KillSec still lives on - please can someone help me?



Fizzy
2006-04-27, 20:55
Hi, I posted before (the link is http://forums.spybot.info/showthread.php?t=4023). I have managed to get rid of Teslaplus, Avenue A & Media Plex, but KillSec is a die-hard trojan that I just cannot fix. Please can someone help me, I have tried everything! Thank you.

Here is a copy of my HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 12:46:27 PM, on 4/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hijackthis\HijackThis.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WinMedia] "C:\WINDOWS\System32\vxgame6.exe3584.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145070034968
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O20 - Winlogon Notify: s_reg - notifysb.dll (file missing)
O21 - SSODL: ubtlbr - {847EF305-A06E-4C41-856B-A677631B0CDE} - ubtlbr.dll (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Fizzy
2006-04-28, 02:31
Sorry to post again. It seems that as soon as I think I have gotten rid of the 4 trojans I had, they are back again; when I run Spybot a couple of times it cleans them up again, but how come they are coming back? Any suggestions?

CalamityJane
2006-04-29, 20:06
Can we see a fresh Hijackthis log please? :)

I'll be glad to help you from here on out

Fizzy
2006-04-29, 21:02
Hi, thanks for your help. Please find attached my up-to-date HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:01:36 PM, on 4/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\cisvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WinMedia] "C:\WINDOWS\System32\vxgame6.exe3584.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145070034968
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O20 - Winlogon Notify: s_reg - notifysb.dll (file missing)
O21 - SSODL: ubtlbr - {847EF305-A06E-4C41-856B-A677631B0CDE} - ubtlbr.dll (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

CalamityJane
2006-04-29, 21:24
Make sure your PC is configured to show hidden files
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.
.......................................
Open HijackThis and choose to do a *scan only*. When it finishes, place a checkmark next to the following and then press the *fix checked* button


O4 - HKCU\..\Run: [WinMedia] "C:\WINDOWS\System32\vxgame6.exe3584.exe"

O20 - Winlogon Notify: directpt - directpt.dll (file missing)

O20 - Winlogon Notify: s_reg - notifysb.dll (file missing)

O21 - SSODL: ubtlbr - {847EF305-A06E-4C41-856B-A677631B0CDE} - ubtlbr.dll (file missing)

Delete this file:
C:\WINDOWS\System32\vxgame6.exe3584.exe

Reboot your computer.

Next -

Please download Rootkit Revealer
http://www.sysinternals.com/utilities/rootkitrevealer.html
(link is at the very bottom of the page)

Unzip it to your desktop.
Open the rootkitrevealer folder and double-click rootkitrevealer.exe
Click the Scan button (bottom right)
It may take a while to scan (don't do any other tasks or surfing while it's running)
When it's done, go up to File > Save. Choose to save it to your desktop.
Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

Then please also post a fresh HijackThis log.
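
The HJT lines picked out above (an O4 Run value with an odd double-extension name in System32, O20 Winlogon Notify and O21 SSODL keys whose DLLs are already gone) are the persistence locations a helper reads first. The script below is an added example by the editor, not a HijackThis or Spybot tool, and not code from anyone in this thread: it parses those sections of a 1.99-format log and ranks the entries the way the instructions above treat them. The sample log lines are constructed in HJT format to mirror the entries posted above; the System32 allowlist and the severity scheme are my assumptions, not HJT's.

```python
"""Triage the persistence entries in a HijackThis 1.99 log: O4 Run values,
O20 Winlogon Notify, O21 SSODL, O18 protocol handlers and O23 services.

Added example by the editor, not a HijackThis or Spybot tool.  The sample
lines are constructed in HJT format to mirror the entries posted above."""

import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WinMedia] "C:\WINDOWS\System32\vxgame6.exe3584.exe"
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O20 - Winlogon Notify: s_reg - notifysb.dll (file missing)
O21 - SSODL: ubtlbr - {847EF305-A06E-4C41-856B-A677631B0CDE} - ubtlbr.dll (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O20"
    severity: str  # "high", "medium" or "low"
    item: str      # Run value name, Notify/SSODL subkey, or service short name
    reason: str
    line: str      # original log line, ready to paste into a reply


SECTION_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run\w*: \[([^\]]*)\] (.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (\S+) - (.*)$")
O21_RE = re.compile(r"^SSODL: (\S+) - \{[0-9A-Fa-f-]+\} - (.*)$")
O23_RE = re.compile(r"^Service: (.*?) \((.*?)\) - (.*?) - (.*)$")
# e.g. "vxgame6.exe3584.exe": an executable extension buried inside the name
DOUBLE_EXT_RE = re.compile(r"\.(exe|com|scr|pif|bat|cmd)[^.\\]*\.(exe|com|scr|pif|bat|cmd)$", re.I)
MISSING = "(file missing)"

# Assumption: on XP the only per-user Run value normally launched straight out
# of System32 is ctfmon.exe; extend this for the machine you are looking at.
SYSTEM32_RUN_ALLOWLIST = {"ctfmon.exe"}


def image_path(cmd):
    """Return the executable path from an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # bare command lines in HJT output carry their switches as " /x" or " -x"
    return re.split(r"\s+[/-]", cmd, maxsplit=1)[0]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(log_text):
    findings = []
    for raw in log_text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        missing = MISSING in body
        if section == "O4" and (o4 := O4_RE.match(body)):
            hive, name, cmd = o4.groups()
            path = image_path(cmd)
            exe = basename(path)
            if DOUBLE_EXT_RE.search(exe):
                findings.append(Finding(section, "high", name, f"double extension in {exe}", raw))
            elif "\\system32\\" in path.lower() and exe.lower() not in SYSTEM32_RUN_ALLOWLIST:
                findings.append(Finding(section, "medium", name, f"{hive} Run value launching an unlisted binary from System32", raw))
        elif section == "O20" and (o20 := O20_RE.match(body)):
            sub, _dll = o20.groups()
            why = ("orphaned Winlogon Notify key (DLL gone, key remains)" if missing
                   else "non-default Winlogon Notify DLL present: inspect before removing")
            findings.append(Finding(section, "high", sub, why, raw))
        elif section == "O21" and (o21 := O21_RE.match(body)):
            sub, _dll = o21.groups()
            why = ("orphaned SSODL entry (DLL gone, key remains)" if missing
                   else "non-default SSODL DLL loads into explorer.exe: inspect before removing")
            findings.append(Finding(section, "high", sub, why, raw))
        elif section == "O18" and missing:
            scheme = body.split(" - ")[0].split(": ", 1)[-1]
            findings.append(Finding(section, "low", scheme, "orphaned protocol handler", raw))
        elif section == "O23" and (o23 := O23_RE.match(body)):
            _display, short, owner, _cmd = o23.groups()
            if owner == "Unknown owner":
                findings.append(Finding(section, "low", short, "service binary carries no company/version info", raw))
    return findings


def by_severity(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.section} {f.item}: {f.reason}")
```

On the sample it reports the WinMedia value and the three orphaned Notify/SSODL keys as high, and the missing msnim handler plus the "Unknown owner" McAfee service as low. A "(file missing)" entry is safe to fix in HJT because only the registry key is left; an O20/O21 entry whose DLL is still present is the one to look at before removing anything.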

Fizzy
2006-04-29, 22:53
Not sure that this is what you need; the PC was acting a little 'off' after the scan. Also, I could not find a file called C:\WINDOWS\System32\vxgame6.exe3584.exe

Here is the RootkitRevealer log:

C:\WINDOWS\System32\vxgame6.exe3584.exe



Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:53:27 PM, on 4/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\cisvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145070034968
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

CalamityJane
2006-04-29, 23:20
There should be more info from the Rootkit Revealer to go with that file, however, let's use this tool:

Post a report from this tool. Download Blacklight from F-Secure
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click on bibeta.exe to run it.
Click the *I accept* button near the bottom of that page.
Click > scan, then > next, next again, then exit.
There will be a new text file near BlackLight. Post it please. The text file is named:
fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
!!Do not rename any files yet

Fizzy
2006-04-29, 23:48
Does this look right?


04/29/06 15:44:05 [Info]: BlackLight Engine 1.0.36 initialized
04/29/06 15:44:05 [Info]: OS: 5.1 build 2600 (Service Pack 1)
04/29/06 15:44:05 [Note]: 7019 4
04/29/06 15:44:05 [Note]: 7005 0
04/29/06 15:44:11 [Note]: 7006 0
04/29/06 15:44:11 [Note]: 7011 1812
04/29/06 15:44:11 [Note]: 7026 0
04/29/06 15:44:11 [Note]: 7026 0
04/29/06 15:44:17 [Note]: FSRAW library version 1.7.1015
04/29/06 15:45:25 [Note]: 7007 0

CalamityJane
2006-04-29, 23:52
Yes, that's good for Blacklight. But I don't see any files listed.

Was RootkitRevealer blank? The way your post was written it looked like it had listed the file:

Here is the RootkitRevealer log

C:\WINDOWS\System32\vxgame6.exe3584.exe :scratch:

Fizzy
2006-04-30, 00:13
Yes, that was the one file that it listed - I shall run it again just to make sure.

Fizzy
2006-04-30, 00:57
OK, this rootkit log is huge so it may take a couple of posts:

C:\Documents and Settings\Fiona\Cookies\fiona@advertising[1].txt 4/29/2006 4:21 PM 82 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Cookies\fiona@barrons[1].txt 4/29/2006 4:21 PM 441 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Cookies\fiona@counter1.sextracker[1].txt 4/29/2006 4:32 PM 93 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Cookies\fiona@dell[1].txt 4/29/2006 4:26 PM 204 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Cookies\fiona@doubleclick[1].txt 4/29/2006 4:21 PM 82 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Cookies\fiona@finance.yahoo[1].txt 4/29/2006 4:24 PM 77 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Cookies\fiona@free[1].txt 4/29/2006 4:28 PM 236 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Cookies\fiona@questionmarket[1].txt 4/29/2006 4:21 PM 221 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Cookies\fiona@revsci[2].txt 4/29/2006 4:20 PM 249 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Cookies\fiona@sexlist[1].txt 4/29/2006 4:34 PM 82 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Cookies\fiona@sextracker[1].txt 4/29/2006 4:32 PM 113 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Cookies\fiona@www.xnxx[1].txt 4/29/2006 4:28 PM 65 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Cookies\fiona@www.xnxx[2].txt 4/29/2006 4:28 PM 383 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Cookies\fiona@yahoo[1].txt 4/29/2006 4:22 PM 82 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\03[1].jpg 4/29/2006 4:29 PM 6.69 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\1007[1].jpg 4/29/2006 4:34 PM 100.74 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\10990[2].html 4/29/2006 4:22 PM 41.96 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\10[1].jpg 4/29/2006 4:29 PM 6.80 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\11[1].jpg 4/29/2006 4:29 PM 4.86 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\157[1].htm 4/29/2006 4:29 PM 6.62 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\16[1].jpg 4/29/2006 4:29 PM 6.24 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\16x16_smiley-wink[1].gif 4/29/2006 4:26 PM 413 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\170x40406[1].gif 4/29/2006 4:20 PM 11.29 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\3[2].gif 4/29/2006 4:33 PM 589 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\420mkt[2].html 4/29/2006 4:24 PM 40.02 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\45009381_39247.13473159.bigthumb[1].gif 4/29/2006 4:28 PM 1.92 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\45585055_90890.11843420.bigthumb[1].gif 4/29/2006 4:28 PM 3.20 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\7[1].gif 4/29/2006 4:33 PM 568 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\_;ord=1146345883622648[1] 4/29/2006 4:24 PM 5.11 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\A_bol_30dayIFP_79_39[1].gif 4/29/2006 4:21 PM 18.42 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\Alicia_Rhodes_003[1].jpg 4/29/2006 4:32 PM 2.63 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\Amy_Reid_001[1].jpg 4/29/2006 4:32 PM 3.65 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\an[1].jpg 4/29/2006 4:28 PM 2.24 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\assparade_01[1].gif 4/29/2006 4:34 PM 17.81 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\at_btn_svc_170x40[1].gif 4/29/2006 4:20 PM 6.56 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\b-tourfinal07202004115253[1].gif 4/29/2006 4:20 PM 5.18 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\B_barronsBlank[1].gif 4/29/2006 4:21 PM 178 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\back[1].gif 4/29/2006 4:31 PM 317 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\back[1].jpg 4/29/2006 4:29 PM 28.45 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\backtoxnxx[1].gif 4/29/2006 4:28 PM 1.93 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\barrons[1].css 4/29/2006 4:20 PM 16.71 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\barrons[2].css 4/29/2006 4:20 PM 16.71 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\BarronsEntryPopup[1].gif 4/29/2006 4:20 PM 37.59 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\BarronsExitPopup[1].gif 4/29/2006 4:21 PM 36.60 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\bgImage4x11[1].gif 4/29/2006 4:20 PM 69 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\bisex[1].jpg 4/29/2006 4:28 PM 4.56 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\bolmarkpromo06[1].gif 4/29/2006 4:20 PM 5.58 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\boo[1].jpg 4/29/2006 4:28 PM 5.25 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\bookmark[1].gif 4/29/2006 4:28 PM 3.10 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\bookmarkthispage[1].gif 4/29/2006 4:28 PM 1.96 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\Breaking_News[1].gif 4/29/2006 4:20 PM 528 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\butpornstars04[1].gif 4/29/2006 4:32 PM 914 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\butsupermodels05[1].gif 4/29/2006 4:32 PM 1.02 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\button_find[1].gif 4/29/2006 4:25 PM 279 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\butwhatsnew[1].gif 4/29/2006 4:32 PM 1.52 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\CA0DQL9E.swf 4/29/2006 4:24 PM 44.14 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\CAOXI7S5.gif 4/29/2006 4:24 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\CAXSCR5H.swf 4/29/2006 4:20 PM 29.89 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\CAY7G1EJ.gif 4/29/2006 4:22 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\chu[1].jpg 4/29/2006 4:28 PM 4.44 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\context[1] 4/29/2006 4:21 PM 4.47 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\Daisy_Dukes_001[1].jpg 4/29/2006 4:32 PM 2.92 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\dcf-title[1].gif 4/29/2006 4:26 PM 1.73 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\devil_06[1].jpg 4/29/2006 4:33 PM 826 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\devil_14[1].jpg 4/29/2006 4:33 PM 323 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\devil_29[1].jpg 4/29/2006 4:33 PM 498 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\dm_client_barrons[1].js 4/29/2006 4:20 PM 10.16 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\dsc_0093[1].jpg 4/29/2006 4:31 PM 5.84 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\dsc_0118[1].jpg 4/29/2006 4:31 PM 6.90 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\dsc_0122[1].jpg 4/29/2006 4:31 PM 7.03 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\dsc_0145[1].jpg 4/29/2006 4:31 PM 5.11 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\dsc_0148[1].jpg 4/29/2006 4:31 PM 132.51 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\dvd2[1].gif 4/29/2006 4:33 PM 1.34 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\e[1].htm 4/29/2006 4:33 PM 7.21 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\environment-sunset[1].gif 4/29/2006 4:26 PM 1.36 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\expandable_nav_inst_off[1].gif 4/29/2006 4:25 PM 118 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\expandable_nav_small_off[1].gif 4/29/2006 4:25 PM 118 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\external[1].png 4/29/2006 4:21 PM 165 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\f2[1].gif 4/29/2006 4:28 PM 1.36 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\f3[1].gif 4/29/2006 4:28 PM 1.33 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\f9[1].gif 4/29/2006 4:28 PM 1.39 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\fr_index_left[1].js 4/29/2006 4:32 PM 8.32 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\fr_index_right[1].js 4/29/2006 4:32 PM 8.36 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\free-flag[1].gif 4/29/2006 4:24 PM 125 bytes Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\freeones[1].htm 4/29/2006 4:32 PM 48.49 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\front;famil=news;msrc=null;null;u=SatApr29172042EDT200601263925099;sz=120x600;ptile=1;ord=1610161016101610;[1] 4/29/2006 4:21 PM 4.67 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\gang[1].jpg 4/29/2006 4:28 PM 4.99 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\gnavb_200602071227[2].css 4/29/2006 4:24 PM 6.04 KB Hidden from Windows API.
C:\Documents and Settings\Fiona\Local Settings\Temporary Internet Files\Content.IE5\0DY38DIJ\google[1] 4/29/2006 4:10 PM 4.03 KB Visible in Windows API, but not in MFT or directory inde

CalamityJane
2006-04-30, 01:32
Ok, the important instruction here is not to do anything else with the computer while scanning with Rootkit Revealer. The huge report comes as a result of your surfing while the scan runs. Just start the scan and don't do any other tasks until it is finished. :)

Fizzy
2006-04-30, 18:41
Hi, sorry about that horrid log. I told my husband not to use the computer and he has now confessed to using it :mad:

I have banned him from touching it today and am running another scan - will post when it is finished. Thanks.

CalamityJane
2006-04-30, 19:44
Ah, ok Fizzy...surfing while scanning would explain it LOL. Will wait for the next log :bigthumb:

Fizzy
2006-04-30, 20:08
New log and also HJT log:

C:\System Volume Information\catalog.wci\00010003.ci 4/30/2006 10:46 AM 212.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010003.dir 4/30/2006 10:46 AM 1.02 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.000 4/30/2006 10:05 AM 240 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffc.001 4/30/2006 10:05 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffc.002 4/30/2006 10:05 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffd.000 4/30/2006 10:46 AM 240 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.001 4/30/2006 10:46 AM 64.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.002 4/30/2006 10:46 AM 64.00 KB Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 4/30/2006 10:39 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.

Fizzy
2006-04-30, 20:08
Logfile of HijackThis v1.99.1
Scan saved at 12:08:29 PM, on 4/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\WINDOWS\System32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Fiona\Local Settings\Temp\wz6c1\RootkitRevealer.exe
C:\DOCUME~1\Fiona\LOCALS~1\Temp\FJQPUFWL.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145070034968
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: FJQPUFWL - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Fiona\LOCALS~1\Temp\FJQPUFWL.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RQXCFD - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Fiona\LOCALS~1\Temp\RQXCFD.exe

CalamityJane
2006-04-30, 20:21
Great, that file is not listed on RootkitRevealer. It all looks ok.

Are you seeing any problems remaining on your end?
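
The logs above carry a pattern worth scripting when you triage many of these: services such as FJQPUFWL and RQXCFD that start from a user's Temp folder (here the randomly named copies RootkitRevealer runs, which the helper checked and judged fine) sit next to dangling "(file missing)" entries that are leftovers rather than an infection. The following is an added example, not code from the thread, from HijackThis or from Sysinternals: it reads a HijackThis-style log, pulls the running-process list and the O23 service lines, marks anything launched from a Temp folder for review, and files "(file missing)" entries under cleanup. The log excerpt is constructed from entries posted in this thread, and the severity labels are this example's own.

```python
"""Triage a HijackThis-style log: flag services and processes that start from
a Temp folder, and separate dangling "(file missing)" entries from them.

Added example for this thread; not HijackThis or Sysinternals code. The log
excerpt below is constructed from the entries posted in the thread, and the
severity labels ("review", "cleanup", "info") are this example's own.
"""
import re
from collections import Counter

# Constructed excerpt modelled on the HijackThis logs posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:08:29 PM, on 4/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\Fiona\LOCALS~1\Temp\FJQPUFWL.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: FJQPUFWL - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Fiona\LOCALS~1\Temp\FJQPUFWL.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
"""

# A path component named exactly "Temp" (LOCALS~1\Temp, Local Settings\Temp, ...).
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Any "Oxx - " entry other than O23; services are handled separately.
OTHER_ENTRY_RE = re.compile(r"^O(?!23)\d+ - ")


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' (up to the blank line)."""
    procs, collecting = [], False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def services(log_text):
    """Return (name, vendor, command) for each O23 service line.

    The line format is 'O23 - Service: <name> - <vendor...> - <command>'; the
    vendor part may itself contain ' - ', so take the first and last fields.
    """
    out = []
    prefix = "O23 - Service: "
    for line in log_text.splitlines():
        if not line.startswith(prefix):
            continue
        fields = line[len(prefix):].split(" - ")
        out.append((fields[0], " - ".join(fields[1:-1]), fields[-1]))
    return out


def triage(log_text):
    """Return a list of findings, each {kind, item, severity, reason}."""
    findings = []
    for path in running_processes(log_text):
        if TEMP_DIR_RE.search(path):
            findings.append({"kind": "process", "item": path, "severity": "review",
                             "reason": "runs from a Temp folder"})
    for name, vendor, command in services(log_text):
        reasons, severity = [], None
        if TEMP_DIR_RE.search(command):
            reasons.append("binary starts from a Temp folder")
            severity = "review"
        if "(file missing)" in command:
            reasons.append("service binary is missing on disk")
            severity = severity or "cleanup"
        if vendor == "Unknown owner":
            reasons.append("no vendor recorded")
            severity = severity or "info"
        if reasons:
            findings.append({"kind": "service", "item": name, "severity": severity,
                             "reason": "; ".join(reasons)})
    # Dangling O4/O18/... entries point at nothing and are cleanup, not infection.
    for line in log_text.splitlines():
        if OTHER_ENTRY_RE.match(line) and "(file missing)" in line:
            kind, item = line.split(" - ", 1)
            findings.append({"kind": kind, "item": item, "severity": "cleanup",
                             "reason": "entry points at a file that no longer exists"})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'review': 2, 'cleanup': 2, 'info': 1}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:7}] {f['kind']}: {f['item']}  ({f['reason']})")
    print(summarize(triage(SAMPLE_LOG)))
```

On the constructed excerpt this yields two "review" items (the Temp-folder process and its matching service), two "cleanup" items (the msnim protocol handler and the nmraapache service, both "(file missing)") and one "info" item (McShield with no vendor). A Temp-folder hit is a prompt to identify the file, as the helper did with RootkitRevealer, not a verdict on its own.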

Fizzy
2006-04-30, 21:16
OK,

I have run Spybot again and this is what it has found:

KillSec - 3 registry key entries
Advertising.com - 1 cookie
SexList - 1 cookie
SexTracker - 1 cookie

I have no idea how they got there. I thought Spybot would protect against it, but I also have AntiSpyware and all it does is sometimes alert me to a change in a hosts file.

Spybot will go on and fix all the problems but KillSec, which consistently comes back on an SB report... but then, eventually, I will have other entries coming up, like all the ones today which are new - what the heck is going on? Is it going to be easier for me just to admit defeat and totally re-format my HD?

Thanks.

Fizzy
2006-04-30, 21:21
Also, here is my HJT Log, after I have cleaned using SB and I have also deleted all my cookies and internet files - I think it looks different.

Logfile of HijackThis v1.99.1
Scan saved at 1:19:04 PM, on 4/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\WINDOWS\System32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145070034968
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RQXCFD - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Fiona\LOCALS~1\Temp\RQXCFD.exe

CalamityJane
2006-04-30, 21:47
Your HijackThis log looks fine. That's because there is no active infection (that's all it looks for).

The 3 registry keys are not an active infection with no files to go with them.

And cookies are not a critical threat - they are also not an infection.

What error does Spybot give and what are the registry entries giving a problem?

This is really only down to some minor cleanup, not an active infection at this point. Now if you really want to reformat at this point, I think it's over-reacting. :(

Fizzy
2006-04-30, 22:08
Ok, so you don't think that I have got anything to worry about anymore? I wonder if I could maybe post a copy of a HJT log sometime during the week (maybe Tuesday) after we have been using the pc like usual and see if anything has appeared? I shall also run another SB scan and see what it picks up. I am just concerned about confidential information, like using my visa number online being open to someone else's viewing.

I appreciate all your help, thank you very much.

Fi.

CalamityJane
2006-04-30, 22:25
"Ok, so you don't think that I have got anything to worry about anymore?"

Correct! Some leftovers in the registry are harmless without the files they point to (so pointing nowhere actually) - they can't "do" anything. We can help you get rid of them as a matter of cleanup but there is no active infection running on your PC.

"I wonder if I could maybe post a copy of a HJT log sometime during the week (maybe Tuesday) after we have been using the pc like usual and see if anything has appeared?"

Sure :)

"I shall also run another SB scan and see what it picks up"

Ok, write down all the info it finds on those keys.

"I am just concerned about confidential information, like using my visa number online being open to someone else's viewing."

You're fine at this point. Do take care to watch your accounts in case anything was stolen during the infection, but that infection has now been cleared :)

"I appreciate all your help, thank you very much."

You're quite welcome, glad we could help :)

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP... why?

One of the best features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
Go to Start > Run, click on *My Computer*.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
Go to Start > Run, click on *My Computer*.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;310405

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

"So, how did I get infected in the first place?" (by Tony Klein)
http://forums.spybot.info/showthread.php?t=279

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE.
Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!
Windows Update
http://update.microsoft.com/microsoftupdate/

And see this link for instructions on how to configure the enhanced security features in SP2:
http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/iesecxp.mspx

I also highly recommend getting the free tool Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provide easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

Fizzy
2006-05-03, 21:03
Hi Calamity Jane,

As promised I am now updating you on the situation:

Ran SB and it found the usual KillSec but also Smitfraud-C and Tibs.vq - as usual it says that it has fixed the problem and so far the PC is acting fine. For your reference the message I get regarding KillSec is the following:

HKey_local_machine\system\ControlSet003\Control\InitRegKey
HKey_local_machine\system\ControlSet001\Control\InitRegKey
HKey_local_machine\system\CurrentControlSet\Control\InitRegKey

And I have done a HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:55:14 PM, on 5/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145070034968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146497230453
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RQXCFD - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Fiona\LOCALS~1\Temp\RQXCFD.exe

CalamityJane
2006-05-03, 21:59
Please open Spybot in Advanced MODE>Tools>View Report> View previous report
Logs>Checks (the one with the date where you *fixed* these new appearances)

Can you copy that log and post it back here so I can see what it found?

Fizzy
2006-05-03, 22:18
Sure, here it is:


--- Report generated: 2006-05-03 09:42 ---

HotsearchBar: Temporary file (File, nothing done)
C:\Documents and Settings\Robert\Local Settings\Temp\nsw82.tmp

Smitfraud-C.: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-839522115-606747145-725345543-1003\WindowsSubVersion

Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

KillSec: System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\InitRegKey

KillSec: System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\InitRegKey

KillSec: System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\InitRegKey

Tibs.vq: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-839522115-606747145-725345543-1003\ColorTable19

Tibs.vq: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-839522115-606747145-725345543-1003\ColorTable20


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-04-24 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-04-21 Includes\Cookies.sbi (*)
2006-04-21 Includes\Dialer.sbi (*)
2006-04-21 Includes\Hijackers.sbi (*)
2006-04-21 Includes\Keyloggers.sbi (*)
2006-04-21 Includes\Malware.sbi (*)
2006-04-21 Includes\PUPS.sbi (*)
2006-04-21 Includes\Revision.sbi (*)
2006-04-21 Includes\Security.sbi (*)
2006-04-21 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-04-21 Includes\Trojans.sbi (*)
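
The helper's point earlier in the thread is that registry keys with no file behind them are leftovers, not an active infection, and the report above is where that distinction has to be read off. The following is an added example, not part of the thread and not Spybot's own code: it parses a Spybot - Search & Destroy 1.4 "Checks" report into one record per detection and then sorts each product into file-backed detections, changed settings (the "Registry change" entries such as the Security Center notification switches) and registry-only leftovers. It also folds ControlSet001, ControlSet003 and CurrentControlSet together, since CurrentControlSet is an alias for one of the numbered sets and a single leftover key shows up once per set, which is why KillSec reports three entries. The report excerpt is constructed from the entries posted above; the class names and the folding are this example's own choices.

```python
"""Parse a Spybot - Search & Destroy 1.4 'Checks' report and sort what it found
into file-backed detections, changed settings and registry-only leftovers.

Added example; not part of the thread and not Spybot's own code. The report
excerpt is constructed from entries posted in the thread; the class names and
the ControlSet folding are this example's own choices.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the report posted above.
SAMPLE_REPORT = r"""--- Report generated: 2006-05-03 09:42 ---

HotsearchBar: Temporary file (File, nothing done)
C:\Documents and Settings\Robert\Local Settings\Temp\nsw82.tmp

Smitfraud-C.: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-839522115-606747145-725345543-1003\WindowsSubVersion

Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

KillSec: System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\InitRegKey

KillSec: System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\InitRegKey

KillSec: System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\InitRegKey

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
"""

# "<product>: <category> (<kind>, <action>)" followed on the next line by the target.
HEADER_RE = re.compile(
    r"^(?P<product>.+?): (?P<category>.+?) \((?P<kind>[^,]+), (?P<action>[^)]+)\)$"
)
# ControlSet001 / ControlSet003 / CurrentControlSet are views of the same data.
CONTROLSET_RE = re.compile(r"\\(ControlSet\d{3}|CurrentControlSet)\\", re.IGNORECASE)


def parse_report(text):
    """Return one dict per detection: product, category, kind, action, target."""
    findings, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        match = HEADER_RE.match(line)
        if match:
            pending = match.groupdict()
            continue
        if pending is not None:        # the line after a header is its target
            pending["target"] = line
            findings.append(pending)
            pending = None
    return findings


def fold_controlset(target):
    """Collapse the numbered and Current control sets to one key path."""
    return CONTROLSET_RE.sub(r"\\ControlSet*\\", target)


def classify(findings):
    """Group findings by product and label each product's class."""
    by_product = defaultdict(lambda: {"kinds": set(), "targets": set()})
    for f in findings:
        entry = by_product[f["product"]]
        entry["kinds"].add(f["kind"])
        entry["targets"].add(fold_controlset(f["target"]))
    summary = {}
    for product, entry in by_product.items():
        if "File" in entry["kinds"]:
            cls = "file-backed"          # something on disk: treat as live
        elif "Registry change" in entry["kinds"]:
            cls = "setting-change"       # a setting flipped away from its default
        else:
            cls = "registry-only"        # orphaned keys/values, cleanup only
        summary[product] = {"class": cls, "kinds": sorted(entry["kinds"]),
                            "unique_targets": len(entry["targets"])}
    return summary


if __name__ == "__main__":
    for product, info in classify(parse_report(SAMPLE_REPORT)).items():
        print(f"{product}: {info['class']} ({info['unique_targets']} unique target(s))")
```

On the constructed excerpt KillSec comes out as registry-only with a single unique key once the control sets are folded, HotsearchBar as file-backed because a file in Robert's Temp folder is behind it, and the Security Center entry as a setting change. The file-backed and setting-change classes are the ones that deserve a second scan; the registry-only class is the cleanup the helper describes.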

CalamityJane
2006-05-04, 00:00
This user:

C:\Documents and Settings\Robert

Looks like this may be a new infection and not a recurrence of the old one.

Can you post a fresh HijackThis log?

Let's also do a scan with Ewido Antimalware and the SmitfraudFix again -
http://forums.spybot.info/showthread.php?t=4015
Post the logs from those as well please.

Fizzy
2006-05-04, 21:53
I did this HJT log while logged into the computer under my name, and not that of the other user 'Robert' - if that makes any difference?

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:37:18 AM, on 5/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145070034968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146497230453
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RQXCFD - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Fiona\LOCALS~1\Temp\RQXCFD.exe


Ewido:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:47:38 PM, 5/4/2006
+ Report-Checksum: 91F2E29E

+ Scan result:

C:\Documents and Settings\Robert\Cookies\robert@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Robert\Cookies\robert@counter2.hitslink[2].txt -> TrackingCookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Robert\Cookies\robert@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Robert\Cookies\robert@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Robert\Cookies\robert@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup


::Report End


I did not know what to run for the SmitFraudFix - there are many applications in the winzip file, can you clarify exactly which one I am meant to run?

Thanks again.

CalamityJane
2006-05-04, 22:15
The Smitfraud Fix instructions are on this page:
http://forums.spybot.info/showthread.php?t=4015

You'll need to have the other user log on and run through that page as well; it looks like the new infected file came in under the user "Robert", since it is in his TEMP folder. Does he have an Admin account or a limited user account?

The SmitfraudFix page removal instructions entail using SmitfraudFix, Ewido and spybot to scan. So do those steps under both users.
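To make the reasoning in the reply above concrete (an autostart binary living under a user's TEMP folder, or pointing at a file that no longer exists, is worth a second look), here is a small triage script that applies those two checks to HijackThis O4 and O23 lines. This is an added example from the editor, not code from the thread, from HijackThis, ewido or the Spybot team; the sample lines are copied from the logs posted in this thread, and the `Entry` class, `parse_line`, `triage` and `flagged` names, and the directory markers are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample HijackThis lines copied from the logs posted in this thread
# (constructed input for the example, not a live scan).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: RQXCFD - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Fiona\LOCALS~1\Temp\RQXCFD.exe
"""


@dataclass
class Entry:
    section: str                  # "O4" (Run key) or "O23" (service)
    name: str                     # Run-key value name or service display name
    vendor: str                   # O23 company string; empty for O4 lines
    path: str                     # path/command exactly as HJT printed it
    reasons: List[str] = field(default_factory=list)


# Lowercased path fragments that a legitimate service or Run entry should not contain.
TEMP_MARKERS = ("\\temp\\",)                                   # any ...\Temp\... component
PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\")  # user profile (XP layout)

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT O4 or O23 line; return None for any other line."""
    line = line.strip()
    if line.startswith("O23 - Service: "):
        body = line[len("O23 - Service: "):]
        # The path is always the last " - " separated field; the vendor field
        # itself may contain " - " (see the RQXCFD line), so split from the right.
        left, _, path = body.rpartition(" - ")
        name, _, vendor = left.partition(" - ")
        return Entry("O23", name, vendor, path)
    m = O4_RE.match(line)
    if m:
        return Entry("O4", m.group("name"), "", m.group("cmd"))
    return None


def triage(entry: Entry) -> Entry:
    """Attach human-readable reasons for suspicion to an entry (empty list = nothing odd)."""
    p = entry.path.lower()
    if p.endswith("(file missing)"):
        entry.reasons.append("binary missing: dangling autostart entry")
    if any(marker in p for marker in TEMP_MARKERS):
        entry.reasons.append("runs from a temporary directory")
    elif any(marker in p for marker in PROFILE_MARKERS):
        entry.reasons.append("runs from a user profile directory")
    if entry.section == "O23" and entry.vendor == "Unknown owner":
        entry.reasons.append("service has no publisher string")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse and triage every recognised O4/O23 line in an HJT log."""
    return [triage(e) for e in (parse_line(l) for l in text.splitlines()) if e]


def flagged(text: str) -> List[Entry]:
    """Only the entries that collected at least one reason."""
    return [e for e in triage_log(text) if e.reasons]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section} {e.name}: {'; '.join(e.reasons)}")
        print(f"    {e.path}")
```

On the sample above the script flags only the `nmraapache` service (binary missing, no publisher) and `RQXCFD` (launched from `LOCALS~1\Temp`); the NVIDIA service and both Run entries pass. The checks are deliberately about *where* a binary lives rather than what it is named, since a vendor string such as "Sysinternals" is free text that any installer can write.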

Fizzy
2006-05-05, 00:51
Under the other user, Robert, the following scan reports were done:

ewido:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:42:38 PM, 5/4/2006
+ Report-Checksum: C19DF0AE

+ Scan result:

C:\Documents and Settings\Fiona\Cookies\fiona@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Fiona\Cookies\fiona@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\t.inx -> Trojan.Small : Cleaned with backup
C:\WINDOWS\1.bak.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\ieredir.vir.exe -> Trojan.VB.aks : Cleaned with backup
C:\WINDOWS\preredir.bak.exe -> Downloader.VB.zu : Cleaned with backup
C:\WINDOWS\system32\directprt.sys -> Backdoor.Haxdoor.io : Cleaned with backup
C:\WINDOWS\system32\ib14.dll -> Logger.VB.mz : Cleaned with backup
C:\WINDOWS\system32\kernels8.bak.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\notifysb.dll.bak -> Not-A-Virus.Hoax.Win32.Renos.cp : Cleaned with backup

::Report End


HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:50:47 PM, on 5/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Robert\My Documents\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145070034968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146497230453
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RQXCFD - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Fiona\LOCALS~1\Temp\RQXCFD.exe

Fizzy
2006-05-05, 00:55
When I follow the instructions to run SmitFraud, I get a message:

process.exe file missing !
unzip all the archive in a folder

.........press any key to continue


and then it ends. I have saved the zip file on the desktop and it contains the process.exe file, but for some reason it is not working. Am I doing something wrong?

Fizzy
2006-05-05, 01:06
I also cleared all cookies, etc. under Internet Properties and then ran SB, and here is the report, before it fixed what it found:


--- Report generated: 2006-05-04 17:03 ---

Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-04-24 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-05-02 Includes\Cookies.sbi (*)
2006-05-02 Includes\Dialer.sbi (*)
2006-05-02 Includes\Hijackers.sbi (*)
2006-05-02 Includes\Keyloggers.sbi (*)
2006-05-02 Includes\Malware.sbi (*)
2006-05-02 Includes\PUPS.sbi (*)
2006-05-02 Includes\Revision.sbi (*)
2006-05-02 Includes\Security.sbi (*)
2006-05-02 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-05-02 Includes\Trojans.sbi (*)

Fizzy
2006-05-05, 01:09
Sorry CJ,

Realised what an idiot I was being, and have thus managed to run the smitfraud on user 'Rob':

SmitFraudFix v2.39

Scan done at 17:08:13.26, Thu 05/04/2006
Run from C:\Documents and Settings\Robert\My Documents\Desktop\SmitFraud
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\oleext.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Robert\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Robert\MYDOCU~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

I shall now do the same under my user name

Fizzy
2006-05-05, 01:13
OK, same scan but under my account:

SmitFraudFix v2.39

Scan done at 17:12:37.56, Thu 05/04/2006
Run from C:\Documents and Settings\Fiona\Desktop\SmitFraud
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\oleext.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Fiona\Application Data

C:\Documents and Settings\Fiona\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Fiona\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

CalamityJane
2006-05-05, 01:27
Robert's account is the main culprit, I think. It had a rootkit (HackerDefender) that Ewido found. But your account had Smitfraud as well. Do you have other users on that system?

If so, you need to run those tools under each user.

And then let me know if there are any problems being found after cleaning and which account or tool they are under.

Is Robert's account an Admin Account?

Fizzy
2006-05-05, 02:22
The two accounts are both set up as admin accounts. I did a S&D scan on my account earlier on and it is the first time that it hasn't come up with anything, so I am getting closer to nailing this.

So, all scanning is done, what do you suggest I do now?

CalamityJane
2006-05-05, 02:32
No problems on Robert's account?

If both accounts are coming up clean with all those scans...just monitor and let me know if anything comes up in the next few days. We can leave this thread open :)

Fizzy
2006-05-05, 02:42
Thanks, I shall be out of PC range for the weekend but shall check the status of things on Tuesday - keeping this thread open until then would be great.

Thanks for all the help up until now.

CalamityJane
2006-05-07, 01:29
Ok, Fizzy. We'll be here :)

LonnyRJones
2006-05-14, 15:42
How's that PC?

tashi
2006-05-19, 06:16
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Applies only to the original topic starter.

Thank you CalamityJane.