Require Assistance with Smitfraud-c.toolbar888



El_Beefcheesemo
2007-05-28, 16:39
Hello and Good Day!

I was unsuccessful in trying to remove Smitfraud-c.toolbar888 when it was detected by Spybot S&D, and hope I haven't worsened the state of my system with any cowboy heroics. I think it's time to call in the professionals.

Here is my Hijackthis Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10:37:37 AM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\MySoftware\InterCom.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Hijackthis\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp2.tmp.dll (file missing)
O2 - BHO: (no name) - {d7bb897d-1381-4c30-a342-17a07f1d5473} - C:\WINDOWS\system32\kbdatt.dll
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DigidesignMMERefresh] D:\Avid\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [OpwareSE2] "D:\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\Ryan\LOCALS~1\Temp\tmp4.tmp.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\InterCom.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: kbdatt - C:\WINDOWS\SYSTEM32\kbdatt.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - D:\Avid\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Thanks for your help in this matter!

Shaba
2007-05-28, 19:58
Hi El_Beefcheesemo

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Please download the following program and save it to your desktop:

http://noahdfear.geekstogo.com/FindAWF.exe

Once downloaded, double-click on the file to run it. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.

Post:

- a fresh HijackThis log
- vundofix report
- findawf report

El_Beefcheesemo
2007-05-30, 14:56
Thanks for such a speedy reply!

I followed your posted instructions; here are my new logs:


Logfile of HijackThis v1.99.1
Scan saved at 8:55:43 AM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\MySoftware\InterCom.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Hijackthis\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp2.tmp.dll (file missing)
O2 - BHO: (no name) - {d7bb897d-1381-4c30-a342-17a07f1d5473} - C:\WINDOWS\system32\kbdatt.dll
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DigidesignMMERefresh] D:\Avid\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [OpwareSE2] "D:\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\Ryan\LOCALS~1\Temp\tmp4.tmp.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\InterCom.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: kbdatt - C:\WINDOWS\SYSTEM32\kbdatt.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - D:\Avid\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe




VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 10:30:07 AM 5/28/2007

Listing files found while scanning....

C:\DOCUME~1\Ryan\LOCALS~1\Temp\tmp2.tmp.dll
C:\WINDOWS\ooopoq.ini
C:\WINDOWS\qopooo.dll
C:\WINDOWS\system32\tmp2.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\ooopoq.ini
C:\WINDOWS\ooopoq.ini Has been deleted!

Attempting to delete C:\WINDOWS\qopooo.dll
C:\WINDOWS\qopooo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp2.tmp.dll
C:\WINDOWS\system32\tmp2.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 10:43:22 AM 5/28/2007

Listing files found while scanning....

No infected files were found.





Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/11/2000 02:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

08/11/2006 10:09 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

03/17/2007 11:11 AM 37,194 lsasss.exe
1 File(s) 37,194 bytes

Directory of C:\PROGRA~1\CREATIVE\SBDRIV~1\BAK

12/03/2002 07:06 PM 45,056 SBDrvDet.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\HPDVD~1\UMBRELLA\BAK

12/18/2003 05:37 PM 184,320 DVDBitSet.exe
07/23/2003 01:42 PM 69,632 DVDTray.exe
2 File(s) 253,952 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

08/01/2006 10:59 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\ROXIOS~1\SYSTEM\BAK

05/01/2003 07:44 PM 65,536 EngUtil.exe
1 File(s) 65,536 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 02:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\REMOTE~1\BAK

10/08/2003 05:35 PM 139,264 RcMan.exe
1 File(s) 139,264 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

06/18/2003 02:00 AM 45,056 CTDVDDet.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

09/17/2003 11:43 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\ROXIO\EASYCD~1\DRAGTO~1\BAK

01/09/2004 05:01 PM 868,352 DrgToDsc.exe
1 File(s) 868,352 bytes

Directory of C:\PROGRA~1\INTEL\PROSET~1\NCS\PROSET\BAK

03/02/2004 03:49 PM 86,016 PRONoMgr.exe
1 File(s) 86,016 bytes

Directory of D:\ITUNES\BAK

02/23/2006 04:45 PM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of D:\SCANSOFT\OMNIPA~1.0\BAK

05/08/2003 01:00 PM 49,152 OpwareSE2.exe
1 File(s) 49,152 bytes

Directory of D:\AVID\DIGIDE~1\DRIVERS\BAK

11/16/2004 03:44 PM 27,648 MMERefresh.exe
1 File(s) 27,648 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
37837 Mar 24 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Aug 11 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
37194 Mar 17 2007 "C:\WINDOWS\system32\bak\lsasss.exe"
37837 Mar 24 2007 "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe"
45056 Dec 3 2002 "C:\Program Files\Creative\SB Drive Det\bak\SBDrvDet.exe"
37837 Mar 24 2007 "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe"
184320 Dec 18 2003 "C:\Program Files\HP DVD\Umbrella\bak\DVDBitSet.exe"
37837 Mar 24 2007 "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
69632 Jul 23 2003 "C:\Program Files\HP DVD\Umbrella\bak\DVDTray.exe"
37837 Mar 24 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Aug 1 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
65536 May 1 2003 "C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe"
37837 Mar 24 2007 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
139264 Oct 8 2003 "C:\Program Files\Creative\MediaSource\RemoteControl\bak\RcMan.exe"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDet.EXE"
57344 Sep 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"
868352 Jan 9 2004 "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe"
86016 Mar 2 2004 "C:\Program Files\Intel\PROSetWired\NCS\PROSet\bak\PRONoMgr.exe"
37837 Mar 24 2007 "D:\Itunes\iTunesHelper.exe"
278528 Feb 23 2006 "D:\Itunes\bak\iTunesHelper.exe"
37837 Mar 24 2007 "D:\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
49152 May 8 2003 "D:\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
27648 Nov 16 2004 "C:\Program Files\InstallShield Installation Information\{8BFAC5F1-CCD1-46C8-9C00-3CA2CBADFD21}\MMERefresh.exe"
27648 Nov 16 2004 "D:\Avid\Digidesign\Drivers\bak\MMERefresh.exe"


end of report




Your help is most appreciated!

Shaba
2007-05-30, 16:54
Hi

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp2.tmp.dll (file missing)
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\Ryan\LOCALS~1\Temp\tmp4.tmp.exe"
O20 - AppInit_DLLs:

Close all windows including browser and press fix checked.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, right-click inside the listbox (white box) and click Add More Files.
Copy & paste the 2 entries below into the top 2 boxes:


C:\WINDOWS\system32\kbdatt.dll
C:\WINDOWS\system32\ttadbk.*


Click Add Files and Click Close Window
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Copy text below to Notepad and save it as delawf.bat (save it as all files, *.*)

@ECHO OFF
REM delawf.bat: move each original executable out of its "bak" folder back over the stub (source and destination must be on the same line)
move /Y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"
move /Y "C:\Program Files\Creative\SB Drive Det\bak\SBDrvDet.exe" "C:\Program Files\Creative\SB Drive Det"
move /Y "C:\Program Files\HP DVD\Umbrella\bak\DVDBitSet.exe" "C:\Program Files\HP DVD\Umbrella"
move /Y "C:\Program Files\HP DVD\Umbrella\bak\DVDTray.exe" "C:\Program Files\HP DVD\Umbrella"
move /Y "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB"
move /Y "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe" "C:\Program Files\Common Files\Sonic\Update Manager"
move /Y "D:\Itunes\bak\iTunesHelper.exe" "D:\Itunes"
move /Y "D:\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe" "D:\ScanSoft\OmniPageSE2.0"

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/bat.JPG

(In case you are unsure how to create a bat file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File) with screenshots.)

Boot in safe mode

Double-click delawf.bat; a black DOS window will flash, that's normal.

Delete this:

C:\WINDOWS\system32\bak\lsasss.exe

Empty Recycle Bin

Reboot

Re-run findawf

Post:

- a fresh HijackThis log
- vundofix report
- findawf report
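
The delawf.bat above is written by hand from the "Duplicate files of bak directory contents" section of the FindAWF report. As an added example (my own code, not FindAWF's, HijackThis's or anything posted in this thread), the Python script below parses that section, recognises the AWF pattern (the original autorun executable parked in a "bak" folder while a stub of one repeated size, 37837 bytes in this thread, sits in its place) and generates the same move /Y lines, leaving anything it cannot pair for manual review. The "at least three parent copies of one size" threshold is my assumption, not something FindAWF defines.

```python
"""Derive the restore step from a FindAWF report (added example, not FindAWF's
own code). AWF pattern in this thread: the autorun executable is moved into a
"bak" subfolder and a small stub of one fixed size (37837 bytes here) is written
in its place, so every Run entry still points at a valid path. Restoring means
moving the bak copy back over the stub, which delawf.bat does line by line."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Excerpt of the "Duplicate files" section of the FindAWF report posted in the
# thread (line format: <size> <Mon> <day> <year> "<path>").
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
37837 Mar 24 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Aug 11 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
37194 Mar 17 2007 "C:\WINDOWS\system32\bak\lsasss.exe"
37837 Mar 24 2007 "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
69632 Jul 23 2003 "C:\Program Files\HP DVD\Umbrella\bak\DVDTray.exe"
37837 Mar 24 2007 "D:\Itunes\iTunesHelper.exe"
278528 Feb 23 2006 "D:\Itunes\bak\iTunesHelper.exe"
27648 Nov 16 2004 "C:\Program Files\InstallShield Installation Information\{8BFAC5F1-CCD1-46C8-9C00-3CA2CBADFD21}\MMERefresh.exe"
27648 Nov 16 2004 "D:\Avid\Digidesign\Drivers\bak\MMERefresh.exe"

end of report
"""

LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"\s*$')


def parse_duplicates(report):
    """Return (size, date, path) tuples from the 'Duplicate files' section."""
    entries, in_section = [], False
    for line in report.splitlines():
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
        elif line.startswith("end of report"):
            break
        elif in_section and (m := LINE_RE.match(line)):
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def plan_restore(entries, min_cluster=3):
    """Pair each bak\\<name> with the same name one level up. If one size shows
    up in at least min_cluster of those parent copies (the dropper writes one
    stub everywhere; the threshold is my own heuristic), treat that size as the
    stub and emit a move /Y for each affected pair. Anything that cannot be
    paired is listed for manual review instead of being touched."""
    bak_copies, in_place = {}, {}
    for size, _date, path in entries:
        p = PureWindowsPath(path)
        if p.parent.name.lower() == "bak":
            key = (str(p.parent.parent).lower(), p.name.lower())
            bak_copies[key] = (size, path, str(p.parent.parent))
        else:
            in_place[(str(p.parent).lower(), p.name.lower())] = (size, path)
    # Parent copies whose size differs from the bak'd original.
    replaced = {k for k in bak_copies if k in in_place
                and in_place[k][0] != bak_copies[k][0]}
    sizes = Counter(in_place[k][0] for k in replaced)
    stub_size = None
    if sizes and sizes.most_common(1)[0][1] >= min_cluster:
        stub_size = sizes.most_common(1)[0][0]
    moves, notes = [], []
    for key, (_bak_size, bak_path, parent_dir) in sorted(bak_copies.items()):
        if key not in in_place:
            notes.append(f"bak only, review manually: {bak_path}")
        elif key not in replaced:
            notes.append(f"identical copy already in place: {bak_path}")
        elif in_place[key][0] == stub_size:
            moves.append(f'move /Y "{bak_path}" "{parent_dir}"')
        else:
            notes.append(f"size differs but is not the stub size, review: {bak_path}")
    return moves, stub_size, notes


def build_batch(report, min_cluster=3):
    """Return (batch text in delawf.bat style, stub size, review notes)."""
    moves, stub_size, notes = plan_restore(parse_duplicates(report), min_cluster)
    return "\n".join(["@ECHO OFF"] + moves) + "\n", stub_size, notes


if __name__ == "__main__":
    batch, stub, notes = build_batch(SAMPLE_REPORT)
    print(f"stub size: {stub}")
    print(batch)
    print("\n".join(notes))
```

On the sample this yields three move lines (DVDTray, qttask, iTunesHelper) and flags UpdReg.EXE, lsasss.exe and the Digidesign MMERefresh.exe for manual review, matching what the helper chose to restore versus delete by hand.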

El_Beefcheesemo
2007-05-31, 16:19
When I scanned with Hijackthis I could not find the following file:

O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp2.tmp.dll (file missing)

Instead I found and checked off a similar looking file for removal:

O2 - BHO: (no name) - {*} - C:\WINDOWS\system32\tmp5.tmp.dll



When I ran Hijackthis and pressed fix checked I received the following error message:



An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: )
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 7.0.5730.11
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.



When I ran the delawf.bat file, it moved the file "realsched.exe" to my desktop


Other than that, everything seemed to proceed according to plan, here are my latest logfiles:


Logfile of HijackThis v1.99.1
Scan saved at 10:19:11 AM, on 5/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
D:\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\MySoftware\InterCom.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Hijackthis\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {d7bb897d-1381-4c30-a342-17a07f1d5473} - C:\WINDOWS\system32\kbdatt.dll (file missing)
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DigidesignMMERefresh] D:\Avid\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [OpwareSE2] "D:\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\InterCom.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - D:\Avid\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe





VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 10:30:07 AM 5/28/2007

Listing files found while scanning....

C:\DOCUME~1\Ryan\LOCALS~1\Temp\tmp2.tmp.dll
C:\WINDOWS\ooopoq.ini
C:\WINDOWS\qopooo.dll
C:\WINDOWS\system32\tmp2.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\ooopoq.ini
C:\WINDOWS\ooopoq.ini Has been deleted!

Attempting to delete C:\WINDOWS\qopooo.dll
C:\WINDOWS\qopooo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp2.tmp.dll
C:\WINDOWS\system32\tmp2.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 10:43:22 AM 5/28/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 9:36:52 AM 5/31/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\kbdatt.dll
C:\WINDOWS\system32\kbdatt.dll Has been deleted!

Performing Repairs to the registry.
Done!




Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/11/2000 02:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\SBDRIV~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HPDVD~1\UMBRELLA\BAK

12/18/2003 05:37 PM 184,320 DVDBitSet.exe
1 File(s) 184,320 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\ROXIOS~1\SYSTEM\BAK

05/01/2003 07:44 PM 65,536 EngUtil.exe
1 File(s) 65,536 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\REMOTE~1\BAK

10/08/2003 05:35 PM 139,264 RcMan.exe
1 File(s) 139,264 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

06/18/2003 02:00 AM 45,056 CTDVDDet.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

09/17/2003 11:43 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\ROXIO\EASYCD~1\DRAGTO~1\BAK

01/09/2004 05:01 PM 868,352 DrgToDsc.exe
1 File(s) 868,352 bytes

Directory of C:\PROGRA~1\INTEL\PROSET~1\NCS\PROSET\BAK

03/02/2004 03:49 PM 86,016 PRONoMgr.exe
1 File(s) 86,016 bytes

Directory of D:\ITUNES\BAK

0 File(s) 0 bytes

Directory of D:\SCANSOFT\OMNIPA~1.0\BAK

0 File(s) 0 bytes

Directory of D:\AVID\DIGIDE~1\DRIVERS\BAK

11/16/2004 03:44 PM 27,648 MMERefresh.exe
1 File(s) 27,648 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
37837 Mar 24 2007 "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe"
184320 Dec 18 2003 "C:\Program Files\HP DVD\Umbrella\bak\DVDBitSet.exe"
65536 May 1 2003 "C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe"
139264 Oct 8 2003 "C:\Program Files\Creative\MediaSource\RemoteControl\bak\RcMan.exe"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDet.EXE"
57344 Sep 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"
868352 Jan 9 2004 "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe"
86016 Mar 2 2004 "C:\Program Files\Intel\PROSetWired\NCS\PROSet\bak\PRONoMgr.exe"
27648 Nov 16 2004 "C:\Program Files\InstallShield Installation Information\{8BFAC5F1-CCD1-46C8-9C00-3CA2CBADFD21}\MMERefresh.exe"
27648 Nov 16 2004 "D:\Avid\Digidesign\Drivers\bak\MMERefresh.exe"


end of report



I feel the battle is turning in our favor....

Shaba
2007-05-31, 16:41
Hi

I agree :)

Open HijackThis, click "Do a system scan only" and checkmark these:

O2 - BHO: (no name) - {d7bb897d-1381-4c30-a342-17a07f1d5473} - C:\WINDOWS\system32\kbdatt.dll (file missing)

Close all windows including browser and press fix checked.

Copy text below to Notepad and save it as delawf2.bat (save it as all files, *.*)

@ECHO OFF
move /Y "C:\Program Files\HP DVD\Umbrella\bak\DVDBitSet.exe" "C:\Program Files\HP DVD\Umbrella"

Boot in safe mode

Double-click delawf2.bat; a black DOS window will flash, that's normal.

Reboot

Re-run findawf

Post:

- a fresh HijackThis log
- findawf report

El_Beefcheesemo
2007-06-01, 16:37
I executed your latest round of instructions to the letter, and everything seemed to work fine.

Here are my revised logfiles:


Logfile of HijackThis v1.99.1
Scan saved at 10:36:00 AM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
D:\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\MySoftware\InterCom.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DigidesignMMERefresh] D:\Avid\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [OpwareSE2] "D:\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\InterCom.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - D:\Avid\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe





Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/11/2000 02:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\SBDRIV~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HPDVD~1\UMBRELLA\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\ROXIOS~1\SYSTEM\BAK

05/01/2003 07:44 PM 65,536 EngUtil.exe
1 File(s) 65,536 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\REMOTE~1\BAK

10/08/2003 05:35 PM 139,264 RcMan.exe
1 File(s) 139,264 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

06/18/2003 02:00 AM 45,056 CTDVDDet.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

09/17/2003 11:43 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\ROXIO\EASYCD~1\DRAGTO~1\BAK

01/09/2004 05:01 PM 868,352 DrgToDsc.exe
1 File(s) 868,352 bytes

Directory of C:\PROGRA~1\INTEL\PROSET~1\NCS\PROSET\BAK

03/02/2004 03:49 PM 86,016 PRONoMgr.exe
1 File(s) 86,016 bytes

Directory of D:\ITUNES\BAK

0 File(s) 0 bytes

Directory of D:\SCANSOFT\OMNIPA~1.0\BAK

0 File(s) 0 bytes

Directory of D:\AVID\DIGIDE~1\DRIVERS\BAK

11/16/2004 03:44 PM 27,648 MMERefresh.exe
1 File(s) 27,648 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
65536 May 1 2003 "C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe"
139264 Oct 8 2003 "C:\Program Files\Creative\MediaSource\RemoteControl\bak\RcMan.exe"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDet.EXE"
57344 Sep 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"
868352 Jan 9 2004 "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe"
86016 Mar 2 2004 "C:\Program Files\Intel\PROSetWired\NCS\PROSet\bak\PRONoMgr.exe"
27648 Nov 16 2004 "C:\Program Files\InstallShield Installation Information\{8BFAC5F1-CCD1-46C8-9C00-3CA2CBADFD21}\MMERefresh.exe"
27648 Nov 16 2004 "D:\Avid\Digidesign\Drivers\bak\MMERefresh.exe"


end of report


I can feel the Malware's vile grip on my system loosening...

Shaba
2007-06-02, 10:33
Hi

Yes, looking very good :)

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Post:

- a fresh HijackThis log
- kaspersky report

El_Beefcheesemo
2007-06-02, 18:15
The latest set of instructions was carried out without a hitch. Here are the logfiles:


Logfile of HijackThis v1.99.1
Scan saved at 12:15:39 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
D:\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\MySoftware\InterCom.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DigidesignMMERefresh] D:\Avid\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [OpwareSE2] "D:\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\InterCom.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - D:\Avid\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, June 02, 2007 12:13:48 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 2/06/2007
Kaspersky Anti-Virus database records: 336449
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 98518
Number of viruses found: 6
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 00:39:47

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ryan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ryan\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Ryan\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Ryan\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temp\~DFB33F.tmp Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temp\~DFB349.tmp Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\8BLZ26V1\drf1178390000[1].htm.exe Infected: Trojan-Downloader.Win32.ConHook.bf skipped
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ryan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ryan\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Real\Update_OB\realsched.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe1174747503 Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\VundoFix Backups\kbdatt.dll.bad Infected: Trojan-Downloader.Win32.ConHook.ba skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\tmp6.tmp.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000010-00000000-00000000-00001102-00000004-20011102}.CDF Object is locked skipped
D:\Adobe Photoshop CS2\keygen.exe Infected: not-a-virus:AdWare.Win32.WinAD.bt skipped
D:\Photoshop CS2\Adobe(R) Photoshop(R) CS2\keygen.exe Infected: not-a-virus:AdWare.Win32.WinAD.bt skipped
D:\Photoshop CS2\Bonus Folder\Extreme Internet TV Proffesional.rar/Extreme Internet TV Pro/Extreme Internet TV Pro/Extreme Internet TV Pro/keygen.exe Infected: not-a-virus:AdWare.Win32.WinAD.bt skipped
D:\Photoshop CS2\Bonus Folder\Extreme Internet TV Proffesional.rar/Extreme Internet TV Pro/Extreme Internet TV Pro/Extreme Internet TV Pro.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.WinAD.bt skipped
D:\Photoshop CS2\Bonus Folder\Extreme Internet TV Proffesional.rar/Extreme Internet TV Pro/Extreme Internet TV Pro/Extreme Internet TV Pro.rar Infected: not-a-virus:AdWare.Win32.WinAD.bt skipped
D:\Photoshop CS2\Bonus Folder\Extreme Internet TV Proffesional.rar/Extreme Internet TV Pro/Extreme Internet TV Pro/keygen.exe Infected: not-a-virus:AdWare.Win32.WinAD.bt skipped
D:\Photoshop CS2\Bonus Folder\Extreme Internet TV Proffesional.rar/Extreme Internet TV Pro/keygen.exe Infected: not-a-virus:AdWare.Win32.WinAD.bt skipped
D:\Photoshop CS2\Bonus Folder\Extreme Internet TV Proffesional.rar RAR: infected - 5 skipped
D:\Photoshop CS2\keygen.exe Infected: not-a-virus:AdWare.Win32.WinAD.bt skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
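The report above mixes three kinds of line: objects the scanner could not open ("Object is locked skipped"), files with a verdict ("Infected: ... skipped"), and per-archive summaries ("ZIP: infected - 1 skipped"). Sorting those into what actually needs removing is the step the helper does by eye in the next posts. As an added example (not part of this thread and not a Kaspersky tool), here is a parser that does that triage. The sample is a constructed excerpt of the posted report covering each line shape; the "quarantined" heuristic (paths under VundoFix Backups or ending in .bad are inert backup copies) and the name SAMPLE_REPORT are assumptions of this example.

```python
"""Parse a Kaspersky Online Scanner text report into actionable findings.

Added example, not part of the thread or of Kaspersky's tooling. SAMPLE_REPORT is a
constructed excerpt of the report posted above, chosen to cover every line shape it
contains: locked objects, infected files, members inside .zip/.rar archives, and
the archive-container summary lines.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Ryan\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Ryan\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Ryan\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\8BLZ26V1\drf1178390000[1].htm.exe Infected: Trojan-Downloader.Win32.ConHook.bf skipped
C:\Program Files\Common Files\Real\Update_OB\realsched.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe1174747503 Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\VundoFix Backups\kbdatt.dll.bad Infected: Trojan-Downloader.Win32.ConHook.ba skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\tmp6.tmp.dll Infected: Trojan.Win32.BHO.g skipped
D:\Photoshop CS2\Bonus Folder\Extreme Internet TV Proffesional.rar/Extreme Internet TV Pro/keygen.exe Infected: not-a-virus:AdWare.Win32.WinAD.bt skipped
D:\Photoshop CS2\Bonus Folder\Extreme Internet TV Proffesional.rar RAR: infected - 5 skipped
"""

# One regex for the three line shapes; the non-greedy path group stops at the first
# place where one of the fixed tails matches, so spaces in paths are not a problem.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"Object is locked skipped"
    r"|Infected: (?P<verdict>\S+) skipped"
    r"|(?P<container>ZIP|RAR): infected - (?P<count>\d+) skipped"
    r")$"
)
# Kaspersky writes archive members as <archive>.zip/<member>; a trailing slash marks one.
ARCHIVE_MEMBER_RE = re.compile(r"\.(?:zip|rar)/", re.IGNORECASE)


@dataclass
class Detection:
    path: str
    verdict: str
    in_archive: bool   # member of a .zip/.rar; handled by removing or unpacking the container
    riskware: bool     # 'not-a-virus:' prefix: a tool or adware, not malware in itself
    quarantined: bool  # heuristic for this thread's tools: VundoFix/.bad backups are inert copies


def parse_report(text: str):
    """Return (detections, archive containers, number of locked objects)."""
    detections, containers, locked = [], [], 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, statistics and blank lines
        if m["verdict"]:
            path, verdict = m["path"], m["verdict"]
            low = path.lower()
            detections.append(Detection(
                path, verdict,
                in_archive=bool(ARCHIVE_MEMBER_RE.search(path)),
                riskware=verdict.startswith("not-a-virus:"),
                quarantined=low.endswith(".bad") or "vundofix backups" in low,
            ))
        elif m["container"]:
            containers.append((m["path"], int(m["count"])))
        else:
            locked += 1
    return detections, containers, locked


def summarize(text: str) -> dict:
    detections, containers, locked = parse_report(text)
    families = Counter(d.verdict for d in detections)
    return {
        # Infected lines plus container lines add up to the scanner's "infected objects";
        # distinct verdict names add up to its "viruses found".
        "infected_objects": len(detections) + len(containers),
        "viruses_found": len(families),
        "locked_skipped": locked,
        "by_family": dict(families),
        "riskware": sorted(d.path for d in detections if d.riskware),
        "in_quarantine": sorted(d.path for d in detections if d.quarantined),
        # Live, non-archive, non-riskware files: what still has to come off the machine.
        "actionable": sorted(d.path for d in detections
                             if not (d.in_archive or d.riskware or d.quarantined)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the full report above, the first two counters match the scanner's own statistics block (17 infected objects, 6 viruses), and the actionable list is exactly the set the helper goes after next: the two Agent.awf executables, the ConHook downloader in the IE cache, and tmp6.tmp.dll.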

Shaba
2007-06-02, 18:19
Hi

Please download the following program and save it to your desktop:

http://noahdfear.geekstogo.com/FindAWF.exe

Once downloaded, double-click on the file to run it. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.

El_Beefcheesemo
2007-06-03, 14:33
Hello!

Here's the logfile; so what's the verdict, doctor?



Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/11/2000 02:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\SBDRIV~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HPDVD~1\UMBRELLA\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\ROXIOS~1\SYSTEM\BAK

05/01/2003 07:44 PM 65,536 EngUtil.exe
1 File(s) 65,536 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\REMOTE~1\BAK

10/08/2003 05:35 PM 139,264 RcMan.exe
1 File(s) 139,264 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

06/18/2003 02:00 AM 45,056 CTDVDDet.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

09/17/2003 11:43 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\ROXIO\EASYCD~1\DRAGTO~1\BAK

01/09/2004 05:01 PM 868,352 DrgToDsc.exe
1 File(s) 868,352 bytes

Directory of C:\PROGRA~1\INTEL\PROSET~1\NCS\PROSET\BAK

03/02/2004 03:49 PM 86,016 PRONoMgr.exe
1 File(s) 86,016 bytes

Directory of D:\ITUNES\BAK

0 File(s) 0 bytes

Directory of D:\SCANSOFT\OMNIPA~1.0\BAK

0 File(s) 0 bytes

Directory of D:\AVID\DIGIDE~1\DRIVERS\BAK

11/16/2004 03:44 PM 27,648 MMERefresh.exe
1 File(s) 27,648 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
65536 May 1 2003 "C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe"
139264 Oct 8 2003 "C:\Program Files\Creative\MediaSource\RemoteControl\bak\RcMan.exe"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDet.EXE"
57344 Sep 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"
868352 Jan 9 2004 "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe"
86016 Mar 2 2004 "C:\Program Files\Intel\PROSetWired\NCS\PROSet\bak\PRONoMgr.exe"
27648 Nov 16 2004 "C:\Program Files\InstallShield Installation Information\{8BFAC5F1-CCD1-46C8-9C00-3CA2CBADFD21}\MMERefresh.exe"
27648 Nov 16 2004 "D:\Avid\Digidesign\Drivers\bak\MMERefresh.exe"


end of report

Shaba
2007-06-03, 14:48
Hi

Copy text below to Notepad and save it as delawf.bat (save it as all files, *.*)

@ECHO OFF
move /Y "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB"
move /Y "C:\Program Files\Intel\PROSetWired\NCS\PROSet\bak\PRONoMgr.exe" "C:\Program Files\Intel\PROSetWired\NCS\PROSet"
move /Y "C:\WINDOWS\bak\UpdReg.EXE" "C:\WINDOWS"
move /Y "C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe" "C:\Program Files\Common Files\Roxio Shared\System"
move /Y "C:\Program Files\Creative\MediaSource\RemoteControl\bak\RcMan.exe" "C:\Program Files\Creative\MediaSource\RemoteControl"
move /Y "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDet.EXE" "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio"
move /Y "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe" "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer"
move /Y "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe" "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc"

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/bat.JPG

(In case you are unsure how to create a bat file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File) with screenshots.)

Boot in safe mode

Double-click delawf.bat; a black DOS window will flash, that's normal.

Reboot

Re-run findawf

Post:

- a fresh HijackThis log
- awf report
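What delawf2.bat (earlier in the thread) and delawf.bat above are doing: Trojan-Downloader.Win32.Agent.awf moves a legitimate autostart executable into a "bak" subfolder and drops its own copy under the original name, so the O4 Run entry keeps pointing at a working path. FindAWF lists the bak folders and the duplicates; the batch files move the originals back with `move /Y`. The following is an added example, not noahdfear's FindAWF and not the helper's batch files: a script that performs the same triage over a directory tree, classifying each bak file by whether the live copy is missing, differs, or is identical, then restoring the originals. It runs over a constructed temporary tree mirroring three cases from the reports above (DVDBitSet.exe with a differing live copy, EngUtil.exe with no live copy, and an identical pair); the quarantine folder name AWF_Quarantine and the ".bad" suffix are assumptions of this example.

```python
"""Triage and restore of AWF-style 'bak' folders.

Added example, not noahdfear's FindAWF nor the delawf batch files from this thread.
Agent.awf displaces a legitimate autostart .exe into <dir>\\bak\\ and drops its own
copy under the original name; the cleanup moves the originals back. This script does
that triage over a constructed directory tree so it can be run anywhere.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class BakFinding:
    bak_file: Path    # the displaced original inside <dir>\bak\
    live_file: Path   # the path an O4 Run entry would still point at
    status: str       # 'live_missing' | 'live_differs' | 'identical'


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_findings(root: Path) -> list:
    """For every file under a folder literally named 'bak', compare it with the
    same-named file one level up (what FindAWF's 'Duplicate files' section lists)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        bak_dir = Path(dirpath)
        if bak_dir.name.lower() != "bak":
            continue
        for name in sorted(filenames):
            bak, live = bak_dir / name, bak_dir.parent / name
            if not live.exists():
                status = "live_missing"   # dropper already removed; original not yet put back
            elif live.stat().st_size == bak.stat().st_size and sha256(live) == sha256(bak):
                status = "identical"      # plain duplicate, nothing to do
            else:
                status = "live_differs"   # live copy is the suspected AWF replacement
            findings.append(BakFinding(bak, live, status))
    return findings


def restore_originals(findings: list, quarantine: Path) -> list:
    """Equivalent of the batch files' `move /Y "...\\bak\\X.exe" "..."`, plus one step:
    a differing live copy is moved into a quarantine folder (name assumed here) instead
    of being overwritten, so it survives for analysis or submission."""
    quarantine.mkdir(parents=True, exist_ok=True)
    restored = []
    for f in findings:
        if f.status == "identical":
            continue
        if f.status == "live_differs":
            shutil.move(str(f.live_file), str(quarantine / (f.live_file.name + ".bad")))
        shutil.move(str(f.bak_file), str(f.live_file))
        restored.append(f.live_file)
    return restored


def build_sample_tree(root: Path) -> None:
    """Constructed tree reproducing the situations seen in the FindAWF reports above."""
    umb = root / "HP DVD" / "Umbrella"            # bak original plus a smaller live copy
    (umb / "bak").mkdir(parents=True)
    (umb / "bak" / "DVDBitSet.exe").write_bytes(b"MZ original installer payload\n" * 64)
    (umb / "DVDBitSet.exe").write_bytes(b"MZ dropper\n" * 8)
    rox = root / "Roxio Shared" / "System"        # original only in bak, live copy gone
    (rox / "bak").mkdir(parents=True)
    (rox / "bak" / "EngUtil.exe").write_bytes(b"MZ EngUtil\n" * 32)
    intel = root / "Intel" / "PROSet"             # bak and live identical; leave alone
    (intel / "bak").mkdir(parents=True)
    (intel / "bak" / "PRONoMgr.exe").write_bytes(b"MZ PRONoMgr\n" * 16)
    (intel / "PRONoMgr.exe").write_bytes(b"MZ PRONoMgr\n" * 16)
    (root / "QuickTime" / "bak").mkdir(parents=True)  # empty bak folder, as in the report


def demo() -> dict:
    """Run the triage end to end in a temp directory and return what happened."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    try:
        build_sample_tree(root)
        before = {f.live_file.name: f.status for f in find_bak_findings(root)}
        restored = restore_originals(find_bak_findings(root), root / "AWF_Quarantine")
        return {
            "before": before,
            "restored": sorted(p.name for p in restored),
            "quarantined": sorted(p.name for p in (root / "AWF_Quarantine").iterdir()),
            "remaining": [f.status for f in find_bak_findings(root)],
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the batch files cannot express: a size or hash mismatch between the bak copy and the live file is the signal that the live file is the dropper rather than a harmless duplicate (compare the 37,837-byte DVDBitSet.exe against the 184,320-byte original in the first report), and moving that copy aside rather than letting `move /Y` overwrite it keeps a sample for the scanner or for submission.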

El_Beefcheesemo
2007-06-06, 14:37
Hello!

I created and ran delawf.bat in safe mode - upon reboot my SoundBlaster volume control was muted (odd?). Besides that, everything seems to be going according to plan. Here are my logfiles:


Logfile of HijackThis v1.99.1
Scan saved at 8:38:25 AM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
D:\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\MySoftware\InterCom.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DigidesignMMERefresh] D:\Avid\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [OpwareSE2] "D:\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\InterCom.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - D:\Avid\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe




Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\SBDRIV~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HPDVD~1\UMBRELLA\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\ROXIOS~1\SYSTEM\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\REMOTE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ROXIO\EASYCD~1\DRAGTO~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\INTEL\PROSET~1\NCS\PROSET\BAK

0 File(s) 0 bytes

Directory of D:\ITUNES\BAK

0 File(s) 0 bytes

Directory of D:\SCANSOFT\OMNIPA~1.0\BAK

0 File(s) 0 bytes

Directory of D:\AVID\DIGIDE~1\DRIVERS\BAK

11/16/2004 03:44 PM 27,648 MMERefresh.exe
1 File(s) 27,648 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

27648 Nov 16 2004 "C:\Program Files\InstallShield Installation Information\{8BFAC5F1-CCD1-46C8-9C00-3CA2CBADFD21}\MMERefresh.exe"
27648 Nov 16 2004 "D:\Avid\Digidesign\Drivers\bak\MMERefresh.exe"


end of report


Cheers!
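
The Find AWF report above does two things: it lists a bak folder beside each executable the Run keys launch, and it searches the disk for other copies of whatever is parked in those folders. The reason is the infection being chased (Trojan-Downloader.Win32.Agent.awf, which the Kaspersky scan later in this thread flags on realsched.exe): it replaces the legitimate autostart binary with its own copy and moves the original into that bak subfolder, so an empty bak folder is a leftover from an earlier clean-up, while a bak folder whose contents differ from the live file is the live signature. The script below is an added example written for this page, not noahdfear's tool; it runs the same two checks over a constructed temporary directory tree, and the file names, contents and the InstallShield-style cache path are stand-ins chosen for the demonstration.

```python
# Added example for this page; not noahdfear's Find AWF, and the sample tree
# built in demo() is constructed, not taken from the poster's machine.
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


def sha256_of(path: str) -> str:
    """Hash a file in chunks; the report compares size and date, a hash is stricter."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class BakFinding:
    live_path: str
    bak_path: Optional[str]       # None when nothing is parked in the bak subfolder
    live_sha256: Optional[str]
    bak_sha256: Optional[str]
    verdict: str                  # "no-bak", "empty-bak", "swapped" or "identical"


def check_autostart(live_path: str) -> BakFinding:
    """First half of the report: is there a bak folder beside this autorun
    executable, and does its content still match what the Run key launches?"""
    live_path = os.path.normpath(live_path)
    folder, name = os.path.split(live_path)
    bak_dir = os.path.join(folder, "bak")
    bak_path = os.path.join(bak_dir, name)
    live_hash = sha256_of(live_path) if os.path.isfile(live_path) else None
    if not os.path.isdir(bak_dir):
        return BakFinding(live_path, None, live_hash, None, "no-bak")
    if not os.path.isfile(bak_path):
        # "0 File(s) 0 bytes" in the report: the folder is a leftover, the
        # original has already been moved back (or was never parked here).
        return BakFinding(live_path, None, live_hash, None, "empty-bak")
    bak_hash = sha256_of(bak_path)
    # A parked original that differs from the live file is the AWF signature:
    # the file the Run key launches is no longer the vendor's binary.
    verdict = "identical" if bak_hash == live_hash else "swapped"
    return BakFinding(live_path, bak_path, live_hash, bak_hash, verdict)


def find_duplicates(bak_paths: Sequence[str], roots: Sequence[str]) -> Dict[str, List[str]]:
    """Second half of the report: where else on disk does each parked file's
    content appear?  A copy in an installer cache suggests it is the vendor
    original and can be put back; no copy anywhere means it needs a closer look."""
    bak_paths = [os.path.normpath(p) for p in bak_paths]
    wanted = {sha256_of(p): p for p in bak_paths}
    dupes: Dict[str, List[str]] = {p: [] for p in bak_paths}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for f in files:
                full = os.path.normpath(os.path.join(dirpath, f))
                if full in dupes:
                    continue            # the parked copy itself
                try:
                    digest = sha256_of(full)
                except OSError:
                    continue            # unreadable, locked, vanished
                if digest in wanted:
                    dupes[wanted[digest]].append(full)
    return dupes


def demo() -> dict:
    """Constructed tree: one swapped autorun (trojan live, original parked,
    vendor copy in an InstallShield-style cache), one empty bak folder, and
    one autorun with no bak folder at all."""
    root = tempfile.mkdtemp(prefix="awf_demo_")

    def put(rel: str, data: bytes) -> str:
        p = os.path.normpath(os.path.join(root, rel))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)
        return p

    original = b"MZ stand-in for the vendor realsched.exe"   # not a real PE
    trojan = b"MZ stand-in for the AWF downloader"
    swapped = put("Real/Update_OB/realsched.exe", trojan)
    parked = put("Real/Update_OB/bak/realsched.exe", original)
    cache = put("InstallShield Installation Information/{GUID}/realsched.exe", original)
    empty = put("Intel/PROSet/PRONoMgr.exe", b"MZ stand-in for PRONoMgr.exe")
    os.makedirs(os.path.join(root, "Intel", "PROSet", "bak"))
    clean = put("QuickTime/qttask.exe", b"MZ stand-in for qttask.exe")

    verdicts = {p: check_autostart(p).verdict for p in (swapped, empty, clean)}
    return {"verdicts": verdicts,
            "duplicates": find_duplicates([parked], [root]),
            "parked": parked, "cache": cache}


if __name__ == "__main__":
    result = demo()
    for path, verdict in result["verdicts"].items():
        print(f"{verdict:10} {path}")
    for parked, copies in result["duplicates"].items():
        print(f"copies of {parked}: {copies}")
```

Run against a real machine, feed check_autostart() the paths from the O4 HKLM\..\Run lines of the HijackThis log and find_duplicates() the parked files it reports, with the drive roots as search roots; a "swapped" verdict plus a duplicate of the parked copy in an installer cache is the case where the original can simply be moved back over the live file.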

Shaba
2007-06-06, 15:21
Hi

Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.exe).
Save it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\8BLZ26V1\drf1178390000[1].htm.exe
C:\WINDOWS\system32\tmp6.tmp.dll
D:\Adobe Photoshop CS2\keygen.exe
D:\Photoshop CS2\Bonus Folder\Extreme Internet TV Proffesional.rar
D:\Photoshop CS2\keygen.exe

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Empty this folder:

C:\!KillBox

Empty Recycle Bin

Re-scan with Kaspersky

Post:

- a fresh HijackThis log
- Kaspersky report
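
For readers who want to know what the "Delete on Reboot" step actually does, rather than only which buttons to press: the following is an added example, not Killbox's own code. It assumes (from the MoveFileEx documentation, not from anything Killbox publishes) that delete-on-reboot is a MoveFileExW call with MOVEFILE_DELAY_UNTIL_REBOOT, which queues the path in the PendingFileRenameOperations value that the Session Manager processes at the next boot, before the file can be locked again by whatever loaded it. The two paths used as input are taken from the list above; the real API call only runs on Windows and needs administrator rights, elsewhere the function returns the entries it would have queued.

```python
# Added example for this page: the mechanism behind a "Delete on Reboot",
# not Killbox's code.  Assumption (from the MoveFileEx documentation): the
# call MoveFileExW(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) stores the pair
# "\??\<path>", "" in the REG_MULTI_SZ value PendingFileRenameOperations under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and smss.exe carries
# out those operations early in the next boot.
import ctypes
import sys
from typing import List, Sequence

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"

# Two of the paths from the Killbox list above, used as sample input.
KILLBOX_LIST = [
    r"C:\WINDOWS\system32\tmp6.tmp.dll",
    r"D:\Adobe Photoshop CS2\keygen.exe",
]


def nt_path(win32_path: str) -> str:
    r"""Session Manager works on NT object paths: C:\x becomes \??\C:\x."""
    return win32_path if win32_path.startswith("\\??\\") else "\\??\\" + win32_path


def pending_delete_entries(paths: Sequence[str]) -> List[str]:
    """The strings MoveFileEx appends for a delete: the source, then an empty
    destination.  (A rename carries the target instead, prefixed with '!'
    when MOVEFILE_REPLACE_EXISTING was requested.)"""
    entries: List[str] = []
    for p in paths:
        entries.extend((nt_path(p), ""))
    return entries


def schedule_delete_on_reboot(paths: Sequence[str]) -> List[str]:
    """Queue the deletions through the Win32 API on Windows (administrator
    rights needed); elsewhere return what would be written so the logic can
    be exercised."""
    entries = pending_delete_entries(paths)
    if sys.platform != "win32":
        return entries
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    kernel32.MoveFileExW.restype = ctypes.c_int
    for p in paths:
        if not kernel32.MoveFileExW(p, None, MOVEFILE_DELAY_UNTIL_REBOOT):
            raise ctypes.WinError(ctypes.get_last_error())
    return entries


def read_pending_operations() -> List[str]:
    """Audit what is already queued for the next boot, as the flat list of
    source/destination strings.  Malware can queue entries too (to put its
    files back or remove a cleaner's), so read this before adding your own."""
    if sys.platform != "win32":
        return []
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            value, _ = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []
    return list(value)


if __name__ == "__main__":
    for queued in read_pending_operations():
        print("already pending:", repr(queued))
    for entry in schedule_delete_on_reboot(KILLBOX_LIST):
        print(repr(entry))
```

The reason the GUI tool matters on an XP box is that a DLL loaded into Explorer or a running service cannot be deleted while it is mapped; queuing it for the Session Manager sidesteps the lock because nothing has opened the file yet when the queue is processed.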

El_Beefcheesemo
2007-06-07, 00:23
Once again, I have downloaded this file and run it, and here is its logfile :)




Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\SBDRIV~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HPDVD~1\UMBRELLA\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\ROXIOS~1\SYSTEM\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\REMOTE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ROXIO\EASYCD~1\DRAGTO~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\INTEL\PROSET~1\NCS\PROSET\BAK

0 File(s) 0 bytes

Directory of D:\ITUNES\BAK

0 File(s) 0 bytes

Directory of D:\SCANSOFT\OMNIPA~1.0\BAK

0 File(s) 0 bytes

Directory of D:\AVID\DIGIDE~1\DRIVERS\BAK

11/16/2004 03:44 PM 27,648 MMERefresh.exe
1 File(s) 27,648 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

27648 Nov 16 2004 "C:\Program Files\InstallShield Installation Information\{8BFAC5F1-CCD1-46C8-9C00-3CA2CBADFD21}\MMERefresh.exe"
27648 Nov 16 2004 "D:\Avid\Digidesign\Drivers\bak\MMERefresh.exe"


end of report

El_Beefcheesemo
2007-06-07, 00:26
So sorry, please ignore my last post; I accidentally responded to an earlier message in the thread. I will carry out your latest instructions and post a new reply.

El_Beefcheesemo
2007-06-08, 04:06
OK! I ran Killbox and re-scanned with Kaspersky, and here are the results:


Logfile of HijackThis v1.99.1
Scan saved at 10:05:58 PM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
D:\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\MySoftware\InterCom.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Itunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Hijackthis\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DigidesignMMERefresh] D:\Avid\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [OpwareSE2] "D:\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\InterCom.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - D:\Avid\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe




-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, June 07, 2007 10:05:19 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 8/06/2007
Kaspersky Anti-Virus database records: 341508
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 120875
Number of viruses found: 6
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 00:52:57

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ryan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ryan\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Ryan\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Ryan\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\History\History.IE5\MSHist012007060720070608\index.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temp\~DF189.tmp Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temp\~DF191.tmp Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ryan\My Documents\My Music\iTunes\iTunes Library.itl Object is locked skipped
C:\Documents and Settings\Ryan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ryan\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Real\Update_OB\realsched.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe1174747503 Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\VundoFix Backups\kbdatt.dll.bad Infected: Trojan-Downloader.Win32.ConHook.ba skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000010-00000000-00000000-00001102-00000004-20011102}.CDF Object is locked skipped
D:\Photoshop CS2\Adobe(R) Photoshop(R) CS2\keygen.exe Infected: not-a-virus:AdWare.Win32.WinAD.bt skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\Backup of Optimus Prime\BACKUP\mirc614.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
H:\Backup of Optimus Prime\BACKUP\mirc614.exe mIRC: infected - 1 skipped
H:\Nero\Nero-7.7.5.1_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
H:\Nero\Nero-7.7.5.1_eng_trial.exe RAR: infected - 1 skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
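
The Kaspersky report above mixes three kinds of line: objects the scanner could not open ("Object is locked skipped", normal for registry hives, index.dat files and event logs), actual detections ("Infected: <verdict>"), and a summary line for each archive that contained a detection ("ZIP: infected - 1"). Deciding what to delete means separating those, collapsing archive members onto the archive that holds them, and treating Kaspersky's not-a-virus: verdicts (riskware and adware, here the cleaning tool's own Reboot.exe, a keygen and mIRC) as a judgement call rather than an automatic delete. The parser below is an added example for this page, not Kaspersky's or the forum's code; the sample lines are copied from the report above, and the delete/review split is this example's own rule.

```python
# Added example for this page, not Kaspersky's or the thread's own code.  The
# sample lines are copied from the report above; the triage rules are mine.
import re
from typing import Dict, List, Tuple

# One report line is "<path> <status> <action>".  Paths contain spaces, so the
# path is matched lazily and the status alternatives are anchored at the end.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked)"
    r"|Infected: (?P<verdict>\S+)"
    r"|(?P<container>\S+): infected - (?P<count>\d+)"
    r") (?P<action>\S+)$"
)

SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Ryan\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Ryan\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Ryan\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Program Files\Common Files\Real\Update_OB\realsched.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe1174747503 Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\VundoFix Backups\kbdatt.dll.bad Infected: Trojan-Downloader.Win32.ConHook.ba skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
D:\Photoshop CS2\Adobe(R) Photoshop(R) CS2\keygen.exe Infected: not-a-virus:AdWare.Win32.WinAD.bt skipped
H:\Backup of Optimus Prime\BACKUP\mirc614.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
H:\Backup of Optimus Prime\BACKUP\mirc614.exe mIRC: infected - 1 skipped

Scan process completed.
"""


def parse_report(text: str) -> List[dict]:
    """Keep only the per-object lines; header, statistics and blanks are dropped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def container_of(path: str) -> str:
    """Members of archives are written <archive>/<member>.  The Windows path
    itself uses backslashes, so the first '/' marks the archive boundary and
    the thing you can actually delete is what precedes it."""
    return path.split("/", 1)[0]


def triage(text: str) -> Dict[str, object]:
    """Split detections into what gets deleted outright, what needs a human
    decision, and how many locked objects were merely skipped."""
    delete: List[Tuple[str, str]] = []
    review: List[Tuple[str, str]] = []
    locked = 0
    seen = set()
    for row in parse_report(text):
        if row["locked"]:
            locked += 1           # hives, index.dat, event logs: expected
            continue
        if row["container"]:
            continue              # archive summary; its member was listed already
        item = (container_of(row["path"]), row["verdict"])
        if item in seen:
            continue
        seen.add(item)
        # The not-a-virus: prefix marks riskware/adware.  A cleaning tool's own
        # Reboot.exe or an IRC client stays, a keygen goes, and only a person
        # looking at the path can tell which.
        (review if row["verdict"].startswith("not-a-virus:") else delete).append(item)
    return {"delete": delete, "review": review, "locked": locked}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['locked']} locked objects skipped (ignore)")
    for bucket in ("delete", "review"):
        print(f"\n{bucket}:")
        for path, verdict in result[bucket]:
            print(f"  {path}  [{verdict}]")
```

On the sample above the delete bucket comes out as realsched.exe, PRONoMgr.exe1174747503 and the kbdatt.dll.bad quarantine copy, which matches the list in the next post; the four not-a-virus hits land in review.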

Shaba
2007-06-08, 11:12
Hi

Delete these:

C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe1174747503
D:\Photoshop CS2\Adobe(R) Photoshop(R) CS2\keygen.exe

Empty this folder:

C:\VundoFix Backups\

Empty Recycle Bin.

Re-scan with Kaspersky

Post:

- a fresh HijackThis log
- Kaspersky report

El_Beefcheesemo
2007-06-14, 03:11
Hey there! I deleted, scanned, and here are the results:


Logfile of HijackThis v1.99.1
Scan saved at 9:13:29 PM, on 6/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
D:\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\MySoftware\InterCom.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DigidesignMMERefresh] D:\Avid\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [OpwareSE2] "D:\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\InterCom.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - D:\Avid\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, June 13, 2007 9:12:27 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 14/06/2007
Kaspersky Anti-Virus database records: 345938
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 120946
Number of viruses found: 3
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 00:48:44

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ryan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ryan\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Ryan\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Ryan\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temp\~DF3559.tmp Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temp\~DF35AD.tmp Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ryan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ryan\ntuser.dat.LOG Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000010-00000000-00000000-00001102-00000004-20011102}.CDF Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\Backup of Optimus Prime\BACKUP\mirc614.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
H:\Backup of Optimus Prime\BACKUP\mirc614.exe mIRC: infected - 1 skipped
H:\Nero\Nero-7.7.5.1_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
H:\Nero\Nero-7.7.5.1_eng_trial.exe RAR: infected - 1 skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

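The scan output above ends with a handful of "Infected" hits and many "Object is locked skipped" lines. As an added example (not part of the original thread or of any scanner's own code), the following Python triages a Kaspersky-style log of that shape: locked system files are separated from actual detections, and detections are split into "not-a-virus" riskware (the RiskTool inside the SmitfraudFix archive, the MyWebSearch AdTool bundled with an installer) versus malware-class names. The sample lines are constructed in the style of the log; the Trojan-Downloader name in the last line is a made-up placeholder used only to exercise the malware branch.

```python
import re
from collections import Counter

# Constructed sample, modelled on the scan-log format seen in the thread.
# The last detection name is a placeholder, not a real signature.
SAMPLE_LOG = """\
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\Documents and Settings\\Ryan\\Desktop\\SmitfraudFix\\SmitfraudFix\\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\\Documents and Settings\\Ryan\\Desktop\\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\\Documents and Settings\\Ryan\\Desktop\\SmitfraudFix.zip ZIP: infected - 1 skipped
H:\\Nero\\Nero-7.7.5.1_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\\example\\dropper.exe Infected: Trojan-Downloader.Win32.Placeholder.a skipped

Scan process completed.
"""

LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
DETECT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
# Archive summary lines such as "... ZIP: infected - 1 skipped"
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\S+): infected - (?P<count>\d+) skipped$")


def classify(name):
    """Kaspersky prefixes riskware/adware with 'not-a-virus:'; everything else is treated as malware."""
    return "riskware" if name.startswith("not-a-virus:") else "malware"


def triage(log_text):
    """Split a scan log into locked files, per-object detections and archive summaries."""
    result = {"locked": [], "findings": [], "containers": []}
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            result["locked"].append(m.group("path"))
            continue
        m = DETECT_RE.match(line)
        if m:
            path = m.group("path")
            result["findings"].append({
                "path": path,
                "name": m.group("name"),
                "category": classify(m.group("name")),
                # A forward slash marks an object inside an archive or installer.
                "in_archive": "/" in path,
            })
            continue
        m = CONTAINER_RE.match(line)
        if m:
            result["containers"].append((m.group("path"), m.group("kind"), int(m.group("count"))))
    return result


def summarize(result):
    """Counts per category; what a helper scanning the log wants to see first."""
    counts = Counter(f["category"] for f in result["findings"])
    counts["locked"] = len(result["locked"])
    counts["containers"] = len(result["containers"])
    return counts


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(dict(summarize(r)))
    for f in r["findings"]:
        if f["category"] == "malware":
            print("needs attention:", f["path"], f["name"])
```

Locked entries are registry hives, event logs and index files that are open while Windows runs; they are not findings. Riskware hits inside a removal tool's archive or a vendor installer are expected noise, whereas anything in the malware bucket is what the helper would act on.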
Shaba
2007-06-14, 10:58
Hi

Logs look good :)

Still problems?

El_Beefcheesemo
2007-06-14, 23:16
Everything seems completely copacetic.

Many thanks for your help, it is most appreciated.

Cheers.

Shaba
2007-06-15, 11:26
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/)- Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/doc/1) - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za)
2) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Comodo (http://www.personalfirewall.comodo.com/)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:

1) Download the latest version of Java Runtime Environment (JRE) 6 Update 1 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
2) Scroll down to where it says "Java Runtime Environment (JRE) 6u1...allows end-users to run Java applications".
3) Click the "Download" button to the right.
4) Read the License Agreement and then check the box that says: "Accept License Agreement".
5) The page will refresh.
6) Click on the link to download Windows Offline Installation and save the file to your desktop.
7) Close any programs you may have running - especially your web browser.
8) Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9) Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
10) Click the Remove or Change/Remove button.
11) Repeat as many times as necessary to remove each Java version.
12) Reboot your computer once all Java components are removed.
13) Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

Update Acrobat Reader to version 8.0.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to disable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with the instructions from the tutorial above.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

1) From within Internet Explorer click on the Tools menu and then click on Options.
2) Click once on the Security tab.
3) Click once on the Internet icon so it becomes highlighted.
4) Click once on the Custom Level button.
5) Change the Download signed ActiveX controls to Prompt.
6) Change the Download unsigned ActiveX controls to Disable.
7) Change the Initialize and script ActiveX controls not marked as safe to Disable.
8) Change the Installation of desktop items to Prompt.
9) Change the Launching programs and files in an IFRAME to Prompt.
10) Change the Navigate sub-frames across different domains to Prompt.
11) When all these settings have been made, click on the OK button.
12) If it prompts you as to whether or not you want to save the settings, press the Yes button.
13) Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online and stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)


Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with an antivirus software, in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)


Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with an antivirus software. A tutorial on installing & using this product can be found here:

Instructions for - Spybot S & D and Ad-aware (http://www.bleepingcomputer.com/forums/?showtutorial=43)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google toolbar to help stop pop-up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!
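The MVPS HOSTS file recommended above works because the resolver consults the local HOSTS file before asking DNS, so a name mapped to 127.0.0.1 never reaches the ad server. As an added example (not part of the thread, the MVPS list or Windows itself), this Python parses a small constructed HOSTS file in the same style, resolves names the way the local override does (first matching entry wins, names compared case-insensitively; both are assumptions about the resolver's behaviour rather than something the post states), and flags any entry that points a name at an address other than loopback or 0.0.0.0. That last check is the one a practitioner adds: a blocking list only ever maps names to the local machine, so any other address in the file is a redirection worth investigating. All hostnames and addresses in the sample are made up.

```python
import ipaddress

# Constructed sample in the style of a blocking HOSTS file; none of these names are real.
SAMPLE_HOSTS = """\
# Blocking entries: the listed names are sent to the local machine
127.0.0.1 localhost
127.0.0.1 ads.example-adserver.test
127.0.0.1 tracker.example-tracker.test    # trailing comments are allowed
0.0.0.0   banner.example-adserver.test    # newer lists prefer the unspecified address

# An entry like this does not block anything: it sends a real name to a third-party host
198.51.100.7 www.example-bank.test
"""


def parse_hosts(text):
    """Return {hostname: ip} from HOSTS-file text, ignoring blank lines and comments.

    Assumption: the first entry for a name wins, matching how the local override
    is normally consulted.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.setdefault(name.lower(), ip)
    return entries


def resolve(hostname, hosts, fallback="DNS"):
    """Emulate the local override: a listed name gets its HOSTS address, anything else goes to DNS."""
    return hosts.get(hostname.lower(), fallback)


def is_blocking_address(ip):
    """Blocking lists map names to loopback (127.x) or the unspecified address (0.0.0.0)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(hosts):
    """Entries that redirect a name to a real address instead of blocking it."""
    return sorted((name, ip) for name, ip in hosts.items() if not is_blocking_address(ip))


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-adserver.test", "unlisted.example.test"):
        print(f"{name} -> {resolve(name, table)}")
    for name, ip in suspicious_entries(table):
        print(f"check this entry: {name} -> {ip}")
```

Running it shows the listed ad host resolving to 127.0.0.1, an unlisted name falling through to DNS, and the bank entry reported for review. On a real system the same check can be run against `C:\WINDOWS\system32\drivers\etc\hosts` after installing a blocking list, to confirm that nothing in the file points anywhere but the local machine.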

Shaba
2007-06-17, 11:25
Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.