|
| Computing.Net: Over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to sign up now, it's free! |
random popups and slow internet
|
Original Message
|
Name: mbslaughter91
Date: November 11, 2007 at 16:59:26 Pacific
Subject: random popups and slow internetOS: Windows XP home editionCPU/Ram: core 2 duo / 1 gig ramManufacturer/Model: pacific solutions |
Comment: I keep getting all these random popups and i have firefox with its addblocker, and that has worked well for a while until recently. my internet has been really really slow. i was wondering what i could do to get rid of it. Matt Slaughter
Report Offensive Message For Removal
|
|
Response Number 1
|
Name: jabuck
Date: November 11, 2007 at 17:09:30 Pacific
|
Reply: Please download and install the latest version of HijackThis v2.0.2: Download the HijackThis Installer from this link: HijackThis 1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required. Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop. !!!! Only run option #1 as runing the other options on an uninfected computer will damage the desktop.!!!!
Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
 Report Offensive Follow Up For Removal
|
|
Response Number 2
|
|
Reply: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:21 PM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispa...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pacificsolutions.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.as...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_c...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.as...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_c...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sXe Injected] C:\Program Files\sXe Injected\sXe Injected.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = J:\Office10\OSA.EXE
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pacificsolutions.com
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe --
End of file - 7613 bytes
Matt Slaughter
Report Offensive Follow Up For Removal
|
|
Response Number 3
|
Name: jabuck
Date: November 12, 2007 at 17:50:28 Pacific
|
Reply: Go to start> control panel> add/remove programs and uninstall this rogue program: SpywareBot Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked": O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot Exit Hijack This. Update your java. Go to start> control panel> java> update> update now> uncheck/decline any google toolbar options if present.
Once updated go to control panel> add/remove programs and unistall all the other java versions on the computer except for the jre1.6.0_03 version you just installed. Those older version are one way you could have been infected. Please download ComboFix to the desktop from this link: http://download.bleepingcomputer.com/sUBs/ComboFix.exe Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.) Please post the log it produces.
Report Offensive Follow Up For Removal
|
|
Response Number 4
|
|
Reply: There is a problem. I went to add/remove programs and under it i could not find the program named SpywareBot. I sorted it by name but the closest thing i found to it was spybot search and dystroy which i'm pretty sure you didn't mean. What do I do? Matt Slaughter
Report Offensive Follow Up For Removal
|
|
Response Number 5
|
Name: jabuck
Date: November 13, 2007 at 03:46:08 Pacific
|
Reply: No, we are not looking for "Spybot". Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok. Navigate to and delete this files if found: C:\Program Files\SpywareBot\SpywareBot.exe Then navigate to and delete this folder if found: C:\Program Files\SpywareBot Let us know what you find. Then please post the second part of response #1, the smitfruadfix report.
Report Offensive Follow Up For Removal
|
|
Response Number 6
|
|
Reply: I found and deleted C:\Program Files\SpywareBot\SpywareBot.exe I ran Hijackthis and deleted the two files you told me to. ran combofix and let it go while i was away from my computer and came back and it was restarting. when windows boots up i have it run AIM and SXEinjected so the combofix was also up so i tried exiting out of AIM and SXE injected and my computer shut down when i clicked. when it rebooted it said that my system had just recovered from a serious error. here are my logs.
SmitFraudFix v2.253 Scan done at 16:28:58.23, Tue 11/13/2007
Run from C:\Documents and Settings\Matt\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Process C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\system32\cmd.exe »»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Matt
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Matt\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Matt\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS Description: D-Link WDA-1320 Desktop Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.10.1 HKLM\SYSTEM\CCS\Services\Tcpip\..\{90374904-2F60-4DF2-BD21-463EA552FDA6}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{90374904-2F60-4DF2-BD21-463EA552FDA6}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{90374904-2F60-4DF2-BD21-463EA552FDA6}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
ComboFix 07-11-08.1 - Matt 2007-11-13 16:18:35.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.612 [GMT -8:00]
Running from: C:\Documents and Settings\Matt\Desktop\ComboFix.exe
. ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\Documents and Settings\Matt\Local Settings\Application Data\vveksraiip.dat
C:\Documents and Settings\Matt\Local Settings\Application Data\vveksraiip.exe
c:\Documents and Settings\Matt\Local Settings\Application Data\vveksraiip_nav.dat
c:\Documents and Settings\Matt\Local Settings\Application Data\vveksraiip_navps.dat
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wpcap.dll .
