Tom's Guide | Tom's Hardware | Tom's Games
Name: maysa
Hi, I have tried to get rid of the virus for days but failed. I learned through this forum that I would not be able to just follow the instructions from posts with a similar problem, since it differs from one computer to another. But I have downloaded HJT and saved the log file. Now I need help with the next step to delete this annoying virus. Thank you, and I truly appreciate any help I can get :)

Hi Maysa,
Until someone comes along to have a look at your HJT log file, a free program I have used to remove smitfraud in the past is SUPERAntiSpyware.
SAS has very up to date smitfraud detection and removal processes.
Download SAS (free edition) and save it to your desktop. Install the program then open it and let it do all the updates.
Next boot your computer into "safe mode" by tapping the f8 key during startup. Open SAS and click the "Scan your computer" button.
Now select "perform complete scan" and click "next". SAS will now commence a thorough scan of your computer (memory, registry and file items). This may take a while, but let it complete the scan fully. Once it has finished, quarantine the selections.
Now boot your pc up normally and run another thorough scan. You may find that it picks up a few more items; this is normal. Can you post back how this went and whether any remaining entries, if any, are smitfraud related?

Hi there,
Thanks a lot for the help. I am just wondering, is it really safe to run this program? Reading through posts that are similar makes me a bit worried that I might damage the desktop, since I am clueless when it comes to computers :(
I just wanted to confirm that running this program is as safe as Ad-aware and Spybot.
Spybot was the one that detected Smitfraud but unfortunately could not delete it.
thanks again :)

I was anxious to get this done so I downloaded the SAS. Then I tried to get into safe mode but failed. I was able to click on safe mode, then clicked on (Home edition Windows XP). After that I get a long list of drivers such as multi(0)disk(0)rdisk(0)partition(2)\windows\system\32\drivers agpCPQ.
I have no clue what to do. PLEASE HELP

That screen (white text with a list of all your drivers against a black screen) rolls up when you enter into safe mode... Let it roll through, and then when you are in safe mode you will see "safe mode" in the four corners of your screen and the icons will look large and cartoonish. This is normal.
SAS is very safe, as safe as Spybot and Ad-Aware (I use all three on my machines here and never had a problem). It is also very thorough.
Try again to get into safe mode and run the program. You will find that there will be a lot of detections (the majority belonging to smitfraud); it will auto select, so you are free to quarantine all it finds.
If you are unsure about entering safe mode, feel free to run it in normal mode. Safe mode just makes the detection rate higher and prevents certain types of malware starting so they can be deleted more easily.
Please post back and let me know how you go with this.

I tried to get into safe mode but failed. I get a long list of drivers that rolls through, but no sign of "safe mode". I have been able to get into safe mode before, but not since this problem occurred. So I ran it through normal mode. It detected quite a lot, but no Smitfraud or anything related to it.
Any other suggestion would be very much appreciated.
Thanks

Can you let me know what anti-virus program you are currently using, and can you download Avast to your desktop but don't install it just yet?
avast! 4 Home Edition FREE here
We will disable your current protection and schedule a boot-time scan with Avast. The boot time scan prevents most unnecessary processes (malware included) starting up and scans your pc before it boots up completely.
If this is unsuccessful I will then have a look at a new HJT log file to see what nasties are lurking and see if there is a manual fix online.

Open up Avast from your desktop, or click "start" > "all programs" > "Avast! antivirus"
Once it is open, click on the button at the top left that looks like an eject button, then click "schedule boot-time scan" and click "schedule".
Avast will now run a scan before your pc boots up completely.
Quarantine everything Avast detects.
After Avast has finished the scan and your pc boots back up again post a fresh HJT log.

Thank you so much for your help
Here is the logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:34:03 PM, on 20/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\AOL\1167326590\ee\AOLSoftware.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Salaat Time\SalaatTime.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {28022e6a-1f1a-4104-ae2d-befe122c0fa8} - C:\WINDOWS\system32\calxccn.dll (file missing)
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56D40419-BAEF-4A63-9D65-68D7ED90BA29} - C:\Program Files\Online Services\hokepocC:\WINDOWS\system32\doc4\mmildot83122.exe.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167326590\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SalaatTime] C:\Program Files\Salaat Time\SalaatTime.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DF5DE05-0C55-4B59-95C4-F3D5A0AECBCA}: NameServer = 205.188.146.145
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9987 bytes
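The helper reads an HJT log by eye, section by section, looking for the "nasties". As an added example that is not part of the thread and is not HijackThis's own code, here is a small Python triage script for HijackThis v2 log lines: it parses the section prefix (R0/R1, O2, O4, O17, O23) and flags the kinds of entries a reviewer looks at first: registered components marked "(file missing)", unnamed browser helper objects or toolbars, autostart entries launched from temp or profile directories, and DNS NameServer overrides. The sample lines, CLSIDs and paths are constructed, and the flagging heuristics are my own, not HJT's.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis v2 line format (names, CLSIDs and paths are made up).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://example.invalid/start
O2 - BHO: Example Toolbar Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\toolbar.dll
O2 - BHO: (no name) - {66666666-7777-8888-9999-000000000000} - C:\\WINDOWS\\system32\\abcxyz.dll (file missing)
O4 - HKLM\\..\\Run: [ExampleUpdater] C:\\Program Files\\Example\\updater.exe
O4 - HKCU\\..\\Run: [svchost] C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}: NameServer = 192.0.2.53
O23 - Service: Example AV (exav) - Example Corp - C:\\Program Files\\Example AV\\exav.exe
"""

# Every HJT entry starts with a section code: R = registry/IE settings, O = other.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")

# Directories a legitimate boot-time autostart rarely lives in (my own heuristic list).
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")


@dataclass
class Finding:
    kind: str           # HJT section code, e.g. "O2"
    line: str           # the original log line
    reasons: List[str]  # why it was flagged


def triage(log_text: str) -> List[Finding]:
    """Return the log entries that deserve a human look, with the reason for each."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, the process list, blank lines
        kind, body = m.group("kind"), m.group("body")
        lower = body.lower()
        reasons = []
        if "(file missing)" in lower:
            reasons.append("registered component is no longer on disk (orphaned registration)")
        if kind in ("O2", "O3") and "(no name)" in lower:
            reasons.append("browser helper object or toolbar with no name")
        if kind == "O4" and any(d in lower for d in SUSPICIOUS_DIRS):
            reasons.append("autostart runs from a user-writable temp or profile directory")
        if kind == "O17" and "nameserver" in lower:
            reasons.append("DNS server override; confirm the address belongs to your ISP")
        if reasons:
            findings.append(Finding(kind, raw.strip(), reasons))
    return findings


def section_counts(log_text: str) -> dict:
    """Count entries per section code; many O2/O4 entries is where cleanup effort goes."""
    counts = {}
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            counts[m.group("kind")] = counts.get(m.group("kind"), 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.line}")
        for r in f.reasons:
            print(f"    -> {r}")
    print(section_counts(SAMPLE_LOG))
```

The script only narrows the list; an "(file missing)" entry is usually a leftover registration to clean up rather than a live threat, while an O4 entry running from a temp directory or an unexpected O17 name server is what to investigate first.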

Download the latest version of Java Runtime Environment from here (but don't install it just yet):
Java Runtime Environment (JRE) 6 Update 3
It's about the 4th item down.
After you accept the license agreement the page will refresh, you will need to click the link "Windows Offline Installation, Multi-language" and save to your desktop. Don't install it just yet.
Go to "start" > "control panel" > "add / remove programs" and remove the older version(s) of Java. They will look like:
Java 2 Runtime...
J2SE Runtime... Basically they will have Java, JRE or J2SE in the name.
Once all the older version(s) of Java have been removed, reboot your pc and double click the file you downloaded to your desktop earlier, jre-6u3-windows-i586-p.exe, and install it.
Next download Combofix and save it to your desktop from here:
Once it has downloaded, double click combofix.exe and follow the prompts.
While it is running don't do anything with your pc, especially click in the combofix window, as this can cause it to freeze.
Once it has finished you will get a log, post that along with a fresh HJT log please.

I was able to follow the steps successfully until I ran Combofix.
I downloaded and saved Combofix to the desktop. I double clicked on combofix.exe then clicked on run. A window appears: "C:\Documents and settings\maysa\desktop\combofix.exe is not a valid win32 application"
Not sure why I can't run it!

Sorry to sound paranoid, I googled "combofix" and looked at the steps to try to figure out why I was not able to run it.
Is it the site that you posted that is not working?
Looking at the google site for combofix, it mentioned to close all windows; does that include my internet service before running combofix? An example of a blue box appears with option 1 to continue and option 2 to exit. I guess I need to click on Option 1, which states that if infected it would delete and reboot. Does the log appear after rebooting?

The link I have given you is not working properly. Delete the combofix icon on your desktop and download combofix from here:
A download dialogue box will appear on your desktop, choose to save the file to your desktop. Once it has finished you will have a new combofix icon on your desktop (a red circle with a white cross through it). If you have this it will work.
Your pc will only reboot if combofix is used to manually input files to delete.
You asked "Looking at the google site for combofix, it mentioned to close all windows, does that include my internet service before running combofix"
It is not necessary to disconnect from the internet although closing all browser windows will give it a higher success rate. The rule of thumb is that if you can prevent as many processes from running as you can this will improve any cleaning and malware removal attempts, as they can prevent certain programs functioning normally if they are allowed to run.
This is why running most scans in safe mode is a preferred option as windows only loads the bare minimum to allow it to work. Even the display drivers are affected which is why the desktop looks cartoonish.
When you double click combofix you will get a security prompt asking you if you want to "run" or "cancel" the program. Click run. A little blue window will now pop up asking you to choose option 1 or 2; choose option 1 and press enter.
The scanning process will now start. It could take a while, so let it run through the scan uninterrupted. Once the scan has finished the blue box will disappear and a notepad file should open; paste the contents of this file.
If a notepad file doesn't appear, navigate to c:\combofix.txt, which is where it is.

Here is the log for combofix:
ComboFix 07-12-21.4 - Alwazir 2007-12-21 16:54:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.224 [GMT 0:00]
Running from: C:\Documents and Settings\Alwazir\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\pac.txt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CORE
-------\core
.
((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
.
2007-12-20 20:13 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-12-16 21:38 . 2007-12-16 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-16 21:37 . 2007-12-21 00:19 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-16 21:37 . 2007-12-16 21:37 <DIR> d-------- C:\Documents and Settings\Alwazir\Application Data\SUPERAntiSpyware.com
2007-12-16 21:36 . 2007-12-16 21:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-16 19:23 . 2007-12-16 19:24 <DIR> d-------- C:\Documents and Settings\Alwazir\Application Data\McAfee.com Personal Firewall
2007-12-16 19:21 . 2007-12-21 16:58 38,528 --a------ C:\WINDOWS\SYSTEM32\Status.MPF
2007-12-16 19:20 . 2007-12-16 19:20 <DIR> d-------- C:\Program Files\McAfee.com
2007-12-16 19:20 . 2004-05-06 14:19 83,181 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MpFirewall.sys
2007-12-16 19:20 . 2004-04-19 15:42 35,143 --a------ C:\WINDOWS\SYSTEM32\MpFireWl.VXD
2007-12-16 19:20 . 2004-04-23 18:15 24,576 --a------ C:\WINDOWS\SYSTEM32\MpfApi.dll
2007-12-14 19:40 . 2007-12-14 19:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-12 23:50 . 2007-12-14 02:13 143 --a------ C:\WINDOWS\SYSTEM32\mcrh.tmp
2007-12-12 23:14 . 2007-12-20 19:02 1,253 --a------ C:\WINDOWS\wininit.ini
2007-12-12 22:28 . 2007-12-12 22:28 <DIR> d-------- C:\Spybot - Search & Destroy
2007-12-12 22:28 . 2007-12-12 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-11 21:57 . 2007-12-18 21:05 529,843 --ahs---- C:\WINDOWS\SYSTEM32\nqtss.ini2
2007-12-11 21:57 . 2007-12-18 21:08 529,843 --ahs---- C:\WINDOWS\SYSTEM32\nqtss.ini
2007-12-11 21:53 . 2007-12-11 21:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\ripd1
2007-12-11 21:53 . 2007-12-11 22:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\doc4
2007-12-11 21:53 . 2007-12-11 22:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\bbc5
2007-12-11 21:53 . 2007-12-11 22:01 <DIR> d-------- C:\WINDOWS\SYSTEM32\ashell3
2007-12-11 21:52 . 2007-12-11 21:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\rex2
2007-12-11 21:52 . 2007-12-11 21:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\daSgo01
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 15:37 --------- d-----w C:\Documents and Settings\Alwazir\Application Data\Skype
2007-12-20 21:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-20 20:13 --------- d-----w C:\Program Files\Java
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-01 12:55 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-24 02:33 --------- d-----w C:\Program Files\Passware
2007-09-27 00:29 737,280 ----a-w C:\WINDOWS\iun6002.exe
2006-10-12 03:09 94,208 --sh--w C:\WINDOWS\SYSTEM32\SalaatTime.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28022e6a-1f1a-4104-ae2d-befe122c0fa8}]
C:\WINDOWS\system32\calxccn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56D40419-BAEF-4A63-9D65-68D7ED90BA29}]
C:\Program Files\Online Services\hokepocC:\WINDOWS\system32\doc4\mmildot83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-10 22:01]
"SalaatTime"="C:\Program Files\Salaat Time\SalaatTime.exe" [2007-08-26 09:38]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 09:37]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-01-03 12:13]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="Rundll32 P17.dll" []
"UpdReg"="C:\WINDOWS\UpdReg.exe" [2000-05-11 01:00]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-12-04 10:14]
"Adobe Reader Speed Launcher"="C:\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-03-01 23:06]
"HostManager"="C:\Program Files\Common Files\AOL\1167326590\ee\AOLSoftware.exe" [2006-11-17 13:21]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-04-12 16:44]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.exe" [2004-08-04 05:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-10 22:01:15]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe]
2003-05-06 08:28 72192 --a------ C:\Program Files\VoyagerTest\fts.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-02-16 14:04 147456 --a------ C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-08-25 12:52 339968 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2004-09-15 01:01 86016 --a------ C:\Program Files\Dell\Media Experience\DMXLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
2003-08-19 13:47 16384 --------- C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 16:54 57344 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-11-17 13:21 50736 --a------ C:\Program Files\Common Files\AOL\1167326590\ee\AOLSoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-03 20:12 221184 --a------ C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2005-04-17 21:17 16384 --a------ C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
2002-12-10 17:32 155648 --a------ C:\Program Files\Logitech\ImageStudio\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
2002-12-10 17:31 61440 --a------ C:\Program Files\Logitech\ImageStudio\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2002-12-10 16:54 127022 --a------ C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 15:42 1404928 --a------ C:\Program Files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebCamRT.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

R3 lanusb;GlobeSpan USB ADSL LAN Modem;C:\WINDOWS\system32\DRIVERS\glausb.sys [2003-08-15 13:56]
R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys [2004-06-09 12:16]
R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS [2003-09-25 15:52]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-12-10 16:53]
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 16:59:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-21 17:00:08 - machine was rebooted
.
2007-12-13 03:04:26 --- E O F ---
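The ComboFix log lists what it deleted and every file created in the last month; the entries that stand out in such a list are files carrying both the hidden and system attributes in SYSTEM32, and a burst of new directories under SYSTEM32 created within a couple of minutes of each other. As an added example that is neither from the thread nor ComboFix's own code, here is a Python parser for the "Files Created" section layout that pulls out exactly those two patterns. The sample lines are constructed (made-up names, dates and sizes), and the five-minute window and three-item threshold are my own choices.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample in the layout of ComboFix's "Files Created" section
# (names, dates and sizes are made up, not taken from any real log).
SAMPLE_SECTION = """\
2007-12-20 20:13 . 2007-09-24 23:31 69,632 --a------ C:\\WINDOWS\\SYSTEM32\\example.cpl
2007-12-16 21:37 . 2007-12-21 00:19 <DIR> d-------- C:\\Program Files\\ExampleTool
2007-12-11 21:57 . 2007-12-18 21:08 529,843 --ahs---- C:\\WINDOWS\\SYSTEM32\\zzqq.ini
2007-12-11 21:57 . 2007-12-18 21:05 529,843 --ahs---- C:\\WINDOWS\\SYSTEM32\\zzqq.ini2
2007-12-11 21:53 . 2007-12-11 21:53 <DIR> d-------- C:\\WINDOWS\\SYSTEM32\\abc1
2007-12-11 21:53 . 2007-12-11 22:31 <DIR> d-------- C:\\WINDOWS\\SYSTEM32\\xyz9
2007-12-11 21:52 . 2007-12-11 21:52 <DIR> d-------- C:\\WINDOWS\\SYSTEM32\\qwe2
"""

# Layout: created-stamp . modified-stamp size-or-<DIR> attribute-string path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
STAMP = "%Y-%m-%d %H:%M"


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]  # None for directories
    attrs: str           # e.g. "--ahs----": a=archive, h=hidden, s=system, d=directory
    path: str


def parse_created(section: str) -> List[Entry]:
    """Parse the 'Files Created' lines; anything that does not match the layout is skipped."""
    entries = []
    for raw in section.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(datetime.strptime(m["created"], STAMP),
                             datetime.strptime(m["modified"], STAMP),
                             size, m["attrs"], m["path"]))
    return entries


def hidden_system_files(entries: List[Entry]) -> List[Entry]:
    """Files carrying both the hidden and system attributes: rare for legitimate user-land data."""
    return [e for e in entries if e.size is not None and "h" in e.attrs and "s" in e.attrs]


def burst_clusters(entries: List[Entry], min_items: int = 3,
                   window: timedelta = timedelta(minutes=5),
                   root: str = "c:\\windows\\system32\\") -> List[List[Entry]]:
    """Groups of new items under `root` created within `window` of the group's first item."""
    inside = sorted((e for e in entries if e.path.lower().startswith(root)),
                    key=lambda e: e.created)
    clusters, current = [], []
    for e in inside:
        if current and e.created - current[0].created > window:
            if len(current) >= min_items:
                clusters.append(current)
            current = []
        current.append(e)
    if len(current) >= min_items:
        clusters.append(current)
    return clusters


if __name__ == "__main__":
    found = parse_created(SAMPLE_SECTION)
    for e in hidden_system_files(found):
        print("hidden+system:", e.path)
    for group in burst_clusters(found):
        print(f"{len(group)} items created under system32 from {group[0].created:%Y-%m-%d %H:%M}:")
        for e in group:
            print("   ", e.path)
```

On the constructed sample this reports the two hidden+system .ini files and one cluster of five SYSTEM32 items created within five minutes; on a real log the same burst is what to line up against the "Other Deletions" section to confirm the cleanup reached every dropped item.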

HijackThis logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:09:30 PM, on 21/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\AOL\1167326590\ee\AOLSoftware.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Salaat Time\SalaatTime.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {28022e6a-1f1a-4104-ae2d-befe122c0fa8} - C:\WINDOWS\system32\calxccn.dll (file missing)
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56D40419-BAEF-4A63-9D65-68D7ED90BA29} - C:\Program Files\Online Services\hokepocC:\WINDOWS\system32\doc4\mmildot83122.exe.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167326590\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SalaatTime] C:\Program Files\Salaat Time\SalaatTime.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DF5DE05-0C55-4B59-95C4-F3D5A0AECBCA}: NameServer = 205.188.146.145
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10193 bytes

My computer is running great. I truly appreciate you taking the time to help me. It was very kind of you. Thanks a million.
The following are programs I already have on my PC. Kindly, would you suggest any changes or additions?
Avast 4.7 Home Edition
Spybot Search and Destroy
Adaware SE personal
SUPERAntispyware (your recommendation)

I can't thank you enough. Hope you have a GREAT holiday :)
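The HijackThis log above is read by section prefix (R0/R1 for browser settings, O2/O3 for BHOs and toolbars, O4 for autoruns, O17 for DNS overrides, O23 for services). The short Python script below is an added example, not something posted in this thread or shipped with HijackThis: it parses lines in that shape and raises review flags such as a registered component whose file is missing, an unnamed BHO, a NameServer override, a service with no publisher, or an autorun command without an absolute path. The sample lines are a constructed subset copied from the log above, and the flag rules are the example's own assumptions; whether a flagged entry is actually malicious (the helper's call on the two "(file missing)" BHOs, for instance) is still a human decision.

```python
"""Triage a HijackThis-style log by section prefix.

Added example: heuristic review flags, not a verdict on any entry.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines in the shape of the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {28022e6a-1f1a-4104-ae2d-befe122c0fa8} - C:\WINDOWS\system32\calxccn.dll (file missing)
O2 - BHO: (no name) - {56D40419-BAEF-4A63-9D65-68D7ED90BA29} - C:\Program Files\Online Services\hokepocC:\WINDOWS\system32\doc4\mmildot83122.exe.dll (file missing)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DF5DE05-0C55-4B59-95C4-F3D5A0AECBCA}: NameServer = 205.188.146.145
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "O2 - BHO: ..." style: a section tag, " - ", then the entry body.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# An absolute Windows path, optionally quoted, e.g. C:\... or "C:\...
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


@dataclass
class Finding:
    rule: str      # why the line deserves a look
    section: str   # HJT section tag, e.g. O2
    line: str      # the original log line


def parse_entries(text):
    """Yield (section, body, line) for each line that looks like an HJT entry."""
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def autorun_target(body):
    """For O4 entries, return the command after the [name] bracket."""
    return body.split("]", 1)[1].strip() if "]" in body else body


def triage(text):
    """Return review flags for the entries in an HJT log (heuristics, assumed here)."""
    findings = []
    for section, body, line in parse_entries(text):
        if body.endswith("(file missing)"):
            findings.append(Finding("registered component not on disk", section, line))
        if section in ("O2", "O3") and "(no name)" in body:
            findings.append(Finding("unnamed BHO or toolbar", section, line))
        if section == "O17" and "NameServer" in body:
            findings.append(Finding("DNS server override: confirm who owns it", section, line))
        if section == "O23" and "Unknown owner" in body:
            findings.append(Finding("service without publisher information", section, line))
        if section == "O4" and not ABS_PATH_RE.match(autorun_target(body)):
            findings.append(Finding("autorun command without an absolute path", section, line))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.rule}\n    {f.line}")
    print(summarize(results))
```

Run it against a full saved log (`triage(open("hijackthis.log").read())`) and the flagged lines are the ones to look up before deciding what to fix; a legitimate entry such as the Creative P17Helper autorun or an ISP's DNS server will also be flagged, which is the point of a review list rather than an automatic fix.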

Hiya Maysa,
There are still a couple of entries that concern me in your logs, indicating a Vundo infection. I will need you to run a scan for this. They can cause reinfection down the track.
Also, we will need to clean up a couple of obsolete Norton / Symantec entries that you have.

Download VundoFix by Atribune to your desktop
*Double-click VundoFix.exe to run it.
*When VundoFix re-opens, click the Scan for Vundo button.
*Once it's done scanning, click the Remove Vundo button.
*You will receive a prompt asking if you want to remove the files, click YES
*Once you click yes, your desktop will go blank as it starts removing Vundo.
*When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please post the contents of this file C:\vundofix.txt

Hi there,
I ran Vundo, clicked on Scan Vundo button then when the scan was done, I clicked on Remove Vundo button. I received a message "Done searching for files. No infection files found." Clicked ok , another message appeared "No files were found, Vundofix V6.77 will close now."
I guess it did not prompt any rebooting since there were no infected files found.
I was hoping it would find something since you mentioned a couple of entries indicating a Vundo infection!

I made sure all browser windows were closed except AOL.

The file C:\vundofix.txt :
VundoFix V6.7.7
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 11:47:55 PM 21/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...

That's a very good outcome, the entries for the Vundo infection are empty. We can clean them out with HJT.
Open HJT and click on "Do a system scan only". Fix these items if they are still present:
O2 - BHO: (no name) - {28022e6a-1f1a-4104-ae2d-befe122c0fa8} - C:\WINDOWS\system32\calxccn.dll (file missing)
O2 - BHO: (no name) - {56D40419-BAEF-4A63-9D65-68D7ED90BA29} - C:\Program Files\Online Services\hokepocC:\WINDOWS\system32\doc4\mmildot83122.exe.dll (file missing)
All that's needed now is to remove or disable the Symantec entries. They are left behind from an incomplete removal of Norton. These processes are running in the background and using resources although you are not currently using Norton AV.
Do you recall which version of Norton was installed? If not, that's fine, they can be disabled later.
Download CCleaner:
We will use this shortly to clean all the temp and cache files.
Remove Combofix, click "start" > "run" and copy and paste this into the run box:
ComboFix /u
when prompted click "run". This will remove it from your system. If you get an alert from spybot accept the change. The C:\combofix folder can be deleted next time you restart your pc.
Remove Vundofix, right click the icon on your desktop and delete. Delete the text file C:\vundofix.txt
Remove HJT, simply delete the icon where it is located.
These three programs are regularly updated and if ever needed again it is best to download a fresh copy.

All that is needed now is the norton version previously installed on your pc... It is fine if you don't know we will stop the processes instead.
Once this is done we will clean your pc cache and temp files, flush the restore points and create new one.

Great to hear :)
The two items you posted were found and fixed in HijackThis. I also removed the three programs (ComboFix, VundoFix and HJT).
Downloaded CCleaner and saved in desktop.
I purchased my computer in March 2005, it included a trial 90 day Norton Internet Security. After the trial period, I purchased and installed Norton SystemWorks. I realized when updating at the time, Symantec entries from the 90 day Norton were left behind. But did not dare to remove and thought it would be safer to leave as is.
It's only when I decided to install Avast, that I thought I completely removed Norton and got rid of all its entries.
It would be great if I am able to do so now with you help.
Thank you so much :)

Download the Norton removal tool to your desktop from the Symantec website, there is a link for the Norton 2005 or 2004 products.
Once its downloaded it is fine to run the program then delete the desktop icon.
To be doubly sure this has worked click on "start" > "control panel" > "administrative tools" > "services". In the right pane you will see a list, look through it for anything with symantec or norton in it.
These processes should be named symlcsvc.exe, PIFSvc.exe and / or LUCOMS~1.EXE
If you find that any of these are there, right click it, select properties and change the startup type to disabled. There is a link below you can look at.
Next install and run CCleaner and click on the "Run Cleaner" button. If you are curious to see what or how much it is cleaning from your pc you can select "Analyze" before you run the cleaner. CCleaner is excellent to use for cleaning out the nooks and crannies where little gremlins love to hide.
Last thing to do is to flush and set a new restore point.
Click on "start" > "all programs" > "accessories" > "system tools" > "system restore". On the left you will see a link named "system restore settings", click on this. Now on the top left there is a box with "Turn off system restore" next to it, put a tick in there and click apply, click on yes when the dialogue box appears. Now repeat the process to turn your system restore back on.
You now have a clean restore point set and that was the final thing you needed to do.
You have a good selection of security tools to help protect your pc. You have the antivirus and firewall. These are the big guns. You also have 3 antispyware / adware programs, these are the same 3 I use myself, and a good cleaning program (I use this one also). I use CCleaner to do a clean up before I run any of the other programs, it speeds up the scans and removes a lot also.
One last thing you might want to consider adding to your setup is SpywareBlaster
This little utility runs in the background unnoticed, what it does is it rewrites malicious script before it can misbehave on a system rendering the script useless.
The free version doesn't have an auto update feature so the updates will need to manually be done periodically. The program by default installs at C:\program files\SpywareBlaster. Click on spywareblaster.exe and the update option is on the left side.
Thank you for the holiday wishes earlier and I hope all the very best for your holiday also.

Followed each step thoroughly, added SpywareBlaster and CCleaner to my security tools.
All thanks to you my computer is running GREAT, better than ever. Sorry to sound redundant but I truly appreciate you taking the time to explain each process, the steps to take and your suggestions for better protection.
Thank you very very much. Take care :)
