Spybot Logo
Go Back   Safer-Networking Forums > General Malware > Archives
Reload this Page smitfraud, winantiviruspro infection
Register ProjectsBlogs FAQ Search Today's Posts Mark Forums Read Home Support Download Donate

 
Page 1 of 2 1 2
 
Thread Tools Display Modes
Old 2007-03-19, 15:33   #1
baycam1
Junior Member
 
Join Date: Mar 2007
Posts: 5
Default smitfraud, winantiviruspro infection
My PC is infected with a few items that spybot can find but cannot get rid of. Can somebody please assist me? I have included my HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 10:23:31 AM, on 3/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\LxrJD31s.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\security\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=w...R7xB2G4p1PbSsQ
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O3 - Toolbar: Starware Screensavers Toolbar - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - blank (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in_1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINNT\system32\bvkbvfbk.dll",setvm
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: PhotoCenter.lnk = C:\Program Files\ExpressDigital\PhotoCenter\PhotoCenter.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZNfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe

Thank you for whatever help you can provide.
baycam1 is offline  
Old 2007-03-19, 19:20   #2
Angelfire777
Visiting Staff
 
Angelfire777's Avatar
 
Join Date: Dec 2006
Posts: 753
Default
Hi, welcome to Safer Networking forums!

*It is possible that some of the entries are hiding from us, so please rename HijackThis.exe to something like angelfire777.exe

*Please download VundoFix.exe to your Desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

*Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run any other options except for Option # 1.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
__________________
AngelFire777

Proud member of UNITE and ASAP since 2006.
Angelfire777 is offline  
Old 2007-03-19, 21:55   #3
baycam1
Junior Member
 
Join Date: Mar 2007
Posts: 5
Default
followed directions you supplied, here are the new logs:

vundofix:


VundoFix V6.3.17

Checking Java version...

Scan started at 2:13:19 PM 3/19/2007

Listing files found while scanning....

blank
C:\Documents and settings\FRONT\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\FRONT\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\WINNT\system32\amqcmqfx.exe
C:\WINNT\system32\huaggjbv.exe
C:\WINNT\system32\jjjlm.bak1
C:\WINNT\system32\jjjlm.bak2
C:\WINNT\system32\jjjlm.ini
C:\WINNT\system32\jjjlm.ini2
C:\WINNT\system32\jjjlm.tmp
C:\WINNT\system32\mljjj.dll
C:\WINNT\system32\mxxyoipc.exe
C:\WINNT\system32\ovqnqbsc.exe
C:\WINNT\system32\tkyxhqet.exe
C:\WINNT\system32\ugnrmdea.exe
C:\WINNT\system32\usvjudmr.exe
C:\WINNT\system32\veuctqcc.exe
C:\WINNT\system32\xxywwtt.dll
C:\WINNT\system32\yvsfvrqy.exe

Beginning removal...

Attempting to delete C:\Documents and settings\FRONT\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\FRONT\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt Has been deleted!

Attempting to delete C:\Documents and settings\FRONT\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Documents and settings\FRONT\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt Has been deleted!

Attempting to delete C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\Program Files\VSAdd-in\VSAdd-in.dll Has been deleted!

Attempting to delete C:\WINNT\system32\amqcmqfx.exe
C:\WINNT\system32\amqcmqfx.exe Has been deleted!

Attempting to delete C:\WINNT\system32\huaggjbv.exe
C:\WINNT\system32\huaggjbv.exe Has been deleted!

Attempting to delete C:\WINNT\system32\jjjlm.bak1
C:\WINNT\system32\jjjlm.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\jjjlm.bak2
C:\WINNT\system32\jjjlm.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\jjjlm.ini
C:\WINNT\system32\jjjlm.ini Has been deleted!

Attempting to delete C:\WINNT\system32\jjjlm.ini2
C:\WINNT\system32\jjjlm.ini2 Has been deleted!

Attempting to delete C:\WINNT\system32\jjjlm.tmp
C:\WINNT\system32\jjjlm.tmp Has been deleted!

Attempting to delete C:\WINNT\system32\mljjj.dll
C:\WINNT\system32\mljjj.dll Has been deleted!

Attempting to delete C:\WINNT\system32\mxxyoipc.exe
C:\WINNT\system32\mxxyoipc.exe Has been deleted!

Attempting to delete C:\WINNT\system32\ovqnqbsc.exe
C:\WINNT\system32\ovqnqbsc.exe Has been deleted!

Attempting to delete C:\WINNT\system32\tkyxhqet.exe
C:\WINNT\system32\tkyxhqet.exe Has been deleted!

Attempting to delete C:\WINNT\system32\ugnrmdea.exe
C:\WINNT\system32\ugnrmdea.exe Has been deleted!

Attempting to delete C:\WINNT\system32\usvjudmr.exe
C:\WINNT\system32\usvjudmr.exe Has been deleted!