((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) .
-------\NPF
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.
2007-11-13 16:10 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 16:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-07 18:43 <DIR> d-------- C:\Program Files\Free Fire Screensaver
2007-11-07 18:43 <DIR> d-------- C:\Program Files\Crawler
2007-11-07 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Laconic Software
2007-11-06 18:13 <DIR> d-------- C:\WINDOWS\Sun
2007-11-05 17:08 <DIR> d-------- C:\Documents and Settings\Matt\Application Data\Talkback
2007-10-30 10:22 <DIR> d-------- C:\WINDOWS\pss
2007-10-27 23:59 <DIR> d-------- C:\Program Files\STOPzilla!
2007-10-27 23:59 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-10-27 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-10-27 23:50 <DIR> d-------- C:\Program Files\sXe Injected
2007-10-27 23:50 <DIR> d-------- C:\Program Files\Counter-Strike 1.6
2007-10-27 21:07 147,456 --a------ C:\WINDOWS\system32\igfxCoIn_v4864.dll
2007-10-27 21:07 104,636 --a------ C:\WINDOWS\system32\igmedcompkrn.dll
2007-10-27 20:30 <DIR> d-------- C:\Intel
2007-10-27 18:15 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-27 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-27 18:09 <DIR> d-------- C:\Documents and Settings\Matt\Application Data\SpywareBot
2007-10-24 19:55 <DIR> d-------- C:\Program Files\SopCast
2007-10-24 19:55 <DIR> d-------- C:\Documents and Settings\Matt\Application Data\SopCast
2007-10-24 19:29 <DIR> d-------- C:\Documents and Settings\Matt\Application Data\TVU Networks
2007-10-24 12:55 <DIR> d-------- C:\ruby .
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 04:15 --------- d-----w C:\Program Files\KeyLogger
2007-11-10 01:55 --------- d-----w C:\Documents and Settings\Matt\Application Data\MySQL
2007-10-27 17:43 --------- d-----w C:\Program Files\7-Zip
2007-10-24 20:46 --------- d-----w C:\Program Files\Google
2007-10-24 00:06 --------- d-----w C:\Program Files\AIM6
2007-10-24 00:05 --------- d-----w C:\Program Files\Viewpoint
2007-10-24 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-24 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-24 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-16 04:43 --------- d-----w C:\Documents and Settings\Matt\Application Data\U3
2007-10-04 01:08 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-25 22:53 --------- d-----w C:\Program Files\Tansee iPod Transfer
2007-09-10 16:15 920,088 ----a-w C:\WINDOWS\system32\igxpun.exe
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-08-24 18:23 2,575,360 ----a-w C:\WINDOWS\system32\igxpdx32.dll
2007-08-24 18:23 1,615,808 ----a-w C:\WINDOWS\system32\igxpdv32.dll
2007-08-24 18:22 57,344 ----a-w C:\WINDOWS\system32\igxprd32.dll
2007-08-24 18:22 150,528 ----a-w C:\WINDOWS\system32\igxpgd32.dll
2007-08-24 18:22 1,174,000 ----a-w C:\WINDOWS\system32\igmedkrn.dll
2007-08-24 18:07 2,400,256 ----a-w C:\WINDOWS\system32\ig4icd32.dll
2007-08-24 18:07 1,527,808 ----a-w C:\WINDOWS\system32\ig4dev32.dll
2007-08-24 18:02 520,192 ----a-w C:\WINDOWS\system32\igfxcfg.exe
2007-08-24 18:01 159,744 ----a-w C:\WINDOWS\system32\hkcmd.exe
2007-08-24 18:01 135,168 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-08-24 18:00 48,128 ----a-w C:\WINDOWS\system32\igfxsrvc.dll
2007-08-24 18:00 3,293,184 ----a-w C:\WINDOWS\system32\igfxress.dll
2007-08-24 18:00 245,760 ----a-w C:\WINDOWS\system32\igfxsrvc.exe
2007-08-24 18:00 24,576 ----a-w C:\WINDOWS\system32\igfxexps.dll
2007-08-24 18:00 208,896 ----a-w C:\WINDOWS\system32\igfxdev.dll
2007-08-24 18:00 204,800 ----a-w C:\WINDOWS\system32\igfxpph.dll
2007-08-24 18:00 172,032 ----a-w C:\WINDOWS\system32\igfxres.dll
2007-08-24 18:00 163,840 ----a-w C:\WINDOWS\system32\igfxzoom.exe
2007-08-24 18:00 163,840 ----a-w C:\WINDOWS\system32\igfxext.exe
2007-08-24 18:00 135,168 ----a-w C:\WINDOWS\system32\igfxdo.dll
