Smitfraud and Downloader



iggalileo
2008-02-07, 04:36
Been trying to clean up my computer from Smitfraud & Downloader. I've used Ad-Aware and S&D to clean it up, but I must be missing something because it returns!

I've run Kaspersky, S&D and HJT. Running S&D in safe mode removed Smitfraud and Downloader.

Below is HJT output. Then I'll post the Kaspersky output.

Thanks in advance for all your help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:42 PM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\SYMANT~1\vptray.exe
F:\Program Files\Common Files\AOL\ACS\AOLDial.exe
F:\ImageMate CompactFlash USB\SandIcon.Exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
F:\Program Files\Common Files\AOL\1131118794\ee\AOLSoftware.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\America Online 9.0\aoltray.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Real\RealPlayer\RealPlay.exe
F:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\SYMANT~1\DefWatch.exe
F:\PROGRA~1\SYMANT~1\Rtvscan.exe
F:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
f:\program files\common files\aol\1131118794\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
F:\WINDOWS\System32\svchost.exe
f:\program files\common files\aol\1131118794\ee\aolsoftware.exe
F:\WINDOWS\wanmpsvc.exe
F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F:\WINDOWS\system32\HPZipm12.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: SXG Advisor - {C04C309C-7EC6-4C7A-9BDF-FB28F79C6DC3} - F:\WINDOWS\dntpkwofwt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - F:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O3 - Toolbar: ekxdvft - {9CBC96F1-F837-430D-8D6E-E19ED124D2D2} - F:\WINDOWS\ekxdvft.dll (file missing)
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AOLDialer] F:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SandIcon] F:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "F:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [HostManager] F:\Program Files\Common Files\AOL\1131118794\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "F:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Yahoo! Widgets.lnk = F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = F:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = F:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://F:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - F:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - F:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - F:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} (XNC600NetCam Control) - http://24.227.75.130:81/XNC600NetCam.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - F:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099176926252
O21 - SSODL: bgrlsmn - {B6D88555-A62F-4FF8-99F9-C28661E3218F} - F:\WINDOWS\bgrlsmn.dll (file missing)
O21 - SSODL: adsoowf - {9D17948E-888A-4CC7-A8F1-CF73FB037190} - F:\WINDOWS\adsoowf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - F:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - F:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - F:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - F:\WINDOWS\wanmpsvc.exe

--
End of file - 9850 bytes
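Added example, not part of the thread and not code from HijackThis: a small Python triage script run over a handful of the O2/O3/O16/O21 lines from the log above. It flags the entry types a helper looks at first: orphaned entries whose file is reported missing, BHO/toolbar/shell-extension components loaded straight from the root of the Windows directory (legitimate ones normally live under Program Files or system32), machine-looking filenames, and O16 ActiveX downloads served from a bare IP address. The vowel-ratio heuristic, the threshold, and treating the Windows root as suspect are assumptions for illustration; a finding is a reason to look, not proof of infection.

```python
"""Triage a HijackThis (HJT) log for entries worth a closer look.

Hypothetical helper written for this example; the heuristics below are
assumptions, not HijackThis rules.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the O2/O3/O16/O21 lines from the log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SXG Advisor - {C04C309C-7EC6-4C7A-9BDF-FB28F79C6DC3} - F:\WINDOWS\dntpkwofwt.dll
O3 - Toolbar: ekxdvft - {9CBC96F1-F837-430D-8D6E-E19ED124D2D2} - F:\WINDOWS\ekxdvft.dll (file missing)
O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} (XNC600NetCam Control) - http://24.227.75.130:81/XNC600NetCam.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O21 - SSODL: bgrlsmn - {B6D88555-A62F-4FF8-99F9-C28661E3218F} - F:\WINDOWS\bgrlsmn.dll (file missing)
O21 - SSODL: adsoowf - {9D17948E-888A-4CC7-A8F1-CF73FB037190} - F:\WINDOWS\adsoowf.dll
"""

# "O2 - BHO: <name> - {GUID} - <target>" (also O3 Toolbar, O21 SSODL, ...)
ENTRY_RE = re.compile(r"^(O\d+) - (\w+): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# "O16 - DPF: {GUID} (<name>) - <url or path>"
DPF_RE = re.compile(r"^(O16) - DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (.+)$")
# A .dll/.exe sitting directly in <drive>:\WINDOWS\, not in a subfolder.
WINROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(dll|exe)$", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def looks_random(filename):
    """Assumed heuristic: long, almost vowel-free stems read as generated names."""
    stem = filename.rsplit(".", 1)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.2


def triage_line(line):
    """Return (code, reason, target) findings for one HJT log line."""
    findings = []
    m = DPF_RE.match(line)
    if m:
        code, _guid, _name, url = m.groups()
        host = urlparse(url).hostname or ""
        if IPV4_RE.match(host):
            findings.append((code, "ActiveX control fetched from a bare IP address", url))
        return findings
    m = ENTRY_RE.match(line)
    if not m:
        return findings  # process list, R0/R1 lines etc. are not handled here
    code, _kind, _name, _guid, target = m.groups()
    path = target.replace("(file missing)", "").strip()
    if "(no file)" in target or "(file missing)" in target:
        findings.append((code, "orphaned entry: registered component file is missing", path))
    if WINROOT_RE.match(path):
        findings.append((code, "component loaded from the root of the Windows directory", path))
        if looks_random(path.rsplit("\\", 1)[-1]):
            findings.append((code, "filename looks machine-generated (few vowels)", path))
    return findings


def triage(log_text):
    """Run triage_line over every line of a log; returns all findings in order."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line.strip()))
    return findings


def flagged_targets(log_text):
    """Distinct targets that received at least one finding, in log order."""
    seen = []
    for _code, _reason, target in triage(log_text):
        if target not in seen:
            seen.append(target)
    return seen


if __name__ == "__main__":
    for code, reason, target in triage(SAMPLE_LOG):
        print(f"{code:4} {reason}: {target}")
```

On the sample the script singles out exactly the files SmitfraudFix later reports under F:\WINDOWS (adsoowf.dll, dntpkwofwt.dll) plus the two missing-file entries and the camera control served from an IP, while leaving the Adobe BHO and the Kaspersky scanner control alone.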

iggalileo
2008-02-07, 04:39
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 06, 2008 5:20:41 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/02/2008
Kaspersky Anti-Virus database records: 552144
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 135747
Number of viruses found: 23
Number of infected objects: 40
Number of suspicious objects: 0
Duration of the scan process: 04:50:16

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\AlxTB2.dll Infected: not-a-virus:AdWare.Win32.AlexaBar.a skipped
C:\WINDOWS\SYSTEM32\AlxRes.dll.bak Infected: not-a-virus:AdWare.Win32.AlexaBar.a skipped
C:\Program Files\Hotbar\bin\HbInstIE.dll Infected: not-a-virus:AdWare.Win32.Hotbar.a skipped
C:\Program Files\Hotbar\bin\4.2.11.0\HbInstIE.dll Infected: not-a-virus:AdWare.Win32.Hotbar.a skipped
C:\Program Files\Hotbar\bin\4.2.14.0\Hbinst.exe Infected: not-a-virus:AdWare.Win32.Hotbar.z skipped
C:\Program Files\Hotbar\bin\4.2.14.0\HbInstIE.dll Infected: not-a-virus:AdWare.Win32.Hotbar.z skipped
C:\Program Files\Hotbar\bin\4.2.14.0\HbCoreSrv.dll Infected: not-a-virus:AdWare.Win32.HotBar.a skipped
C:\Program Files\Hotbar\bin\4.2.14.0\HbHostIE.dll Infected: not-a-virus:AdWare.Win32.HotBar.a skipped
C:\Program Files\Hotbar\bin\4.2.14.0\HbSrv.exe Infected: not-a-virus:AdWare.Win32.HotBar.v skipped
C:\Program Files\Hotbar\bin\4.3.1.0\HbInstIE.dll Infected: not-a-virus:AdWare.Win32.Hotbar.z skipped
C:\Program Files\Hotbar\bin\4.3.1.0\hbcoresrv.dll Infected: not-a-virus:AdWare.Win32.HotBar.a skipped
C:\Program Files\Hotbar\bin\4.3.1.0\HbToolbar.dll Infected: not-a-virus:AdWare.Win32.HotBar.ak skipped
C:\Program Files\Hotbar\bin\4.3.1.0\hbhostie.dll Infected: not-a-virus:AdWare.Win32.HotBar.a skipped
C:\Program Files\Hotbar\bin\4.3.1.0\hbsrv.exe Infected: not-a-virus:AdWare.Win32.HotBar.v skipped
C:\Program Files\Hotbar\bin\4.3.5.0\HbInstIE.dll Infected: not-a-virus:AdWare.Win32.HotBar.ce skipped
C:\Program Files\Hotbar\bin\4.3.6.0\HbInstIE.dll Infected: not-a-virus:AdWare.Win32.HotBar.ce skipped
C:\Program Files\Hotbar\bin\4.4.2.0\Hbsrv.exe Infected: not-a-virus:AdWare.Win32.Hotbar.ay skipped
C:\Program Files\Hotbar\bin\4.4.2.0\HbCoreSrv.dll Infected: not-a-virus:AdWare.Win32.Hotbar.m skipped
C:\Program Files\Hotbar\bin\4.4.2.0\HbHostIE.dll Infected: not-a-virus:AdWare.Win32.Hotbar.ay skipped
C:\Program Files\Hotbar\bin\4.4.6.0\HbInstIE.dll Infected: not-a-virus:AdWare.Win32.Hotbar.e skipped
C:\Program Files\Hotbar\bin\4.4.6.0\HbSrv.exe Infected: not-a-virus:AdWare.Win32.Hotbar.ay skipped
C:\Program Files\Hotbar\bin\4.4.6.0\HbCoreSrv.dll Infected: not-a-virus:AdWare.Win32.Hotbar.ak skipped
C:\Program Files\Hotbar\bin\4.4.6.0\HbHostIE.dll Infected: not-a-virus:AdWare.Win32.Hotbar.ay skipped
C:\Program Files\Hotbar\bin\4.4.6.0\HbHostOL.dll Infected: not-a-virus:AdWare.Win32.Hotbar.j skipped
C:\Program Files\Hotbar\bin\4.4.6.0\HbHostOE.dll Infected: not-a-virus:AdWare.Win32.Hotbar.j skipped
C:\Program Files\Hotbar\bin\4.5.1.0\HbInstIE.dll Infected: not-a-virus:AdWare.Win32.Hotbar.p skipped
C:\Program Files\Hotbar\bin\4.5.1.0\HbHostOL.dll Infected: not-a-virus:AdWare.Win32.Hotbar.ao skipped
C:\Program Files\Hotbar\bin\4.5.1.0\HbHostOE.dll Infected: not-a-virus:AdWare.Win32.Hotbar.j skipped
C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL Infected: not-a-virus:AdWare.Win32.MyWay.f skipped
C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\I1BC1Z9M\track.incglobal[1] Infected: Trojan.VBS.Seeker.a skipped
C:\System Volume Information\_restore{EDC70E94-3BF9-428E-BE8F-91E7C13B3AE6}\RP986\A0049523.exe Infected: not-a-virus:Porn-Dialer.Win32.BillPrayer.c skipped
C:\System Volume Information\_restore{EDC70E94-3BF9-428E-BE8F-91E7C13B3AE6}\RP986\A0049524.dll Infected: not-a-virus:AdWare.Win32.AlexaBar.a skipped
F:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
F:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
F:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\986c1004210f57ec84769247ebc4f54c_e56e9f27-5bd7-4e11-9ff2-ffafb0c48064 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ca2e51c99ba8eff3be343965e94d0c75_e56e9f27-5bd7-4e11-9ff2-ffafb0c48064 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d3a734485d33aa572659d9d016690aac_e56e9f27-5bd7-4e11-9ff2-ffafb0c48064 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d578b8376f441328956de31c6297c7cb_e56e9f27-5bd7-4e11-9ff2-ffafb0c48064 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04400000.VBN/setup.exe Infected: Trojan-Downloader.Win32.Agent.hst skipped
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04400000.VBN CAB: infected - 1 skipped
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04400000.VBN CryptZ: infected - 1 skipped
F:\Documents and Settings\Glenn Janik\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3a70ca11.ini.inuse Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\Yahoo\Widget Engine\Widget Data\Yahoo! Finance\finance data.db Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\Yahoo\Widget Engine\Widget Data\Yahoo! Weather\location data.db Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Application Data\Yahoo\Widget Engine\Widgets DB\widgets.db Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\History\History.IE5\MSHist012008020620080207\index.dat Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Temp\BIT1410.tmp Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Temp\hpodvd09.log Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Temp\~DF18F8.tmp Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
F:\Documents and Settings\Glenn Janik\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Glenn Janik\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\Glenn Janik\NTUSER.DAT.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{EDC70E94-3BF9-428E-BE8F-91E7C13B3AE6}\RP986\A0049525.dll Infected: not-a-virus:AdWare.Win32.Vapsup.ami skipped
F:\System Volume Information\_restore{EDC70E94-3BF9-428E-BE8F-91E7C13B3AE6}\RP986\A0049526.dll Infected: not-a-virus:AdWare.Win32.Vapsup.amg skipped
F:\System Volume Information\_restore{EDC70E94-3BF9-428E-BE8F-91E7C13B3AE6}\RP989\change.log Object is locked skipped
F:\WINDOWS\adsoowf.dll Infected: not-a-virus:AdWare.Win32.Vapsup.amh skipped
F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
F:\WINDOWS\dntpkwofwt.dll Infected: not-a-virus:AdWare.Win32.Vapsup.amf skipped
F:\WINDOWS\ffvrdgt.exe Infected: not-a-virus:AdWare.Win32.Vapsup.ame skipped
F:\WINDOWS\SchedLgU.Txt Object is locked skipped
F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
F:\WINDOWS\Sti_Trace.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\default Object is locked skipped
F:\WINDOWS\system32\config\default.LOG Object is locked skipped
F:\WINDOWS\system32\config\Internet.evt Object is locked skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SECURITY Object is locked skipped
F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
F:\WINDOWS\system32\config\software Object is locked skipped
F:\WINDOWS\system32\config\software.LOG Object is locked skipped
F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\system Object is locked skipped
F:\WINDOWS\system32\config\system.LOG Object is locked skipped
F:\WINDOWS\system32\h323log.txt Object is locked skipped
F:\WINDOWS\system32\LogFiles\HTTPERR\httperr3.log Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
F:\WINDOWS\wiadebug.log Object is locked skipped
F:\WINDOWS\wiaservc.log Object is locked skipped
F:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2008-02-07, 15:03
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

See this information?
http://forums.spybot.info/showthread.php?t=16781&page=2

Due to lack of a response to helper this topic has been archived

You have a bunch of junk; I need to investigate a little first.

1) To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

2) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Post the C:\rapport.txt and the uninstall list.

Thanks

iggalileo
2008-02-07, 15:48
Greetings -
First of all, my apologies regarding the archived topic. I didn't realize there'd been an update, but it was my responsibility to check that.

Please note that this is a different system than the system whose topic was archived. I'm assisting my uncle to clean up a bunch of gunk on his computer.

Here is the snipped output from Uninstall Manager. Following that is the rapport.txt output.

Thanks -
John

Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Photoshop Elements 2.0
Adobe Reader 8.1.1
Adobe® Photoshop® Album Starter Edition 3.2
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Toolbar
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
Apple Mobile Device Support
Apple Software Update
Canon Camera Window for ZoomBrowser EX
Canon EOS Kiss REBEL 300D WIA Driver
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities File Viewer Utility 1.3
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
Easy Chef's Million Recipes
Google Earth
Google Toolbar for Internet Explorer
HijackThis 2.0.2
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
hp officejet g series
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Solution Center 7.0
HP Update
ImageMate CompactFlash USB (SDDR-31) Ver. 5.05
iTunes
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
LiveUpdate 1.80 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Picture It! Photo Premium 9
Microsoft Streets and Trips 2004
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Word 2002
Microsoft Works
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Mozilla Firefox (2.0.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
OCR Software by I.R.I.S 7.0
Pure Networks Port Magic
QuickTime
RealPlayer
Shockwave
Spybot - Search & Destroy
Symantec AntiVirus Client
URGE
Viewpoint Media Player
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 2
Yahoo! Install Manager
Yahoo! Widgets

Rapport output:
SmitFraudFix v2.281

Scan done at 8:37:12.77, Thu 02/07/2008
Run from F:\Documents and Settings\Glenn Janik\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\SYMANT~1\vptray.exe
F:\ImageMate CompactFlash USB\SandIcon.Exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
F:\Program Files\Common Files\AOL\1131118794\ee\AOLSoftware.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\America Online 9.0\aoltray.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\SYMANT~1\DefWatch.exe
F:\PROGRA~1\SYMANT~1\Rtvscan.exe
F:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
f:\program files\common files\aol\1131118794\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
F:\WINDOWS\System32\svchost.exe
f:\program files\common files\aol\1131118794\ee\aolsoftware.exe
F:\WINDOWS\wanmpsvc.exe
F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\HPZinw12.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\WINDOWS\system32\notepad.exe
F:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» F:\


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS

F:\WINDOWS\adsoowf.dll FOUND !
F:\WINDOWS\dntpkwo???.dll FOUND !
F:\WINDOWS\ffvrdgt.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» F:\Documents and Settings\Glenn Janik


»»»»»»»»»»»»»»»»»»»»»»»» F:\Documents and Settings\Glenn Janik\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» F:\DOCUME~1\GLENNJ~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» F:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NETGEAR FA311 Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7F12971D-9064-4559-B76F-A3517814A8CD}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7F12971D-9064-4559-B76F-A3517814A8CD}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7F12971D-9064-4559-B76F-A3517814A8CD}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2008-02-07, 15:59
Thanks for returning your information and the feedback. I was looking for this item:
C:\Program Files\Hotbar\ in the uninstall list, I don't see it so we will have to kill it manually a bit later.
Smitfraudfix has located the infection and it has also found this:
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
As this is fixed, the next report often has a very large hosts file. If that is the case, please edit it out before posting the report, items starting with: 127.0.0.1.

http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial if needed

Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Post the C:\rapport.txt and a new HJT log.

Thanks
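
The "hosts file corrupted !" line above is the part of the report worth understanding: a hosts entry overrides DNS, so an entry that pins a security vendor's hostname to 127.0.0.1 (or to any other address) silently cuts that machine off from updates and scanners, while a long list of 127.0.0.1 lines for advertising or tracking hosts is what an immunised hosts file legitimately looks like. The following Python script is an added example, not SmitfraudFix code and not from either poster; it parses a constructed hosts file, separates vendor redirects from ordinary sinkhole entries, and returns a verdict. The watched domains are taken from names mentioned in this thread and are an assumption to extend for your own environment.

```python
"""Audit a Windows hosts file for entries that redirect security-vendor
hostnames, the symptom SmitfraudFix reports as "hosts file corrupted !".
Added example; not SmitfraudFix code and not from the forum posts."""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

# Hostnames that nothing legitimate needs to pin in the hosts file. Built
# from domains mentioned in this thread (an assumption); extend with the
# update/download hosts you rely on.
WATCHED_DOMAINS: Sequence[str] = (
    "spybot.info",
    "kaspersky.com",
    "microsoft.com",
)

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def _is_loopback_or_unspecified(addr: str) -> bool:
    """True for 127.x, ::1, 0.0.0.0 and ::, the usual sinkhole targets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _watched_parent(host: str, watched: Sequence[str]) -> Optional[str]:
    """Return the watched domain that host equals or is a subdomain of."""
    h = host.lower().rstrip(".")
    for d in watched:
        d = d.lower()
        if h == d or h.endswith("." + d):
            return d
    return None


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname on each line.
    '#' comments, blank lines and malformed lines are skipped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, *hosts = fields
        pairs.extend((ip, h) for h in hosts)
    return pairs


def audit_hosts(text: str, watched: Sequence[str] = WATCHED_DOMAINS) -> Dict[str, List[Tuple[str, str]]]:
    """Split hosts entries into three buckets:
      hijacked  - a watched vendor hostname is pinned to any address; whether
                  that is 127.0.0.1 or a foreign IP, the real site is unreachable
      sinkholed - other hostnames pointed at loopback/0.0.0.0, which is what an
                  immunised hosts file looks like (many 127.0.0.1 lines, none
                  of them for vendor sites)
      other     - localhost itself, LAN names, anything else"""
    report: Dict[str, List[Tuple[str, str]]] = {"hijacked": [], "sinkholed": [], "other": []}
    for ip, host in parse_hosts(text):
        if host.lower() in LOCAL_NAMES:
            report["other"].append((ip, host))
        elif _watched_parent(host, watched):
            report["hijacked"].append((ip, host))
        elif _is_loopback_or_unspecified(ip):
            report["sinkholed"].append((ip, host))
        else:
            report["other"].append((ip, host))
    return report


def hosts_look_hijacked(report: Dict[str, List[Tuple[str, str]]]) -> bool:
    """Verdict: any pinned vendor hostname means the file needs restoring."""
    return bool(report["hijacked"])


# Constructed sample input; 203.0.113.7 is a documentation-range address.
SAMPLE_HOSTS = """\
# constructed sample of a Windows hosts file
127.0.0.1       localhost
127.0.0.1 www.spybot.info spybot.info
0.0.0.0   downloads.kaspersky.com
203.0.113.7 windowsupdate.microsoft.com   # pinned to a foreign address
127.0.0.1 ads.example.net
127.0.0.1 tracker.example.org
192.168.0.10 printer.lan
"""

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for bucket, entries in result.items():
        print(f"{bucket}: {len(entries)}")
        for ip, host in entries:
            print(f"  {ip:<14} {host}")
    print("verdict:", "hosts file hijacked" if hosts_look_hijacked(result) else "no vendor redirects")
```

Run against the real file (`%SystemRoot%\system32\drivers\etc\hosts`) the useful output is the hijacked bucket alone; the sinkholed count only tells you how large the file is, which is why the helper asks for those lines to be trimmed before posting.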

iggalileo
2008-02-07, 16:36
Thank you for the understanding.

I went into safe mode and ran SmitfraudFix as recommended. When I ran it, Windows popped up a message saying that VACFix had encountered a problem and had to close. This happened when I ran the scan only (option 1) and when I hit option 2 this last time.

I also did follow the steps for restoring the trusted zone. I am also editing out the large number of 127.0.0.1 entries.

Here's the rapport info...

SmitFraudFix v2.281

Scan done at 9:10:04.70, Thu 02/07/2008
Run from F:\Documents and Settings\Glenn Janik\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» VACFix

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

F:\WINDOWS\adsoowf.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{9D17948E-888A-4CC7-A8F1-CF73FB037190}]
Deleting [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9D17948E-888A-4CC7-A8F1-CF73FB037190}]
F:\WINDOWS\dntpkwo???.dll Deleted
F:\WINDOWS\ffvrdgt.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7F12971D-9064-4559-B76F-A3517814A8CD}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7F12971D-9064-4559-B76F-A3517814A8CD}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7F12971D-9064-4559-B76F-A3517814A8CD}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Here's HJT (run after rebooting - NOT IN SAFE MODE)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:05 AM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\SYMANT~1\vptray.exe
F:\Program Files\Common Files\AOL\ACS\AOLDial.exe
F:\ImageMate CompactFlash USB\SandIcon.Exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
F:\Program Files\Common Files\AOL\1131118794\ee\AOLSoftware.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\America Online 9.0\aoltray.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
f:\program files\common files\aol\1131118794\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
f:\program files\common files\aol\1131118794\ee\aolsoftware.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
F:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\SYMANT~1\DefWatch.exe
F:\PROGRA~1\SYMANT~1\Rtvscan.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\wanmpsvc.exe
F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: SXG Advisor - {C04C309C-7EC6-4C7A-9BDF-FB28F79C6DC3} - F:\WINDOWS\dntpkwofwt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - F:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O3 - Toolbar: ekxdvft - {9CBC96F1-F837-430D-8D6E-E19ED124D2D2} - F:\WINDOWS\ekxdvft.dll (file missing)
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AOLDialer] F:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SandIcon] F:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "F:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [HostManager] F:\Program Files\Common Files\AOL\1131118794\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "F:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Yahoo! Widgets.lnk = F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = F:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = F:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://F:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - F:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - F:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - F:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} (XNC600NetCam Control) - http://24.227.75.130:81/XNC600NetCam.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - F:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099176926252
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - F:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - F:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - F:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - F:\WINDOWS\wanmpsvc.exe

--
End of file - 9211 bytes

pskelley
2008-02-07, 16:59
Thanks for returning your information and the feedback. I am not quite sure what the message was about; that is something recently added to the fix, I believe. The fix seems to have worked; let's do some cleaning and see how the computer runs.

1) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SXG Advisor - {C04C309C-7EC6-4C7A-9BDF-FB28F79C6DC3} - F:\WINDOWS\dntpkwofwt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: ekxdvft - {9CBC96F1-F837-430D-8D6E-E19ED124D2D2} - F:\WINDOWS\ekxdvft.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\SYSTEM32\AlxTB2.dll <<< file

C:\WINDOWS\SYSTEM32\AlxRes.dll.bak <<< file

C:\Program Files\Hotbar\ <<< folder

C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\ <<< contents of this folder

F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\ <<< contents of this folder

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post a new HJT log, tell me how the computer runs.

Now scan with Kaspersky, only post the scan if you have questions and use these settings.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Thanks
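
Step 4 above picks out the O2 (BHO) and O3 (Toolbar) lines whose CLSID is still registered but whose DLL no longer exists, which is exactly what is left behind once SmitfraudFix has deleted the files. The following Python script is an added example, not HijackThis code and not from either poster; it parses a constructed excerpt of the HJT logs posted in this thread and returns the lines that deserve "Fix checked". The "loads from the Windows directory root" heuristic is my assumption, based on where SmitfraudFix found the deleted files in this thread, not a HijackThis rule.

```python
"""Triage HijackThis O2 (BHO) and O3 (Toolbar) lines for orphaned or
suspicious registrations. Added example; not HijackThis code and not
the forum posters' own tooling."""
import re
from typing import Dict, List, Optional

# One HJT line: "O2 - BHO: <name> - {<CLSID>} - <target>"
LINE_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$"
)

# Assumption (heuristic, not an HJT rule): a DLL sitting directly in the
# Windows directory root rather than under Program Files is unusual for a
# legitimate BHO/toolbar; the files SmitfraudFix deleted here lived there.
WINDOWS_ROOT_DLL_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)


def parse_hjt_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an O2/O3 line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry deserves attention (empty list = leave it)."""
    reasons: List[str] = []
    target = entry["target"]
    if target == "(no file)" or target.endswith("(file missing)"):
        reasons.append("orphaned registration: CLSID points at a file that is gone")
    path = target.replace(" (file missing)", "")
    if WINDOWS_ROOT_DLL_RE.match(path):
        reasons.append("loads from the Windows directory root (heuristic)")
    if entry["name"] == "(no name)":
        reasons.append("no display name")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Walk a whole HJT log and collect the O2/O3 lines worth fixing."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({
                "section": entry["section"],
                "name": entry["name"],
                "clsid": entry["clsid"],
                "reasons": reasons,
                "line": line.strip(),
            })
    return findings


# Constructed excerpt of the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SXG Advisor - {C04C309C-7EC6-4C7A-9BDF-FB28F79C6DC3} - F:\WINDOWS\dntpkwofwt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O3 - Toolbar: ekxdvft - {9CBC96F1-F837-430D-8D6E-E19ED124D2D2} - F:\WINDOWS\ekxdvft.dll (file missing)
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\vptray.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

The output is the same four-line fix list pskelley wrote by hand, minus the {FDD3B846-...} entry, which the constructed excerpt leaves out; entries with a live DLL under Program Files produce no reasons and are left alone.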

iggalileo
2008-02-07, 17:49
I completed the steps you requested. The system seems fine for now, but it sometimes takes a couple of hours to restart with popups and such. I will start the Kaspersky run after uploading this; that took about 4 hours last time (during which time about 10 IE windows popped up!), so that should be a pretty good test.

I'll let you know when that's complete.

Here's the HJT.

Thanks again for your help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:48 AM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\SYMANT~1\vptray.exe
F:\Program Files\Common Files\AOL\ACS\AOLDial.exe
F:\ImageMate CompactFlash USB\SandIcon.Exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
F:\Program Files\Common Files\AOL\1131118794\ee\AOLSoftware.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Program Files\America Online 9.0\aoltray.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
f:\program files\common files\aol\1131118794\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
f:\program files\common files\aol\1131118794\ee\aolsoftware.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\SYMANT~1\DefWatch.exe
F:\PROGRA~1\SYMANT~1\Rtvscan.exe
F:\WINDOWS\System32\svchost.exe
F:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
F:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
F:\WINDOWS\wanmpsvc.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
F:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - F:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AOLDialer] F:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SandIcon] F:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "F:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [HostManager] F:\Program Files\Common Files\AOL\1131118794\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "F:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Yahoo! Widgets.lnk = F:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = F:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = F:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://F:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - F:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - F:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - F:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} (XNC600NetCam Control) - http://24.227.75.130:81/XNC600NetCam.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - F:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099176926252
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - F:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - F:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - F:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - F:\WINDOWS\wanmpsvc.exe

--
End of file - 8701 bytes

iggalileo
2008-02-07, 22:24
Finished Kaspersky Scan.
I'll copy just the line of the one virus found.

Scan Statistics:
Total number of scanned objects: 131205
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 04:09:45

C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\I1BC1Z9M\track.incglobal[1] Infected: Trojan.VBS.Seeker.a skipped

One note: The C:\ is their old Windows 98 drive. F:\ is their current boot environment with WindowsXP. I would expect I can delete the file with the virus since we're not really using the C:\.

There were no remaining popups during the virus scan which is a really good sign.

Let me know if there are other things you'd like me to do. Thanks for all your help.

pskelley
2008-02-07, 22:48
Kaspersky Scan <<< posted 16:24 2/7/2008
Delete the contents of that TIF folder in red
C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\I1BC1Z9M\track.incglobal[1] Infected: Trojan.VBS.Seeker.a skipped

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

iggalileo
2008-02-07, 23:00
I deleted the temporary internet files under C:\. I will also review the websites you recommended. Thanks.

I did have explorer.exe die on me (but it restarted fine) once in between our last messages, but things appear to be ok so far. I'm going to make sure Windows is updated and then revert a few of the settings so my uncle doesn't get in trouble.

Thanks for all your help.

John

iggalileo
2008-02-09, 03:17
Ran through the night without an issue. Thanks again for all your help. Let me know if there's anything else you'd like me to upload.

Regards -
John