Attempting to delete C:\WINNT\system32\veuctqcc.exe
C:\WINNT\system32\veuctqcc.exe Has been deleted!

Attempting to delete C:\WINNT\system32\xxywwtt.dll
C:\WINNT\system32\xxywwtt.dll Has been deleted!

Attempting to delete C:\WINNT\system32\yvsfvrqy.exe
C:\WINNT\system32\yvsfvrqy.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Scan started at 2:41:34 PM 3/19/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.17

Checking Java version...

Scan started at 3:30:17 PM 3/19/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.17

Checking Java version...

Scan started at 4:39:33 PM 3/19/2007

Listing files found while scanning....

No infected files were found.

smitfraudfix:

SmitFraudFix v2.150

Scan done at 16:52:11.81, Mon 03/19/2007
Run from C:\Documents and Settings\FRONT\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\FRONT


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\FRONT\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\FRONT\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

new HJT:

Logfile of HijackThis v1.99.1
Scan saved at 4:54:20 PM, on 3/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\LxrJD31s.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\notepad.exe
C:\security\angel.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINNT\system32\bvkbvfbk.dll",setvm
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: PhotoCenter.lnk = C:\Program Files\ExpressDigital\PhotoCenter\PhotoCenter.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZNfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe

thanks
baycam1 is offline  
Old 2007-03-20, 01:57   #4
Angelfire777
Visiting Staff
 
Angelfire777's Avatar
 
Join Date: Dec 2006
Posts: 753
Default
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
__________________
AngelFire777

Proud member of UNITE and ASAP since 2006.
Angelfire777 is offline  
Old 2007-03-21, 13:45   #5
baycam1
Junior Member
 
Join Date: Mar 2007
Posts: 5
Default
thank you very much for the help!

okay here they are:

sdfix:


SDFix: Version 1.74

Run by FRONT - Wed 03/21/2007 - 8:36:03.68

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX

"" -e mc-110-12-0000137

Client IP-IPX Deleted


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\Program Files\A.ico - Deleted
C:\Program Files\B.ico - Deleted
C:\WINNT\system32\netstat.com - Deleted
C:\WINNT\system32\taskkill.com - Deleted
C:\WINNT\system32\unsvchosts.lzma - Deleted



ADS Check:

C:\WINNT\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\ExpressDigital\\PhotoCenter\\PhotoCenter.exe"="C:\\Program Files\\ExpressDigital\\PhotoCenter\\PhotoCenter.exe:*:Enabled:PhotoCenter"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\WINNT\system32\cmd.com
C:\WINNT\system32\ping.com
C:\WINNT\system32\regedit.com
C:\WINNT\system32\tasklist.com
C:\WINNT\system32\tracert.com
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe

Finished

new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:41:48 AM, on 3/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\LxrJD31s.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\security\angel.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINNT\system32\bvkbvfbk.dll",setvm
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: PhotoCenter.lnk = C:\Program Files\ExpressDigital\PhotoCenter\PhotoCenter.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZNfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe

THANKS!
baycam1 is offline  
Old 2007-03-21, 16:48   #6
Angelfire777
Visiting Staff
 
Angelfire777's Avatar
 
Join Date: Dec 2006
Posts: 753
Default
Hi,

Uninstall the item in bold beolow:

MyWebSearch


*A few optionals that I would recommend be uninstalled.

LimeWire
This program is very likely the reason your system is infested with malware. Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove this program from your system.

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

*Reboot
___________

*Update AVG Anti-Spyware
  • From the main AVG Anti-Spyware screen, click on Update, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Exit AVG Anti-Spyware. DO NOT scan yet.

*Download ATF Cleaner by Atribune

Do not use it yet.


*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINNT\system32\bvkbvfbk.dll",setvm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZNfox000


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
_____________

*You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.


*Configure your machine to view hidden files:

Windows XP
  • Click Start.
  • Open My Computer..
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the "Hidden files and folders" heading select Show hidden files and folders.
  • Uncheck the Hide Protected Operating System Files Option.
  • Click Yes to confirm.
  • Click OK.

*Using Windows Explorer, find and delete these files:

C:\WINNT\system32\bvkbvfbk.dl
C:\WINNT\system32\cmd.com
C:\WINNT\system32\ping.com
C:\WINNT\system32\regedit.com
C:\WINNT\system32\tasklist.com
C:\WINNT\system32\tracert.com
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe

Delete the following if you uninstalled limewire:

C:\program files\limewire

Empty your Recycle bin.
__________________-

*Important: Make sure all your browsers are closed before running ATF Cleaner..
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose:Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click
  • No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE:If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

*Please run AVG AntiSpyware, and run a full scan as follow:

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process.
  • Launch AVG AntiSpyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
  • Close AVG AntiSpyware.
  • Reboot to normal mode.