2007-08-24 18:00 131,072 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-08-24 18:00 102,400 ----a-w C:\WINDOWS\system32\hccutils.dll
2007-08-24 15:46 2,249,216 ----a-w C:\WINDOWS\Free Fire Screensaver.scr
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
. ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 00:56 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 02:04 C:\WINDOWS\SkyTel.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40]
"D-Link Wireless G WDA-1320"="C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe" [2005-12-14 14:56]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-11-30 09:35]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 15:14]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 15:15]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 02:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-24 10:01]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-24 10:01]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-24 10:00]
"sXe Injected"="C:\Program Files\sXe Injected\sXe Injected.exe" [2007-10-29 23:59] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-28 20:56:48]
Microsoft Office.lnk - J:\Office10\OSA.EXE [2001-02-13 00:01:04]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 21:24:38] R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys .
Contents of the 'Scheduled Tasks' folder
"2007-11-10 00:22:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-13 11:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.exe
.
************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 16:19:31
Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully
hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ddsxeiservice]
"ImagePath"="\??\C:\Program Files\sXe Injected\ddsxei.sys"
.
Completion time: 2007-11-13 16:20:07
.
--- E O F ---
Matt Slaughter
Report Offensive Follow Up For Removal
|
|
Response Number 7
|
Name: jabuck
Date: November 13, 2007 at 19:43:09 Pacific
|
Reply: Navigate to and delete these files if found. C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job C:\Program Files\SpywareBot\SpywareBot.exe (for a double check) Havigate to and delete this folder if found: C:\Program Files\SpywareBot (Also for a double check) Update your java. Go to start> control panel> java> update> update now> uncheck/decline any google toolbar options if present.
Once updated go to control panel> add/remove programs and unistall all the other java versions on the computer except for the jre1.6.0_03 version you just installed. Those older version are one way you could have been infected. You should add "Spywareblaster" to your arsenol of antispyware tools, just do a google search for spywareblaster, download it,install it, and update it. Its free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version. How is the computer operating?
Report Offensive Follow Up For Removal
|
|
Response Number 8
|
|
Reply: I deleted that file already updated java and installed spywareblaster yet my internet is still very slow. the popups have been eliminated though thank you for that.
Matt Slaughter
Report Offensive Follow Up For Removal
|
|
Response Number 9
|
Name: jabuck
Date: November 14, 2007 at 14:56:22 Pacific
|
Reply: I don't see anything that would interfere with the internet connection. You might try uninstalling the google web accelerator, reboot, if it didn't help you can always reinstall it. And on occasion I have to shut my computer down, turn off the router, unplug the satelite modem, wait 30 seconds, plug in the modem and wait for it to sync, turn on the router (wait for it to connect) then start the computer. If that don't help contect your ISP.
Report Offensive Follow Up For Removal
|
|
Response Number 11
|
Name: jabuck
Date: November 17, 2007 at 14:49:40 Pacific
|
Reply: Please download the Sophos Anti-Rootkit Scanner and save it to your desktop from the following link.
