Backdoor.Win32.SdBot.genA



kermit12
2007-09-21, 08:46
Hello, first time here, long-time user of Spybot. A friend (well, maybe not now) sent this via Messenger to download pictures. I scanned the file first with OneCare and it did not see a threat. After I opened the file and saw a blank folder I knew I had screwed up. A short time later OneCare stopped this file and put it in Quarantine, over and over. I then found your site here and got SDFix. Thank you, this is the log file. I will post the other one in a few minutes.

SDFix: Version 1.106

Run by JMH on Fri 09/21/2007 at 12:53 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\IMG-1709.zip - Deleted
C:\WINDOWS\IMG-2293.zip - Deleted
C:\WINDOWS\IMG-2388.zip - Deleted
C:\WINDOWS\IMG-2623.zip - Deleted
C:\WINDOWS\IMG-2716.zip - Deleted
C:\WINDOWS\IMG-7444.zip - Deleted
C:\WINDOWS\IMG-7490.zip - Deleted
C:\WINDOWS\IMG-8242.zip - Deleted
C:\WINDOWS\system\Explorer.EXE - Deleted
C:\WINDOWS\Temp\kernel.sys - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe:*:Disabled:pcAnywhere Host Service"
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe:*:Disabled:pcAnywhere Remote Service"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\WINDOWS\\system\\explorer.exe"="C:\\WINDOWS\\system\\explorer.exe:*:Enabled:Windows Sharing"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\JMH\Local Settings\Application Data\Microsoft\Messenger\kermit12@bellsouth.net\Sharing Folders\bettyboot2000@aol.com\Thumbs.db
C:\Documents and Settings\JMH\Local Settings\Application Data\Microsoft\Messenger\kermit12@bellsouth.net\Sharing Folders\dtoby555@aol.com\Thumbs.db
C:\Documents and Settings\JMH\Local Settings\Application Data\Microsoft\Messenger\kermit12@bellsouth.net\Sharing Folders\freakyteen2001@hotmail.com\Thumbs.db
C:\Documents and Settings\JMH\NetHood\www.thekaratevoice.com\Desktop.ini
C:\Documents and Settings\JMH\NetHood\www.trpost.com\Desktop.ini
C:\Documents and Settings\JMH\NetHood\www.ufxtrading.com\Desktop.ini
C:\WINDOWS\WCBurn\MainBck\C$\Documents and Settings\JMH\Local Settings\Application Data\Microsoft\Messenger\kermit12@bellsouth.net\Sharing Folders\bettyboot2000@aol.com\Thumbs$@.db
C:\WINDOWS\WCBurn\MainBck\C$\Documents and Settings\JMH\Local Settings\Application Data\Microsoft\Messenger\kermit12@bellsouth.net\Sharing Folders\dtoby555@aol.com\Thumbs$@.db
C:\WINDOWS\WCBurn\MainBck\C$\Documents and Settings\JMH\Local Settings\Application Data\Microsoft\Messenger\kermit12@bellsouth.net\Sharing Folders\freakyteen2001@hotmail.com\Thumbs$@.db
C:\Corel\Graphics8\Programs\CNSFlt80.dll
C:\Corel\Graphics8\Programs\convintl.dll
C:\Corel\Graphics8\Programs\Mos1680.dll
C:\Corel\Graphics8\Programs\Mos3280.dll
C:\WINDOWS\WCBurn\MainBck\C$\Corel\Graphics8\Programs\CNSFlt80$@.dll
C:\WINDOWS\WCBurn\MainBck\C$\Corel\Graphics8\Programs\convintl$@.dll
C:\WINDOWS\WCBurn\MainBck\C$\Corel\Graphics8\Programs\Mos1680$@.dll
C:\WINDOWS\WCBurn\MainBck\C$\Corel\Graphics8\Programs\Mos3280.dll
C:\Documents and Settings\JMH\Application Data\U3\temp\Launchpad Removal.exe
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Documents and Settings\Administrator\NTUSER.DAT.COPY.TMP.LOG
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\JMH\Application Data\Microsoft\Office\Shortcut Bar\Off3.tmp
C:\Documents and Settings\JMH\Application Data\Microsoft\Word\~WRL3933.tmp
C:\WINDOWS\Sdold\Download\S-1-5-18\fae07e039033422a6b96e2afd2b4e600\BIT27.tmp
C:\WINDOWS\SoftwareDistribution\Download\cc642f40169f98e3642fab98abc47d75\BIT6.tmp
C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT5.tmp
C:\WINDOWS\WCBurn\MainBck\C$\Documents and Settings\JMH\Application Data\Microsoft\Office\Shortcut Bar\Off3.tmp
C:\WINDOWS\WCBurn\MainBck\C$\Documents and Settings\JMH\Application Data\Microsoft\Word\~WRL3933$@.tmp

Finished!

Shaba
2007-09-21, 19:07
Hi kermit12

Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Double-click on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch HijackThis.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and paste the log in your next reply.
DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Shaba
2007-09-28, 14:45
Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.