared Components
    ScanToWeb
    SFR
    SHASTA
    Shockwave
    Sierra Utilities
    SKIN0001
    SKINXSDK
    SoundMAX2
    SpeechRedist
    Spybot - Search & Destroy 1.2
    Starcraft
    staticcr
    The Print Shop Premier Edition 5.0
    TurboTax Deluxe 2002
    TurboTax Deluxe 2003
    TurboTax Deluxe 2004
    TurboTax Deluxe 2005
    TurboTax ItsDeductible 2005
    Unreal Tournament 2004
    VPRINTOL
    War of the Ring(tm)
    Warcraft II BNE
    WexTech AnswerWorks
    Windows Installer 3.1 (KB893803)
    Windows Installer Clean Up
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player Hotfix [See wm828026 for more information]
    Windows SR 2.0
    Windows XP Hotfix - KB823182
    Windows XP Hotfix - KB824105
    Windows XP Hotfix - KB824141
    Windows XP Hotfix - KB825119
    Windows XP Hotfix - KB826939
    Windows XP Hotfix - KB828035
    Windows XP Hotfix - KB828741
    Windows XP Hotfix - KB833987
    Windows XP Hotfix - KB835732
    Windows XP Hotfix - KB837001
    Windows XP Hotfix - KB840374
    Windows XP Hotfix - KB840987
    Windows XP Hotfix - KB841356
    Windows XP Hotfix - KB841533
    Windows XP Hotfix - KB842773
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB873376
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB889293
    Windows XP Hotfix (SP2) Q819696
    WinZip
    WinZip Self-Extractor
    WIRELESS
    Yahoo! extras
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger
    Yahoo! Toolbar
     
  14. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, we will need to install some new programs, and since the computer has Microsoft AntiSpyware installed, it will have to go (that is an expired version anyway, replaced by Windows Defender).

    Uninstall MS AntiSpyware via Add/Remove Programs. Reboot (unless the computer is in such bad shape that you don't want to risk it; I see from the Panda log you have been fighting with a lot of malware there).

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer.
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
    • Instead of Windows loading as normal, a menu with options should appear.
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
    • Press any key and it will restart the PC.
    • Your system will take longer than normal to restart as the fixtool will be running and removing files.
    • When the desktop loads, the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
    • Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
     
  15. wtowers

    wtowers Thread Starter

    Joined:
    Jun 14, 2004
    Messages:
    101
    SDFix: Version 1.64

    Run by: Bill Towers - Sat 02/10/2007 @ 21:37:34.89

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\Documents and Settings\Bill Towers\Desktop\SDFix

    Safe Mode:
    Checking Services:

    Name:

    Path:


    Restoring Windows Registry Entries
    Restoring Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    No Trojan Files Found..




    ADS Check:

    C:\WINDOWS\system32
    No streams found.

    Final Check:


    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    Remaining Files:
    ---------------

    Backups Folder: - C:\DOCUME~1\BILLTO~1\Desktop\SDFix\backups\backups.zip


    Checking For Files with Hidden Attributes :

    C:\Documents and Settings\Bill Towers\NetHood\xls on fantasygames.sandboxplus.com\Desktop.ini
    C:\Program Files\America Online 6.0\aolphx.exe
    C:\Program Files\America Online 6.0\aoltray.exe
    C:\Program Files\America Online 6.0\packethsvc.exe
    C:\Program Files\America Online 6.0\RBM.exe
    C:\Program Files\America Online 6.0\waol.exe
    C:\Program Files\America Online 6.0\COMIT\cswitch.exe
    C:\Program Files\CompuServe 2000\csphx.exe
    C:\Program Files\CompuServe 2000\packethsvc.exe
    C:\Program Files\CompuServe 2000\RBM.exe
    C:\Program Files\CompuServe 2000\wcs2000.exe
    C:\Program Files\CompuServe 2000\COMIT\cswitch.exe
    C:\Program Files\KODAK\Kodak Utilities\kma_uninstaller.exe
    C:\QooBox\Purity\Documents and Settings\Bill Towers\My Documents\RACLE~1\ping.exe
    C:\WINDOWS\system32\PackethSvc.exe
    C:\Documents and Settings\Bill Towers\My Documents\Knights of Columbus\~WRL0834.tmp
    C:\Documents and Settings\Jackie Towers\My Documents\Sts. Joachim and Ann Misc\MHTF Folder\~WRL0001.tmp
    C:\Documents and Settings\Jackie Towers\My Documents\Sts. Joachim and Ann Misc\MHTF Folder\~WRL1312.tmp
    C:\WINDOWS\Temp\art4182.tmp
    C:\WINDOWS\Temp\art674D.tmp
    C:\WINDOWS\Temp\art7B8.tmp

    Finished

    Logfile of HijackThis v1.99.1
    Scan saved at 9:45:50 PM, on 2/10/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    N2 - Netscape 6: # Mozilla User Preferences
    // This is a generated file!

    user_pref("browser.cache.directory", "C:\\Documents and Settings\\Bill Towers\\Application Data\\Mozilla\\Profiles\\default\\5xxyzn1l.slt\\Cache");
    user_pref("browser.history.last_page_visited", "http://fantasygames.sandboxplus.com/2000/baseball/reports/leaguehome.asp?leaguenum=9370");
    user_pref("browser.search.defaultengine", "http://www.google.com/");
    user_pref("browser.startup.homepage_override.1", false);
    user_pref("general.useragent.contentlocale", "");
    user_pref("intl.charsetmenu.browser.cache", "windows-1252");
    user_pref("prefs.converted-to-utf8", true);
    user_pref("security.warn_entering_secure", false);
    user_pref("security.warn_leaving_secure", false);
    user_pref("security.warn_viewing_mixed", false);
    user_pref("signon.SignonFileName", "63249813.s");
    user_pref("timebomb.first_launch_time", "1063249322968000");
    user_pref("wallet.SchemaValueFileName", "86538123.w");
    user_pref("wallet.caveat", true);
    user_pref("browser.helperApps.ne
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe -z
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D9407C7A-EF07-4988-B9AD-F293A7B776B7}: NameServer = 24.217.0.5,24.217.0.55
    O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
    O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
Short URL to this thread: https://techguy.org/542874