Sophos-Anti-Rootkit You will need to enter your name, e-mail address and location in order to access the download page.
Once you have downloaded the file, double click the sarsfx icon
Review the licence agreement and click on the Accept button
The scanner will prompt you to extract the files to C:\SOPHTEMP - DO NOT change this location, simply click the Install button
Once the files have been extracted; using Windows Explorer, navigate to C:\SOPHTEMP and double click on the blue shield icon called sargui. Ensure that there are checkmarks next to Running processes, Windows registry and Local hard drives, then click Start scan
Allow the program to scan your computer - please be patient as it may take some time
Once the scan has completed a window will pop-up with the results of the scan - click OK to this. In the main window, you will see each of the entries found by the scan (if any)
If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review. Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you. If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
To clean up these entries click on the Clean up checked items button. If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so. Then post a new Hijack This log and a new Combofix log please.
Report Offensive Follow Up For Removal
|
|
Response Number 12
|
|
Reply: sophos did not find any files Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:10:04 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Video Add-on\icthis.exe
C:\Program Files\Video Add-on\isfmntr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Video Add-on\icmntr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Video Add-on\isfmm.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sophos\Sophos Anti-Rootkit\sargui.exe
C:\DOCUME~1\Matt\LOCALS~1\Temp\kzkhgm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pacificsolutions.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.as...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_c...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23B760D6-C98B-450B-9B32-26C7775CDF83} - C:\Program Files\Video Add-on\isfmdl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: IE Custom Tools - {70CC76D5-A4EE-4F25-9931-B109A63E298E} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sXe Injected] C:\Program Files\sXe Injected\sXe Injected.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pacificsolutions.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/pa...
O22 - SharedTaskScheduler: doglike - {3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea} - C:\WINDOWS\system32\fftktmk.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe --
End of file - 7197 bytes
ComboFix 07-11-08.1 - Matt 2007-11-17 17:11:06.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.508 [GMT -8:00]
Running from: C:\Documents and Settings\Matt\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
. 2007-11-17 14:57 <DIR> d-------- C:\Program Files\Sophos
2007-11-16 17:48 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-16 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-16 17:33 <DIR> d---s---- C:\Documents and Settings\Matt\UserData
2007-11-15 22:47 <DIR> d-------- C:\WINDOWS\ShellNew
2007-11-15 22:47 <DIR> d-------- C:\Program Files\Video Add-on
2007-11-15 22:47 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-11-14 21:07 <DIR> d-------- C:\Program Files\[u]0[/u]1-mp3search
2007-11-14 19:32 <DIR> d-------- C:\Program Files\Winamp
2007-11-14 19:32 <DIR> d-------- C:\Documents and Settings\Matt\Application Data\Winamp
2007-11-13 21:29 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-13 18:58 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-13 16:29 3,226 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-13 16:28 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-13 16:28 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-13 16:28 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-13 16:28 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-13 16:28 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-13 16:10 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 16:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-07 18:43 <DIR> d-------- C:\Program Files\Free Fire Screensaver
2007-11-07 18:43 <DIR> d-------- C:\Program Files\Crawler
2007-11-07 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Laconic Software
2007-11-06 18:13 <DIR> d-------- C:\WINDOWS\Sun
2007-11-05 17:08 <DIR> d-------- C:\Documents and Settings\Matt\Application Data\Talkback
2007-10-30 10:22 <DIR> d-------- C:\WINDOWS\pss
2007-10-27 23:59 <DIR> d-------- C:\Program Files\STOPzilla!
