
Please review my logs Rapptor Ewido HJT



kpjjtran
2006-04-27, 23:33
Hi,
I followed Tashi's instructions to download and scan my PC.
Please review and let me know whether my PC is clean or not. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 11:36:15 AM, on 4/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Belarc\BELMON~1\BANTMonitorSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\cygwin\bin\cygrunsrv.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Java\j2re1.4.2_11\bin\javaw.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\cygwin\bin\exim-4.60-1.exe
C:\cygwin\bin\cygrunsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\cygwin\usr\sbin\sshd.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: (no name) - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BelNotify] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Belarc\Advisor\System\NPBelv32.dll,RunDll32_BelNotify
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra button: IEWatch - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Program Files\IEWatch\IEWatch.dll
O9 - Extra 'Tools' menuitem: IEWatch - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Program Files\IEWatch\IEWatch.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143628428906
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nih.gov
O17 - HKLM\Software\..\Telephony: DomainName = CIT.NIH.GOV
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nih.gov
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = net.nih.gov,cit.nih.gov,nih.gov
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = net.nih.gov,cit.nih.gov,nih.gov
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BelMonitor Service (BelMonitorService) - Belarc, Inc. - C:\PROGRA~1\Belarc\BELMON~1\BANTMonitorSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Exim (exim) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

SmitFraudFix v2.34

Scan done at 11:23:18.17, Thu 04/27/2006
Run from C:\downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\Program Files\Security Toolbar\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:50:06 AM, 4/27/2006
+ Report-Checksum: 64C66BC6