On your next reply, please include a fresh HijackThis log, AVG Antispyware log and a description on how your machine is running.
__________________
AngelFire777

Proud member of UNITE and ASAP since 2006.
Angelfire777 is offline  
Old 2007-03-21, 18:39   #7
baycam1
Junior Member
 
Join Date: Mar 2007
Posts: 5
Default
okay, i didn't find mywebseach or any limewire files on C: or in add/remove. i unistalled limewire a few months ago. everything else went off without a hitch, avg found many items. the avg log is long do you want me to send the whole thing or just a part of it? let me know and i will send whatever you want. the machine seems to be running well, after i post this i will do another spybot search and see if anything comes up. thanks again!

new HJT:

Logfile of HijackThis v1.99.1
Scan saved at 1:24:58 PM, on 3/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\LxrJD31s.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINNT\system32\wuauclt.exe
C:\security\angel.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: PhotoCenter.lnk = C:\Program Files\ExpressDigital\PhotoCenter\PhotoCenter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
baycam1 is offline  
Old 2007-03-21, 19:06   #8
Angelfire777
Visiting Staff
 
Angelfire777's Avatar
 
Join Date: Dec 2006
Posts: 753
Default
Hi, you can just post the log and use separate posts for all of it to fit
__________________
AngelFire777

Proud member of UNITE and ASAP since 2006.
Angelfire777 is offline  
Old 2007-03-21, 20:34   #9
baycam1
Junior Member
 
Join Date: Mar 2007
Posts: 5
Default
here is a new avg report. i ran avg again after the first cleanup and it is a shorter log. it would take about 15 posts to get all of the first avg report. i will send it if you want. sorry if this is a pain. thanks

new avg log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:22:16 PM 3/21/2007

+ Scan result:



C:\System Volume Information\_restore{42C0B2BF-C98B-41F1-BEC2-CD1E638CB4CB}\RP53\A0006362.exe -> Adware.Bar888 : Cleaned.
C:\System Volume Information\_restore{42C0B2BF-C98B-41F1-BEC2-CD1E638CB4CB}\RP54\A0007362.exe -> Adware.Bar888 : Cleaned.
C:\System Volume Information\_restore{42C0B2BF-C98B-41F1-BEC2-CD1E638CB4CB}\RP56\A0007430.exe -> Adware.Bar888 : Cleaned.
C:\System Volume Information\_restore{42C0B2BF-C98B-41F1-BEC2-CD1E638CB4CB}\RP79\A0012054.exe -> Adware.Bar888 : Cleaned.
C:\System Volume Information\_restore{42C0B2BF-C98B-41F1-BEC2-CD1E638CB4CB}\RP79\A0012055.exe -> Adware.Bar888 : Cleaned.
C:\security\SmitfraudFix\SmiUpdate.exe -> Adware.SmiUpdate : Cleaned.
C:\System Volume Information\_restore{42C0B2BF-C98B-41F1-BEC2-CD1E638CB4CB}\RP99\A0014027.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{42C0B2BF-C98B-41F1-BEC2-CD1E638CB4CB}\RP99\A0014026.dll -> Adware.TargetServer : Cleaned.
C:\System Volume Information\_restore{42C0B2BF-C98B-41F1-BEC2-CD1E638CB4CB}\RP58\A0010184.dll -> Adware.WebHancer : Cleaned.
C:\System Volume Information\_restore{42C0B2BF-C98B-41F1-BEC2-CD1E638CB4CB}\RP99\A0014028.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\System Volume Information\_restore{42C0B2BF-C98B-41F1-BEC2-CD1E638CB4CB}\RP99\A0014025.exe -> Trojan.Small : Cleaned.


::Report end
baycam1 is offline  
Old 2007-03-22, 06:12   #10
Angelfire777
Visiting Staff
 
Angelfire777's Avatar
 
Join Date: Dec 2006
Posts: 753
Default
Congratulations! Your log looks clean!

Configure Windows Xp to hide system files:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading, select Do not show hidden files and folders.
  • Check the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.
_______________________
This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your pc's security.

Firewall Application - Although Windows Xp comes with a firewall, you should not rely on it because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present in your computer can access the internet with no restrictions. There are several other Firewall that can protect you better by filtering incoming and outgoing data. Make sure you get only one of these.

» ZoneAlarm
» Kerio

Install SpyWare Blaster
~You can download it from here
~You can read the tutorial on how to use Spyware Blaster here

Install WinPatrol
~You can download it from here
~You can get some information about how WinPatrol works here

IESpyAds
~You can download it from here
~If you want to know how IEspyads work you can take a look at it here
~Please note that IESpyAds only works with Internet Explorer.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Happy safe surfing!
__________________
AngelFire777

Proud member of UNITE and ASAP since 2006.
Angelfire777 is offline  
 
Page 1 of 2 1 2

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT +2. The time now is 17:23.

Contact Us - Safer-Networking Limited - Archive - Privacy Statement - Top

Copyright © 2000-2010 Safer-Networking Limited. All rights reserved.