2007-10-27 23:59 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-10-27 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-10-27 23:50 <DIR> d-------- C:\Program Files\Counter-Strike 1.6
2007-10-27 21:07 147,456 --a------ C:\WINDOWS\system32\igfxCoIn_v4864.dll
2007-10-27 21:07 104,636 --a------ C:\WINDOWS\system32\igmedcompkrn.dll
2007-10-27 20:30 <DIR> d-------- C:\Intel
2007-10-27 18:15 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-27 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-27 18:09 <DIR> d-------- C:\Documents and Settings\Matt\Application Data\SpywareBot
2007-10-24 19:55 <DIR> d-------- C:\Program Files\SopCast
2007-10-24 19:55 <DIR> d-------- C:\Documents and Settings\Matt\Application Data\SopCast
2007-10-24 19:29 <DIR> d-------- C:\Documents and Settings\Matt\Application Data\TVU Networks
2007-10-24 12:55 <DIR> d-------- C:\ruby .
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 20:58 --------- d-----w C:\Documents and Settings\Matt\Application Data\MySQL
2007-11-17 20:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-16 06:47 12,800 --s-a-w C:\WINDOWS\system32\fftktmk.dll
2007-11-15 03:04 --------- d-----w C:\Program Files\Tansee iPod Transfer
2007-11-14 03:46 --------- d-----w C:\Program Files\Java
2007-11-10 04:15 --------- d-----w C:\Program Files\KeyLogger
2007-10-27 17:43 --------- d-----w C:\Program Files\7-Zip
2007-10-24 20:46 --------- d-----w C:\Program Files\Google
2007-10-24 00:06 --------- d-----w C:\Program Files\AIM6
2007-10-24 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-24 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-16 04:43 --------- d-----w C:\Documents and Settings\Matt\Application Data\U3
2007-10-04 01:08 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-10 16:15 920,088 ----a-w C:\WINDOWS\system32\igxpun.exe
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-08-24 18:23 2,575,360 ----a-w C:\WINDOWS\system32\igxpdx32.dll
2007-08-24 18:23 1,615,808 ----a-w C:\WINDOWS\system32\igxpdv32.dll
2007-08-24 18:22 57,344 ----a-w C:\WINDOWS\system32\igxprd32.dll
2007-08-24 18:22 150,528 ----a-w C:\WINDOWS\system32\igxpgd32.dll
2007-08-24 18:22 1,174,000 ----a-w C:\WINDOWS\system32\igmedkrn.dll
2007-08-24 18:07 2,400,256 ----a-w C:\WINDOWS\system32\ig4icd32.dll
2007-08-24 18:07 1,527,808 ----a-w C:\WINDOWS\system32\ig4dev32.dll
2007-08-24 18:02 520,192 ----a-w C:\WINDOWS\system32\igfxcfg.exe
2007-08-24 18:01 159,744 ----a-w C:\WINDOWS\system32\hkcmd.exe
2007-08-24 18:01 135,168 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-08-24 18:00 48,128 ----a-w C:\WINDOWS\system32\igfxsrvc.dll
2007-08-24 18:00 3,293,184 ----a-w C:\WINDOWS\system32\igfxress.dll
2007-08-24 18:00 245,760 ----a-w C:\WINDOWS\system32\igfxsrvc.exe
2007-08-24 18:00 24,576 ----a-w C:\WINDOWS\system32\igfxexps.dll
2007-08-24 18:00 208,896 ----a-w C:\WINDOWS\system32\igfxdev.dll
2007-08-24 18:00 204,800 ----a-w C:\WINDOWS\system32\igfxpph.dll
2007-08-24 18:00 172,032 ----a-w C:\WINDOWS\system32\igfxres.dll
2007-08-24 18:00 163,840 ----a-w C:\WINDOWS\system32\igfxzoom.exe
2007-08-24 18:00 163,840 ----a-w C:\WINDOWS\system32\igfxext.exe
2007-08-24 18:00 135,168 ----a-w C:\WINDOWS\system32\igfxdo.dll
2007-08-24 18:00 131,072 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-08-24 18:00 102,400 ----a-w C:\WINDOWS\system32\hccutils.dll
2007-08-24 15:46 2,249,216 ----a-w C:\WINDOWS\Free Fire Screensaver.scr
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
. ((((((((((((((((((((((((((((( snapshot@2007-11-13_16.19.34.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-16 06:47:59 167,936 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2007-11-16 06:47:59 81,920 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2007-11-16 06:47:59 34,304 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2007-11-16 06:47:59 8,192 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2007-11-16 06:47:59 3,584 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2007-11-16 06:47:59 114,688 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2007-11-16 06:47:59 16,384 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2007-11-16 06:47:59 30,720 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2007-11-16 06:47:59 22,528 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2007-11-16 06:47:59 45,056 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2007-11-16 06:47:59 90,112 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2006-12-19 21:52:18 8,453,632 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2007-07-12 08:22:00 135,168 -c--a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 06:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-12 08:22:04 135,168 -c--a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 06:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-12 09:22:38 139,264 -c--a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 07:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 20:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 23:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 23:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
- 1998-03-25 03:54:08 15,872 ----a-w C:\WINDOWS\system32\SCP32.DLL
+ 1998-03-25 04:54:08 15,872 ----a-w C:\WINDOWS\system32\SCP32.DLL
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\system32\shell32.dll
