
Thread: Spurious security warnings?

  1. #1
    Junior Member
    Join Date
    Sep 2007
    Posts
    7

    Spurious security warnings?

    I absent-mindedly clicked on some pop-up when visiting an internet site and now have a series of security pop-ups that appear at annoying frequency. I believe that they are all spurious. "Moshi" described the symptoms accurately in a recent, terminated thread (http://forums.spybot.info/showthread.php?t=17216), so I will just paste her description of the problem:

    Hi,

    I kept getting the following popups:

    a) Windows Security Alert
    Your computer is making unauthorized copies of your system and Internet files. Run scan now to prevent any unauthorised access to your files! Click here to download spyware remover...

    If I click on the YES button to download the spyware remover (I'm not logged on though), the browser would bring me to hxxp://go.winantivirus.com/MTY2NjU=/2/6018/ax=1/ed=1/ex=1/455/

    Is this site to be trusted? How can I get rid of this popup?

    b) URGENT!!! Windows Security Notification!
    2953 Privacy Violations Found! Click here to download and install software to eliminate them!

    If I click to download, the browser would go to hxxp://go.privacyprotector.com/.......


    c) Warning: possible malware infection!
    Malware files are detected on your computer! It's strongly recommended to scan your system immediately in order


    d) Your computer is infected!
    Windows has detected spyware infection!
    It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you.
    Click here to protect your computer from spyware!

    If I click where it instructed, the browser goes to the hxxp://go.winantivirus.com/MTY2NjU=/2/6018/ax=1/ed=1/ex=1/455/

    I've tried using the spybot to check problems and to fix them but after rebooting the system, the errors appear again.

    What has happened to my system and What should I do? Thanks!
    I would only add the additional symptom that access to Control Panel appears to have disappeared, and that Norton Internet Security / Antivirus detects no problem.

    Here is the Hijack log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:25:28 AM, on 9/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    D:\Program Files\GeoGraphix\Tools\GGXNASrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
    C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
    C:\WINDOWS\System32\rcssrv.exe
    C:\Program Files\Dantz\Client\Remotsvc.exe
    D:\Program Files\GeoGraphix\AdaptiveServer90\win32\dbsrv9.exe
    C:\Program Files\Dantz\Client\retroclient.exe
    C:\WINDOWS\System32\winntify.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    D:\Program Files\GeoGraphix\Tools\GeoSync.exe
    C:\WINDOWS\system32\printer.exe
    C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
    C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Pando Networks\Pando\Pando.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r4.attbi.com
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O4 - HKLM\..\Run: [Matrox PowerDesk 8] C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.exe /silent
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
    O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: system.exe
    O4 - Global Startup: autorun.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O20 - AppInit_DLLs: systems.txt
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: GeoGraphix FLEXlm License Service - GLOBEtrotter Software Inc. - C:\GGraphix\Security\lmgrd.exe
    O23 - Service: GGX List Service (v2) - Landmark Graphics Corporation - D:\Program Files\GeoGraphix\Tools\GeoSync.exe
    O23 - Service: GGX Network Access Service - Landmark Graphics Corporation - D:\Program Files\GeoGraphix\Tools\GGXNASrv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
    O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
    O23 - Service: RAID Configuration Service (RAIDService) - Unknown owner - C:\WINDOWS\System32\rcssrv.exe
    O23 - Service: Retrospect Client - EMC Dantz - C:\Program Files\Dantz\Client\Remotsvc.exe
    O23 - Service: GGX Database Service (SQLANYs_GGX) - iAnywhere Solutions, Inc. - D:\Program Files\GeoGraphix\AdaptiveServer90\win32\dbsrv9.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    --
    End of file - 9141 bytes
    Help in exorcising this disruptive problem will be much appreciated.

    BolderBiker

  2. #2
    Security Expert shelf life
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,076


    hi BolderBiker,

    first we will use hjt, then look for some files to delete:

    scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe

    O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe

    O4 - Startup: system.exe
    O4 - Global Startup: autorun.exe
    O20 - AppInit_DLLs: systems.txt
    -----------------
    next:
    navigate to the system32 dir and look for and delete these three .exe's

    WinAvXX.exe
    printer.exe
    winntify.exe

    if you can't delete them bring up task manager by clicking on ctrl-alt-delete. if you see them listed under the process tab, click and end process on them. then try to delete the .exe
    --------------------------
    first stop is here:
    Download SmitfraudFix (by S!Ri) to your Desktop:

    http://siri.urz.free.fr/Fix/SmitfraudFix.zip


    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter

    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. It will create a file named: c:\rapport.txt

    stop at this point and post a HijackThis log along with the contents of the c:\rapport.txt.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    ---------------------------
    next stop:
    Please download ComboFix (by sUBs) from one of the following links:

    http://www.techsupportforum.com/sect...s/ComboFix.exe

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Save it to the Desktop.
    Double-click combofix.exe and follow the prompts.

    CAUTION: Do not mouse-click ComboFix's window while it is running.
    It may cause it to stall.

    When finished, it produces a log.

    Please provide the contents of the ComboFix log in your reply--
    -----------------------------
    after the above, post a new hjt log, the smitfraud log and the combofix log.

    shelf life
    How Can I Reduce My Risk?
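The items shelf life asks to fix above are not random: each is a Windows loading point that the rogue-antispyware droppers of that era used to survive a reboot, and each can be picked out of a HijackThis log mechanically. The script below is an added example, not code from the thread or from HijackThis; the sample log lines are copied from the logs posted in this thread, while the rules, the finding texts and the small allow-list of Windows-directory programs are this example's own constructions. It flags a Winlogon Shell value that runs more than Explorer.exe (F2), Run entries that start an unlisted program from the Windows directory (O4), bare executables copied into a Startup folder instead of a shortcut (O4), regedit disabled by policy (O7), any AppInit_DLLs value (O20) and a service whose binary is gone (O23).

```python
"""Triage a HijackThis 2.x log for persistence points abused by rogue
antispyware droppers.  Added example, not the thread's or HijackThis' own
code; sample lines come from the thread, rules and allow-list are mine."""
import re

# Constructed excerpt of the HJT log posted above (one entry per line).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: systems.txt
O23 - Service: Windows Notification Service (Winnotify) - Unknown owner - C:\WINDOWS\System32\winntify.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
EXE_RE = re.compile(r'"?(.+?\.exe)"?', re.IGNORECASE)

# Programs this machine legitimately starts from the Windows directory.
# Constructed allow-list; a real baseline comes from a known-clean image.
SYSTEM_DIR_ALLOW = {"nerocheck.exe", "mxoaldr.exe", "matrox.powerdesk.exe"}


def parse_line(line):
    """Split 'O4 - HKLM\\..\\Run: [x] y' into ('O4', 'HKLM\\..\\Run: [x] y')."""
    m = LINE_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def check_f2(body):
    # Winlogon's Shell must be exactly Explorer.exe; anything appended
    # is started at every logon alongside the desktop.
    m = re.search(r"Shell=(.*)$", body, re.IGNORECASE)
    if m and m.group(1).strip().lower() != "explorer.exe":
        return "Winlogon Shell runs more than Explorer.exe: " + m.group(1).strip()
    return None


def check_o4(body):
    if body.startswith(("Startup:", "Global Startup:")):
        entry = body.split(":", 1)[1].strip()
        # Normal Startup items are .lnk shortcuts to a full path; a bare
        # .exe with no path was copied straight into the folder.
        if "\\" not in entry and entry.lower().endswith(".exe"):
            return "bare executable in a Startup folder: " + entry
        return None
    m = re.search(r"\]\s*(.*)$", body)
    path = EXE_RE.match(m.group(1).strip()) if m else None
    if not path:
        return None
    low = path.group(1).lower()
    if low.startswith("c:\\windows\\") and low.rsplit("\\", 1)[-1] not in SYSTEM_DIR_ALLOW:
        return "Run entry starts an unlisted program from the Windows directory: " + path.group(1)
    return None


def check_o7(body):
    return "registry editing disabled by policy" if "DisableRegedit=1" in body else None


def check_o20(body):
    # AppInit_DLLs is loaded into every process that links user32.dll; a
    # name that is not .dll (systems.txt) is a DLL renamed to avoid notice.
    value = body.split(":", 1)[1].strip()
    if value:
        suffix = "" if value.lower().endswith(".dll") else " (not named .dll)"
        return "AppInit_DLLs injects " + value + suffix
    return None


def check_o23(body):
    return "service whose binary is missing (orphaned loading point)" if body.endswith("(file missing)") else None


CHECKS = {"F2": check_f2, "O4": check_o4, "O7": check_o7, "O20": check_o20, "O23": check_o23}


def triage(log_text):
    """Return [{'code', 'reason', 'line'}] for every entry a rule flags."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        code, body = parsed
        reason = CHECKS.get(code, lambda _: None)(body)
        if reason:
            findings.append({"code": code, "reason": reason, "line": line.strip()})
    return findings
```

Run `triage(SAMPLE_LOG)` and the eight findings are exactly the entries shelf life checkmarks, plus the HKCU copy of the WinAVX Run entry and the orphaned Winnotify service that surface in the later logs. The O4 rule leans on the allow-list, so a new machine will produce false positives until its legitimate Windows-directory programs are added; that is the intended trade-off, since a Run entry pointing into system32 with no vendor folder is exactly what a reviewer wants to look at.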

  3. #3
    Junior Member
    Join Date
    Sep 2007
    Posts
    7


    Hi Shelf Life: Many thanks for your help.

    Before the SmitfraudFix "C:\rapport.txt" report, I should mention that this pesky thing is switching off Norton Internet Security's "Phishing Protection", even after I have restored it using Symantec's fix.

    Anyway, here is the "C:\rapport.txt" report, after having completed all the preceding steps that you outlined:

    SmitFraudFix v2.221

    Scan done at 20:33:37.21, Thu 09/06/2007
    Run from C:\Documents and Settings\lloyd\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    D:\Program Files\GeoGraphix\Tools\GGXNASrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
    C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
    C:\WINDOWS\System32\rcssrv.exe
    C:\Program Files\Dantz\Client\Remotsvc.exe
    C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
    C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Program Files\GeoGraphix\AdaptiveServer90\win32\dbsrv9.exe
    C:\Program Files\Dantz\Client\retroclient.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Pando Networks\Pando\Pando.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    D:\Program Files\GeoGraphix\Tools\GeoSync.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cmd.exe

    hosts

    hosts file corrupted !

    192.168.200.3 download.microsoft.com
    192.168.200.3 downloads.microsoft.com
    192.168.200.3 go.microsoft.com
    192.168.200.3 microsoft.com
    192.168.200.3 msdn.microsoft.com
    192.168.200.3 office.microsoft.com
    192.168.200.3 support.microsoft.com
    192.168.200.3 windowsupdate.microsoft.com
    192.168.200.3 www.microsoft.com
    192.168.200.3 pandasoftware.com
    192.168.200.3 www.pandasoftware.com

    C:\


    C:\WINDOWS


    C:\WINDOWS\system


    C:\WINDOWS\Web


    C:\WINDOWS\system32


    C:\WINDOWS\system32\LogFiles


    C:\Documents and Settings\lloyd


    C:\Documents and Settings\lloyd\Application Data


    Start Menu


    C:\DOCUME~1\lloyd\FAVORI~1


    Desktop


    C:\Program Files


    Corrupted keys


    Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    Rustock



    DNS

    Description: Intel 8255x-based PCI Ethernet Adapter (10/100) - Packet Scheduler Miniport
    DNS Server Search Order: 68.87.85.98
    DNS Server Search Order: 68.87.69.146

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{340AAB85-487B-4A6B-A31E-D9800FE25239}: DhcpNameServer=68.87.85.98 68.87.69.146
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{340AAB85-487B-4A6B-A31E-D9800FE25239}: DhcpNameServer=68.87.85.98 68.87.69.146
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{340AAB85-487B-4A6B-A31E-D9800FE25239}: DhcpNameServer=68.87.85.98 68.87.69.146
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146


    Scanning for wininet.dll infection


    End
    And this is the HijackThis log of the HJT scan that I ran right after:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:01:57 PM, on 9/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    D:\Program Files\GeoGraphix\Tools\GGXNASrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
    C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
    C:\WINDOWS\System32\rcssrv.exe
    C:\Program Files\Dantz\Client\Remotsvc.exe
    C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
    C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Program Files\GeoGraphix\AdaptiveServer90\win32\dbsrv9.exe
    C:\Program Files\Dantz\Client\retroclient.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Pando Networks\Pando\Pando.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    D:\Program Files\GeoGraphix\Tools\GeoSync.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r4.attbi.com
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O4 - HKLM\..\Run: [Matrox PowerDesk 8] C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.exe /silent
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
    O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: GeoGraphix FLEXlm License Service - GLOBEtrotter Software Inc. - C:\GGraphix\Security\lmgrd.exe
    O23 - Service: GGX List Service (v2) - Landmark Graphics Corporation - D:\Program Files\GeoGraphix\Tools\GeoSync.exe
    O23 - Service: GGX Network Access Service - Landmark Graphics Corporation - D:\Program Files\GeoGraphix\Tools\GGXNASrv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
    O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
    O23 - Service: RAID Configuration Service (RAIDService) - Unknown owner - C:\WINDOWS\System32\rcssrv.exe
    O23 - Service: Retrospect Client - EMC Dantz - C:\Program Files\Dantz\Client\Remotsvc.exe
    O23 - Service: GGX Database Service (SQLANYs_GGX) - iAnywhere Solutions, Inc. - D:\Program Files\GeoGraphix\AdaptiveServer90\win32\dbsrv9.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: Windows Notification Service (Winnotify) - Unknown owner - C:\WINDOWS\System32\winntify.exe (file missing)

    --
    End of file - 8841 bytes
    My next post will have the ComboFix log and new SmitfraudFix and HJT logs.

    Again, many thanks for your help Shelf Life.

    BolderBiker
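The "hosts file corrupted !" section of the SmitfraudFix report above is the part of this log worth understanding: every Microsoft update and support name, plus Panda's, is mapped to 192.168.200.3, so update checks and scanner downloads from this machine never reach the vendor. The script below is an added example, not code from the thread or from SmitfraudFix; its sample hosts file is built from the eleven lines in the rapport.txt above plus a constructed default header and localhost line, and the watch-list of vendor domains and the clean-up routine are this example's own. It distinguishes a redirect (a watched name sent to a non-loopback address) from a blackhole (a watched name sent to 127.0.0.1 or 0.0.0.0, which also breaks updates but less visibly) and produces a cleaned copy of the file.

```python
"""Inspect a Windows hosts file for vendor-name tampering of the kind
SmitfraudFix reported above.  Added example, not the thread's or
SmitfraudFix's own code; sample lines from the thread, watch-list mine."""
import ipaddress

# Constructed hosts file: a default header and localhost line plus the
# eleven entries SmitfraudFix listed in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
192.168.200.3 download.microsoft.com
192.168.200.3 downloads.microsoft.com
192.168.200.3 go.microsoft.com
192.168.200.3 microsoft.com
192.168.200.3 msdn.microsoft.com
192.168.200.3 office.microsoft.com
192.168.200.3 support.microsoft.com
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 www.microsoft.com
192.168.200.3 pandasoftware.com
192.168.200.3 www.pandasoftware.com
"""

# Names an end-user PC should never resolve through the hosts file.
# Constructed watch-list for the example; extend it with your own vendors.
WATCH_SUFFIXES = ("microsoft.com", "windowsupdate.com", "pandasoftware.com",
                  "symantec.com", "kaspersky.com", "spybot.info")


def parse_hosts(text):
    """Yield (line_number, ip, [hostnames], raw_line); comments, blank lines
    and lines whose first field is not an IP address are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; leave it for a human
        yield lineno, ip, [h.lower() for h in fields[1:]], raw


def _watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCH_SUFFIXES)


def inspect_hosts(text):
    """Return one finding per watched name the file overrides."""
    findings = []
    for lineno, ip, hosts, _ in parse_hosts(text):
        for host in hosts:
            if not _watched(host):
                continue
            # loopback/unspecified: the name is blackholed, lookups fail quietly;
            # anything else: the name is redirected to an address someone chose.
            kind = "blackhole" if ip.is_loopback or ip.is_unspecified else "redirect"
            findings.append({"line": lineno, "host": host, "ip": str(ip), "kind": kind})
    return findings


def clean_hosts(text):
    """Drop every flagged line, keep everything else, and make sure the
    default localhost mapping survives."""
    bad = {f["line"] for f in inspect_hosts(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad]
    has_localhost = any(ip.is_loopback and "localhost" in hosts
                        for _, ip, hosts, _ in parse_hosts("\n".join(kept)))
    if not has_localhost:
        kept.append("127.0.0.1\tlocalhost")
    return "\n".join(kept) + "\n"
```

On Windows XP the file lives at %SystemRoot%\system32\drivers\etc\hosts; take a copy before writing the output of `clean_hosts` back, and remember that the hosts file is only the symptom here, because whatever set those entries will set them again until the loader shelf life points at is gone.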

  4. #4
    Junior Member
    Join Date
    Sep 2007
    Posts
    7


    Hello, again, Shelf Life:

    These are the final set of reports.

    First, the ComboFix log:

    ComboFix 07-08-30.3 - "lloyd" 2007-09-06 21:09:02.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1558 [GMT -6:00]
    * Created a new restore point


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    E:\Autorun.inf


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_WINNOTIFY
    -------\Winnotify


    ((((((((((((((((((((((((( Files Created from 2007-08-07 to 2007-09-07 )))))))))))))))))))))))))))))))


    2007-09-06 21:08 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-09-06 20:33 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-09-06 20:33 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-09-06 20:33 3,846 --a------ C:\WINDOWS\system32\tmp.reg
    2007-09-06 20:33 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2007-09-06 20:33 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-09-06 11:24 <DIR> d-------- C:\Program Files\Trend Micro


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-09-06 21:05 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
    2007-09-06 14:38 --------- d-------- C:\Program Files\Common Files\Symantec Shared
    2007-09-04 14:41 --------- d-------- C:\Program Files\Wisdom-soft ScreenHunter
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
    2007-07-14 07:02 --------- d-------- C:\Program Files\Rainbow Technologies
    2007-07-14 07:02 --------- d-------- C:\Program Files\Common Files\ESRI
    2007-07-14 07:02 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GeoGraphix
    2007-06-26 00:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-20 14:10 60968 --a------ C:\DOCUME~1\lloyd\GoToAssistDownloadHelper.exe
    2007-06-19 07:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-06-13 04:23 1033216 --a------ C:\WINDOWS\explorer.exe
    2006-12-06 14:43 630784 --a------ C:\DOCUME~1\lloyd\GoToAssist_chat2way__317_en.exe
    2006-05-02 09:08 630784 --a------ C:\DOCUME~1\lloyd\chatlnk.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Matrox PowerDesk 8"="C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.exe" [2004-08-19 11:12]
    "NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 04:50]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 17:44]
    "RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-12-01 13:46]
    "RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 11:38]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 11:38]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-30 03:10]
    "MXO Auto Loader"="C:\WINDOWS\MXOALDR.EXE" [2005-04-13 23:07]
    "MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 16:04]
    "mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 17:24]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
    "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 19:22]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 10:24]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 08:49]
    "Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2007-07-11 20:59]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

    C:\DOCUME~1\lloyd\STARTM~1\Programs\Startup\
    PowerReg Scheduler.exe [2004-07-07 11:02:02]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    R0 raidsrc;raidsrc;C:\WINDOWS\system32\drivers\raidsrc.sys
    R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys
    R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
    R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
    R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
    R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
    R2 GGX List Service (v2);GGX List Service (v2);"D:\Program Files\GeoGraphix\Tools\GeoSync.exe"
    R2 GGX Network Access Service;GGX Network Access Service;"D:\Program Files\GeoGraphix\Tools\GGXNASrv.exe"
    R2 RAIDService;RAID Configuration Service;C:\WINDOWS\System32\rcssrv.exe
    R2 Retrospect Client;Retrospect Client;C:\Program Files\Dantz\Client\Remotsvc.exe
    R2 SQLANYs_GGX;GGX Database Service;"D:\Program Files\GeoGraphix\AdaptiveServer90\win32\dbsrv9.exe" -hvSQLANYs_GGX
    R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
    R3 MTXPARH;MTXPARH;C:\WINDOWS\system32\DRIVERS\MTXPARHM.sys
    R3 MXOPSWD;Maxtor OneTouch Security Driver;C:\WINDOWS\system32\DRIVERS\mxopswd.sys
    S2 GeoGraphix FLEXlm License Service;GeoGraphix FLEXlm License Service;C:\GGraphix\Security\lmgrd.exe
    S2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
    S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
    S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
    S3 MXOFX;USB Storage Adapter FX (MXO);C:\WINDOWS\system32\DRIVERS\MXOFX.SYS

    *Newly Created Service* - COMHOST

    Contents of the 'Scheduled Tasks' folder
    2007-09-01 04:29:30 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - lloyd.job - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-06 21:12:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************


    Completion time: 2007-09-06 21:14:37 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-06 21:14

    --- E O F ---
    I should mention that the computer rebooted during the ComboFix scan. I assume that this is normal.

    Then I ran SmitfraudFix, with the following log created:

    SmitFraudFix v2.221

    Scan done at 21:25:38.21, Thu 09/06/2007
    Run from C:\Documents and Settings\lloyd\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    D:\Program Files\GeoGraphix\Tools\GGXNASrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
    C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
    C:\WINDOWS\System32\rcssrv.exe
    C:\Program Files\Dantz\Client\Remotsvc.exe
    D:\Program Files\GeoGraphix\AdaptiveServer90\win32\dbsrv9.exe
    C:\Program Files\Dantz\Client\retroclient.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    D:\Program Files\GeoGraphix\Tools\GeoSync.exe
    C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
    C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Pando Networks\Pando\Pando.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\cmd.exe

    hosts


    C:\


    C:\WINDOWS


    C:\WINDOWS\system


    C:\WINDOWS\Web


    C:\WINDOWS\system32


    C:\WINDOWS\system32\LogFiles


    C:\Documents and Settings\lloyd


    C:\Documents and Settings\lloyd\Application Data


    Start Menu


    C:\DOCUME~1\lloyd\FAVORI~1


    Desktop


    C:\Program Files


    Corrupted keys


    Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    Rustock



    DNS

    Description: Intel 8255x-based PCI Ethernet Adapter (10/100) - Packet Scheduler Miniport
    DNS Server Search Order: 68.87.85.98
    DNS Server Search Order: 68.87.69.146

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{340AAB85-487B-4A6B-A31E-D9800FE25239}: DhcpNameServer=68.87.85.98 68.87.69.146
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{340AAB85-487B-4A6B-A31E-D9800FE25239}: DhcpNameServer=68.87.85.98 68.87.69.146
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{340AAB85-487B-4A6B-A31E-D9800FE25239}: DhcpNameServer=68.87.85.98 68.87.69.146
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146


    Scanning for wininet.dll infection


    End
    I have put the final HJT scan log in my next post, as the forum informs me that the post is too long otherwise.

    BolderBiker

  5. #5
    Junior Member
    Join Date
    Sep 2007
    Posts
    7

    Default

    Shelf Life, this is the log from the final HJT scan, run after the SmitfraudFix scan, whose log is in the preceding post:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:30:04 PM, on 9/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    D:\Program Files\GeoGraphix\Tools\GGXNASrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
    C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
    C:\WINDOWS\System32\rcssrv.exe
    C:\Program Files\Dantz\Client\Remotsvc.exe
    D:\Program Files\GeoGraphix\AdaptiveServer90\win32\dbsrv9.exe
    C:\Program Files\Dantz\Client\retroclient.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    D:\Program Files\GeoGraphix\Tools\GeoSync.exe
    C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
    C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Pando Networks\Pando\Pando.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r4.attbi.com
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O4 - HKLM\..\Run: [Matrox PowerDesk 8] C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.exe /silent
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
    O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: GeoGraphix FLEXlm License Service - GLOBEtrotter Software Inc. - C:\GGraphix\Security\lmgrd.exe
    O23 - Service: GGX List Service (v2) - Landmark Graphics Corporation - D:\Program Files\GeoGraphix\Tools\GeoSync.exe
    O23 - Service: GGX Network Access Service - Landmark Graphics Corporation - D:\Program Files\GeoGraphix\Tools\GGXNASrv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
    O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
    O23 - Service: RAID Configuration Service (RAIDService) - Unknown owner - C:\WINDOWS\System32\rcssrv.exe
    O23 - Service: Retrospect Client - EMC Dantz - C:\Program Files\Dantz\Client\Remotsvc.exe
    O23 - Service: GGX Database Service (SQLANYs_GGX) - iAnywhere Solutions, Inc. - D:\Program Files\GeoGraphix\AdaptiveServer90\win32\dbsrv9.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    --
    End of file - 8564 bytes
    I hope that I completed everything as you requested, Shelf Life.

    Many thanks.

    BolderBiker

  6. #6
    Security Expert shelf life's Avatar
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,076

    Default

    hi BolderBiker,

    ok thanks for all the info. how's it looking on that end now?

    shelf life
    How Can I Reduce My Risk?

  7. #7
    Junior Member
    Join Date
    Sep 2007
    Posts
    7

    Default

    Hi Shelf Life:

    It looks like your prescriptive instructions have cured the problem. Thank you. I will do some work on the computer for a while to see if the problems re-occur, but I believe the nightmare may be over. Do you know what type of infection/intrusion my computer experienced?

    BTW, I agree "Security is a Process, Not a Product"... Unfortunately, a process I violated when clicking unwisely on a misleading pop-up on an otherwise innocent site.

    BolderBiker

  8. #8
    Security Expert shelf life's Avatar
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,076

    Default

    hi BolderBiker,

    ok good. cruise around and make sure it's all ok.

    Do you know what type of infection/intrusion my computer experienced
    it's called smitfraud. there are countless different fake spyware removers you are prompted to download. they scan and find all kinds of horrible stuff on your computer. the catch is that to "remove it" will cost you a fee.

    and you can get it from a malicious website and many other ways.
    i have some short malware install videos on my website. one is from just visiting a website:

    http://security-central.us/SafeHex/trojan%20video.htm

    once it all looks good we will make new restore points.


    shelf life
    How Can I Reduce My Risk?

  9. #9
    Junior Member
    Join Date
    Sep 2007
    Posts
    7

    Default

    Hi Shelf Life:

    I have worked with the computer all day, and it seems to be back to normal. I guess computers are like your body: you don't fully appreciate good health until you don't have it! Should I now go ahead and create a restore point?

    BolderBiker

  10. #10
    Security Expert shelf life's Avatar
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,076

    Default

    hi BolderBiker,

    be back to normal
    good

    now go ahead and create a restore point?
    yes, you can do it like this:

    One of the features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.

    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

    (winXP)

    1. Turn off System Restore. (deletes old possibly infected restore point)
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore. (new restore points on a clean system)
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK, then reboot.
    -----------------------------
    How to Turn On and Turn Off System Restore in Windows XP
    http://support.microsoft.com/default...b;en-us;310405

    happy safe surfing.

    shelf life
    How Can I Reduce My Risk?
