virusburst



BEJON
2007-04-03, 12:39
HJT LOG
Logfile of HijackThis v1.99.1
Scan saved at 6:26:36 AM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {116D4961-37BF-4A0A-919E-673A1B2D89A0} (CSDVRS) - http://sprintvrs.com/CSDVRS.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152829915739
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: considerateness - {4d993022-0899-4599-b4b6-0f887d0802e6} - C:\WINDOWS\system32\oqabf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

BEJON
2007-04-03, 12:42
Do I need to post the whole ActiveScan log? Because if so, it will take over 25 posts. Or should I just post the NOT disinfected ones?

ActiveScan Log:


Incident Status Location

Virus:W32/Gaobot.MJA.worm Disinfected Operating system
Virus:Trj/Gaodrop.A Disinfected Operating system
Adware:Adware/VirusBurst Not disinfected C:\WINDOWS\system32\oqabf.dll
Adware:adware/mediatickets Not disinfected C:\WINDOWS\system32\oins.exe
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\USDR6_0001_D08M0404NetInstaller.exe
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Ali\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/consumeralertsystem Not disinfected c:\program files\System Files
Adware:adware/commad Not disinfected Windows Registry
Adware:adware/webhancer Not disinfected Windows Registry
Adware:adware/ucmore Not disinfected Windows Registry
Adware:adware/intcodec Not disinfected Windows Registry
Adware:adware/mirar Not disinfected Windows Registry
Virus:Trj/Gaodrop.A Disinfected C:\Documents and Settings\Ali\Complete\ Games.zip[Setup.exe]
Virus:Trj/Gaodrop.A Disinfected C:\Documents and Settings\Ali\Complete\ Music.zip[Setup.exe]
Virus:Trj/Gaodrop.A Disinfected C:\Documents and Settings\Ali\Complete\ Software.zip[Setup.exe]
Virus:Trj/Gaodrop.A Disinfected C:\Documents and Settings\Ali\Complete\!( DJ Smallz - Smokin RnB Volume 1 (2007) [VBR] [ TapeDown.Com RapHustle.Com ].zip[Setup.exe]
Virus:Trj/Gaodrop.A Disinfected C:\Documents and Settings\Ali\Complete\((demonoid com))-windows xp colossus edition 2 updated by drykilllogic [www trackerx com ar].zip[Setup.exe]
-----------------------------------------------------------------------

Virus:W32/Gaobot.MJA.worm Disinfected C:\Documents and Settings\Ali\Desktop\_\ZoneAlarm Pro 6.0.591.002 beta.exe
Virus:W32/Gaobot.MFM.worm Disinfected C:\onoes.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{0C15C3C4-05DA-1033-0930-031120030001}\services.dll
Adware:Adware/SystemDoctor Not disinfected C:\Program Files\iCodecPack\iesplugin.dll
Adware:Adware/IntCodec Not disinfected C:\Program Files\iCodecPack\isamini.exe
Adware:Adware/IntCodec Not disinfected C:\Program Files\iCodecPack\isamonitor.exe
Adware:Adware/SystemDoctor Not disinfected C:\Program Files\iCodecPack\isauninst.exe
Adware:Adware/IntCodec Not disinfected C:\Program Files\iCodecPack\pmmon.exe
Adware:Adware/SystemDoctor Not disinfected C:\Program Files\iCodecPack\pmsngr.exe
Virus:Trj/Gaodrop.A Disinfected C:\Program Files\outlook\p.zip[Setup.exe]
Virus:Trj/Gaodrop.A Disinfected C:\Program Files\outlook\v.tmp
Adware:Adware/Deskwizz Not disinfected C:\RDFX4.exe
Adware:Adware/IntCodec Not disinfected C:\RECYCLER\S-1-5-21-1417001333-1383384898-854245398-1003\Dc43\backup-20060912-002720-776.dll
Virus:W32/Gaobot.MJA.worm Disinfected C:\RECYCLER\S-1-5-21-1417001333-1383384898-854245398-1003\Dc7.exe
Virus:W32/Gaobot.MJA.worm Disinfected C:\RECYCLER\S-1-5-21-1417001333-1383384898-854245398-1003\Dc8.exe
Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\srvbhdtacs.exe[nodeipproc.dll]
Spyware:Spyware/7r7t Not disinfected C:\WINDOWS\srvhuzlded.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Potentially unwanted tool:Application/Ardamax Not disinfected C:\WINDOWS\system32\Sys\iexplore.006
Potentially unwanted tool:Application/Ardamax Not disinfected C:\WINDOWS\system32\Sys\iexplore.007
Potentially unwanted tool:Application/Ardamax Not disinfected C:\WINDOWS\system32\Sys\iexplore.exe
Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\system32\VSL05.exe

BEJON
2007-04-03, 13:36
I ran the Online Scan Again, just to get you a complete log. If this is not needed, my apologies.

ActiveScan Log:


Incident Status Location

Adware:Adware/VirusBurst Not disinfected C:\WINDOWS\system32\oqabf.dll
Adware:adware/mediatickets Not disinfected C:\WINDOWS\system32\oins.exe
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\USDR6_0001_D08M0404NetInstaller.exe
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Ali\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/consumeralertsystem Not disinfected c:\program files\System Files
Adware:adware/commad Not disinfected Windows Registry
Adware:adware/webhancer Not disinfected Windows Registry
Adware:adware/ucmore Not disinfected Windows Registry
Adware:adware/intcodec Not disinfected Windows Registry
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Ali\Cookies\ali@247realmedia[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Ali\Cookies\ali@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Ali\Cookies\ali@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Ali\Cookies\ali@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Ali\Cookies\ali@adrevolver[3].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Ali\Cookies\ali@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Ali\Cookies\ali@ads.pointroll[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Ali\Cookies\ali@adultfriendfinder[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ali\Cookies\ali@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Ali\Cookies\ali@azjmp[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Ali\Cookies\ali@bravenet[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Ali\Cookies\ali@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Ali\Cookies\ali@burstnet[2].txt
Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\Ali\Cookies\ali@c.fsx[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ali\Cookies\ali@com[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Ali\Cookies\ali@cs.sexcounter[2].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Ali\Cookies\ali@fortunecity[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Ali\Cookies\ali@gostats[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Ali\Cookies\ali@go[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Ali\Cookies\ali@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Ali\Cookies\ali@realmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Ali\Cookies\ali@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Ali\Cookies\ali@serving-sys[1].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Ali\Cookies\ali@stat.onestat[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Ali\Cookies\ali@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Ali\Cookies\ali@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Ali\Cookies\ali@www.burstbeacon[2].txt
Spyware:Cookie/VirusBurst Not disinfected C:\Documents and Settings\Ali\Cookies\ali@www.virusburst[1].txt
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\Ali\Cookies\ali@www47.buydomains[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Ali\Cookies\ali@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Ali\Cookies\ali@yadro[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ali\Desktop\Ali-000\SmitfraudFix\SmitfraudFix\Process.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{0C15C3C4-05DA-1033-0930-031120030001}\services.dll
Adware:Adware/Deskwizz Not disinfected C:\RDFX4.exe
Adware:Adware/IntCodec Not disinfected C:\RECYCLER\S-1-5-21-1417001333-1383384898-854245398-1003\Dc43\backup-20060912-002720-776.dll
Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\srvbhdtacs.exe[nodeipproc.dll]
Spyware:Spyware/7r7t Not disinfected C:\WINDOWS\srvhuzlded.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\system32\VSL05.exe

pskelley
2007-04-03, 18:55
Welcome to the forum. It appears you read the "BEFORE you POST" Mandatory Steps Before Requesting Assistance:
http://forums.spybot.info/showthread.php?t=288
Please review it again; it slows things down when all instructions are not followed:

Note: In Notepad, under Format, uncheck "Word Wrap". Produce all HJT logs like this, single spaced.

Since that is "Virusburst", read and follow these directions:
http://forums.spybot.info/showthread.php?t=4015

Thanks

BEJON
2007-04-04, 06:29
Thanks...and here are the results.

Rapport.txt

SmitFraudFix v2.162

Scan done at 22:51:23.06, Tue 04/03/2007
Run from C:\Documents and Settings\Ali\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{4d993022-0899-4599-b4b6-0f887d0802e6}"="considerateness"

[HKEY_CLASSES_ROOT\CLSID\{4d993022-0899-4599-b4b6-0f887d0802e6}\InProcServer32]
@="C:\WINDOWS\system32\oqabf.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{4d993022-0899-4599-b4b6-0f887d0802e6}\InProcServer32]
@="C:\WINDOWS\system32\oqabf.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\oqabf.dll -> Hoax.Win32.Renos.gen.d
C:\WINDOWS\system32\oqabf.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

BEJON
2007-04-04, 06:30
HJT Log


Logfile of HijackThis v1.99.1
Scan saved at 11:21:59 PM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {116D4961-37BF-4A0A-919E-673A1B2D89A0} (CSDVRS) - http://sprintvrs.com/CSDVRS.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152829915739
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

pskelley
2007-04-04, 14:02
Thanks for returning your information; it looks like SmitFraudFix did a great job for you. I suggest you do this now.

1) Uninstall this program: C:\Program Files\ewido anti-spyware 4.0\guard.exe. It is obsolete; it was purchased by Grisoft, updated and re-released as AVG Anti-Spyware 7.5, and is available for a trial if you ever need it.

2) I see no active anti-virus program running on the computer. It is cyber-suicide going online anymore without one. Here are some free ones if needed:
http://free.grisoft.com/freeweb.php/doc/2/
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/

3) Make sure you are running a firewall. If you are depending on the SP2 firewall, I suggest you don't; here are a couple that are freeware:
http://www.jetico.com/index.htm#/jpfirewall.htm
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

4) Unless I am missing something, I see no real-time antispyware program running. Read the links from the expert to see what they suggest, but if you need a free one:
http://www.microsoft.com/athome/security/spyware/software/default.mspx

5) Check your Java program for an update:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

6) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

7) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
(next item can be left if you are positive it is safe)
O16 - DPF: {116D4961-37BF-4A0A-919E-673A1B2D89A0} (CSDVRS) - http://sprintvrs.com/CSDVRS.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

You may delete SmitFraudFix from your computer; if it is ever needed again, it must be downloaded fresh from the website.

No need to post again unless you have issues, finish like this:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot, then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
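As an added example (my own code, not a tool from this thread or from the Safer Networking forum), a small Python triage helper that re-joins HijackThis entries split by Notepad's Word Wrap (the problem pskelley points out), diffs a before/after pair of logs so the effect of SmitFraudFix and "Fix Checked" can be verified, and flags the O16/O20/O21 entry classes for review. The two log excerpts are constructed from the logs in this thread, and the REVIEW reasons and function names are my own assumptions.

```python
import re
from typing import Dict, List, Tuple

ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")  # "O21 - SSODL: ..." style lines
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed excerpt modelled on the first log in the thread, word-wrapped the way it
# was posted: the O9 entry is broken over a blank line and a continuation line.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start

Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O16 - DPF: {116D4961-37BF-4A0A-919E-673A1B2D89A0} (CSDVRS) - http://sprintvrs.com/CSDVRS.ocx
O21 - SSODL: considerateness - {4d993022-0899-4599-b4b6-0f887d0802e6} - C:\WINDOWS\system32\oqabf.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed excerpt modelled on the final log: SmitFraudFix removed the O21 entry,
# "Fix Checked" removed the O9/O16 lines, and a Java update moved ssv.dll.
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Entry classes worth a second look, with the reason a reviewer would give (my wording).
REVIEW = {
    "O20": "Winlogon Notify DLL: loaded into winlogon.exe at every logon",
    "O21": "SSODL DLL: loaded by the Explorer shell at every logon",
    "O16": "ActiveX control downloaded from the listed URL; keep only if the source is trusted",
}

def unwrap(log: str) -> List[str]:
    """Return the entry lines of a log, re-joining continuations created by Word Wrap."""
    entries: List[str] = []
    for raw in log.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            entries.append(line)
        elif line and entries:
            # Not blank and not a new entry (header/process lines come first): a wrapped tail.
            entries[-1] = entries[-1] + " " + line
    return entries

def parse_entry(line: str) -> Dict[str, str]:
    """Split one entry into its section code, CLSID (if any) and final path/URL field."""
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError("not a HijackThis entry: " + line)
    kind, rest = m.group(1), m.group(2)
    clsid = CLSID_RE.search(rest)
    return {
        "kind": kind,
        "clsid": clsid.group(0).lower() if clsid else "",
        "path": rest.rsplit(" - ", 1)[-1].strip(),
        "raw": line,
    }

def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries only in `before` (removed by the fix) and only in `after` (new since)."""
    b, a = set(unwrap(before)), set(unwrap(after))
    return sorted(b - a), sorted(a - b)

def flag_entries(log: str) -> List[Tuple[str, str]]:
    """(entry, reason) pairs for entries in REVIEW classes, in log order."""
    flagged = []
    for line in unwrap(log):
        e = parse_entry(line)
        reason = REVIEW.get(e["kind"])
        if e["kind"] == "O16" and not e["path"].lower().startswith("http"):
            reason = None  # locally installed control: nothing was downloaded to vet
        if reason:
            flagged.append((e["raw"], reason))
    return flagged
```

Running `diff_logs(BEFORE_LOG, AFTER_LOG)` shows the O9, O16 and O21 lines gone and only the updated Java BHO added, which is the outcome the last log in this thread shows.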

BEJON
2007-04-04, 21:34
Thank you, thank you, thank you. I can't say it enough.
Here is my last HJT log. I got Symantec AntiVirus. I guess I will search the forum for some other active spyware.



Logfile of HijackThis v1.99.1
Scan saved at 2:33:33 PM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\utorrent\utorrent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152829915739
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

pskelley
2007-04-04, 21:49
Looks good...safe surfing.