- 2005-10-12 23:12:25 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-03-06 01:22:33 14,048 ------w C:\WINDOWS\system32\spmsg.dll
- 1999-11-25 00:40:50 40,960 ----a-w C:\WINDOWS\system32\VBAME.DLL
+ 1999-11-25 01:40:50 40,960 ----a-w C:\WINDOWS\system32\VBAME.DLL
- 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-11-17 22:46:50 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5a0.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23B760D6-C98B-450B-9B32-26C7775CDF83}]
2007-11-17 14:46 13824 --a------ C:\Program Files\Video Add-on\isfmdl.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{70CC76D5-A4EE-4F25-9931-B109A63E298E}"= C:\Program Files\Video Add-on\ictmdl.dll [2007-11-15 22:47 81920] [HKEY_CLASSES_ROOT\CLSID\{70CC76D5-A4EE-4F25-9931-B109A63E298E}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 00:56 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 02:04 C:\WINDOWS\SkyTel.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40]
"D-Link Wireless G WDA-1320"="C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe" [2005-12-14 14:56]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-11-30 09:35]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 15:14]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 15:15]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 02:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-24 10:01]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-24 10:01]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-24 10:00]
"sXe Injected"="C:\Program Files\sXe Injected\sXe Injected.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-09 21:28] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-28 20:56:48]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea}"= C:\WINDOWS\system32\fftktmk.dll [2007-11-15 22:47 12800] R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
R3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\17.tmp
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys *Newly Created Service* - MEMSWEEP2
.
Contents of the 'Scheduled Tasks' folder
"2007-11-10 00:22:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 17:11:47
Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully
hidden files: 0 **************************************************************************
.
Completion time: 2007-11-17 17:12:14
C:\ComboFix2.txt ... 2007-11-13 16:20
.
--- E O F --- Matt Slaughter
Report Offensive Follow Up For Removal
|
|
Response Number 13
|
Name: jabuck
Date: November 18, 2007 at 11:42:46 Pacific
|
Reply: I see the baddie as Smitfraud, run option #1 again please. the following is in case you have unistalled it. Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop. !!!! Only run option #1 as runing the other options on an uninfected computer will damage the desktop.!!!!
Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
Report Offensive Follow Up For Removal
|
|
Response Number 14
|
|
Reply: SmitFraudFix v2.253 Scan done at 10:32:29.57, Sun 11/18/2007
Run from C:\Documents and Settings\Matt\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Process C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\PROGRA~1\EARTHL~1\PCFINE~1\MXTask.exe
C:\Program Files\Video Add-on\icthis.exe
C:\Program Files\Video Add-on\isfmntr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Video Add-on\icmntr.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Video Add-on\isfmm.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\EARTHL~1\PCFINE~1\mxtask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe »»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Matt
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Matt\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Matt\FAVORI~1 C:\DOCUME~1\Matt\FAVORI~1\Online Security Test.url FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\Video Add-on\ FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea}"="doglike" [HKEY_CLASSES_ROOT\CLSID\{3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea}\InProcServer32]
@="C:\WINDOWS\system32\fftktmk.dll" [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea}\InProcServer32]
@="C:\WINDOWS\system32\fftktmk.dll" »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS Description: D-Link WDA-1320 Desktop Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.10.1 HKLM\SYSTEM\CCS\Services\Tcpip\..\{90374904-2F60-4DF2-BD21-463EA552FDA6}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{90374904-2F60-4DF2-BD21-463EA552FDA6}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{90374904-2F60-4DF2-BD21-463EA552FDA6}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Matt Slaughter
Report Offensive Follow Up For Removal
|
|
Response Number 15
|
Name: jabuck
Date: November 18, 2007 at 13:28:48 Pacific
|
Reply: Next, please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. Once in Safe Mode, open the "SmitfraudFix" folder again and double-click "smitfraudfix.cmd"
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing " Y " and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if "wininet.dll " is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing "Y" and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok. Next, please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account.
Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Also post back with a new Hijack This log.
Report Offensive Follow Up For Removal
|
|
Response Number 16
|
|
Reply: The popups are gone now. YAY. i don't know if there is anything still wrong with my computer but it looks all good. SmitFraudFix v2.253 Scan done at 12:22:14.48, Sun 11/18/2007
Run from C:\Documents and Settings\Matt\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:00 PM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\PROGRA~1\EARTHL~1\PCFINE~1\MXTask.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\EARTHL~1\PCFINE~1\mxtask.exe
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.as...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_c...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23B760D6-C98B-450B-9B32-26C7775CDF83} - C:\Program Files\Video Add-on\isfmdl.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: IE Custom Tools - {70CC76D5-A4EE-4F25-9931-B109A63E298E} - C:\Program Files\Video Add-on\ictmdl.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pacificsolutions.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/pa...
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC FineTune Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\EARTHL~1\PCFINE~1\MXTask.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe --
End of file - 6616 bytes »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea}"="doglike" [HKEY_CLASSES_ROOT\CLSID\{3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea}\InProcServer32]
@="C:\WINDOWS\system32\fftktmk.dll" [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea}\InProcServer32]
@="C:\WINDOWS\system32\fftktmk.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri C:\WINDOWS\system32\fftktmk.dll -> Hoax.Win32.Renos.gen.o
C:\WINDOWS\system32\fftktmk.dll -> Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\Matt\FAVORI~1\Online Security Test.url Deleted
C:\Program Files\Video Add-on\ Deleted »»»»»»»»»»»»»»»»»»»»»»»» DNS HKLM\SYSTEM\CCS\Services\Tcpip\..\{90374904-2F60-4DF2-BD21-463EA552FDA6}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{90374904-2F60-4DF2-BD21-463EA552FDA6}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{90374904-2F60-4DF2-BD21-463EA552FDA6}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Matt Slaughter
Report Offensive Follow Up For Removal
|
|
Response Number 17
|
Name: jabuck
Date: November 18, 2007 at 15:33:31 Pacific
|
Reply: Post a new Hijack This log and a new ombofix log please. Make sure your spywareblaster is updated, there should be a total of 8811 items in the database.
Report Offensive Follow Up For Removal
|
Post Locked
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
Go to Security and Virus Forum Home
Results for: random popups and slow internet
Slow Internet Connection and Popups Summary: I've been experiencing a really slow internet connection speed for about 2 weeks. Connection speed is supposed to be 10 Mbps but is much slower. My ISP says that the connection is fine. Is it possi... www.computing.net/answers/security/slow-internet-connection-and-popups/7292.html
Popups and slow system Summary: I continue to have annoying popup ads everytime that I start IE6. I also have this ridiculous lag time browsing the internet. I've tried Ad-aware, Spybot, Stinger, McAfee, and CW Shredder but all of... www.computing.net/answers/security/popups-and-slow-system/13025.html
PopUps and slow browsing Summary: Slow scrolling on browser and several popups when using explorer7. Please help. I have ran Seach and destroy and adware. ... www.computing.net/answers/security/popups-and-slow-browsing/22085.html
|
|
|