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{736b5468-bdad-41be-92d0-22ae2ddf7bcb} -> Adware.Generic : Cleaned with backup
:mozilla.7:C:\Documents and Settings\ktran\Application Data\Mozilla\Profiles\default\b0c5n6ty.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.8:C:\Documents and Settings\ktran\Application Data\Mozilla\Profiles\default\b0c5n6ty.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.9:C:\Documents and Settings\ktran\Application Data\Mozilla\Profiles\default\b0c5n6ty.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.15:C:\Documents and Settings\ktran\Application Data\Mozilla\Profiles\default\b0c5n6ty.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\ktran\Application Data\Mozilla\Profiles\default\b0c5n6ty.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\ktran\Application Data\Mozilla\Profiles\default\b0c5n6ty.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\ktran\Application Data\Mozilla\Profiles\default\b0c5n6ty.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\ktran\Application Data\Mozilla\Profiles\default\b0c5n6ty.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\ktran\Application Data\Mozilla\Profiles\default\b0c5n6ty.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\ktran\Application Data\Mozilla\Profiles\default\b0c5n6ty.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\ktran\Application Data\Mozilla\Profiles\default\b0c5n6ty.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\ktran\Application Data\Mozilla\Profiles\default\b0c5n6ty.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.24:C:\Documents and Settings\ktran\Application Data\Mozilla\Profiles\default\b0c5n6ty.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.27:C:\Documents and Settings\ktran\Application Data\Mozilla\Profiles\default\b0c5n6ty.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.9:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Firefox\Profiles\w7jbmgvl.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.10:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Firefox\Profiles\w7jbmgvl.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.11:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Firefox\Profiles\w7jbmgvl.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.12:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Firefox\Profiles\w7jbmgvl.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.13:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Firefox\Profiles\w7jbmgvl.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.14:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Firefox\Profiles\w7jbmgvl.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.15:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Firefox\Profiles\w7jbmgvl.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.17:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Firefox\Profiles\w7jbmgvl.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.18:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Firefox\Profiles\w7jbmgvl.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.9:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Profiles\default\f0pva93q.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Profiles\default\f0pva93q.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Profiles\default\f0pva93q.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Profiles\default\f0pva93q.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Profiles\default\f0pva93q.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.14:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Profiles\default\f0pva93q.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.17:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Profiles\default\f0pva93q.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Profiles\default\f0pva93q.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Profiles\default\f0pva93q.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Profiles\default\f0pva93q.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.22:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Profiles\default\f0pva93q.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Profiles\default\f0pva93q.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.24:C:\Documents and Settings\ktran.NIH\Application Data\Mozilla\Profiles\default\f0pva93q.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.26:C:\Documents and Settings\ktran.NIH\Application Data\Netscape\NSAE\Profiles\nqtp8uv5.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.27:C:\Documents and Settings\ktran.NIH\Application Data\Netscape\NSAE\Profiles\nqtp8uv5.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.28:C:\Documents and Settings\ktran.NIH\Application Data\Netscape\NSAE\Profiles\nqtp8uv5.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.44:C:\Documents and Settings\ktran.NIH\Application Data\Netscape\NSAE\Profiles\nqtp8uv5.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.48:C:\Documents and Settings\ktran.NIH\Application Data\Netscape\NSAE\Profiles\nqtp8uv5.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.49:C:\Documents and Settings\ktran.NIH\Application Data\Netscape\NSAE\Profiles\nqtp8uv5.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.50:C:\Documents and Settings\ktran.NIH\Application Data\Netscape\NSAE\Profiles\nqtp8uv5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.51:C:\Documents and Settings\ktran.NIH\Application Data\Netscape\NSAE\Profiles\nqtp8uv5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.52:C:\Documents and Settings\ktran.NIH\Application Data\Netscape\NSAE\Profiles\nqtp8uv5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.61:C:\Documents and Settings\ktran.NIH\Application Data\Netscape\NSAE\Profiles\nqtp8uv5.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.63:C:\Documents and Settings\ktran.NIH\Application Data\Netscape\NSAE\Profiles\nqtp8uv5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.64:C:\Documents and Settings\ktran.NIH\Application Data\Netscape\NSAE\Profiles\nqtp8uv5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\ktran.NIH\Cookies\ktran@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\Documents and Settings\ktran.NIH\Cookies\ktran@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\ktran.NIH\Cookies\ktran@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\ktran.NIH\Cookies\ktran@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\ktran.NIH\Cookies\ktran@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\ktran.NIH\Cookies\ktran@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\ktran.NIH\Cookies\ktran@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\ktran.NIH\Cookies\ktran@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\ktran.NIH\Local Settings\Temp\Cookies\ktran@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\ktran.NIH\Local Settings\Temp\Cookies\ktran@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\ktran.NIH\Local Settings\Temp\Cookies\ktran@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\WINDOWS\system32\dfrgsrv.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\ld11AC.tmp -> Downloader.Zlob.lu : Cleaned with backup
C:\WINDOWS\system32\xenadot.dll.vir -> Trojan.Fakealert : Cleaned with backup


::Report End

kpjjtran
2006-04-29, 23:11
Hi,

Please someone review my logs.
My IE browser always says "auto:blank" after I change it to another URL.
I believe my PC is infected.
Thanks in advance.

LonnyRJones
2006-05-03, 01:22
Hi
Download and run Silentrunners.Vbs and post the log it creates, please:
http://www.silentrunners.org/sr_scriptuse.html (click No so as not to skip the supplementary searches).
Wait until there is an "All Done" message!! Then open and post the log next to it.
Your antivirus script protection might interfere or alert; please allow it to run. After a bit, a box will say done.

kpjjtran
2006-05-05, 04:53
Thank you for your help. Here is the result of Silent Runners.

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"dcomcfg.exe" = "dcomcfg.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BCMSMMSG" = "BCMSMMSG.exe" ["Broadcom Corporation"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"DVDLauncher" = ""C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."]
"SigmaTel StacMon" = "C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" ["SigmaTel Inc."]
"ACUMon" = ""C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a" ["Cisco Systems, Inc."]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"BelNotify" = "C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Belarc\Advisor\System\NPBelv32.dll,RunDll32_BelNotify" [MS]
"UserFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -u" [MS]
"HP Software Update" = ""c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"" ["Hewlett-Packard Company"]
"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe" [null data]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"ShStatEXE" = ""C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."]
"McAfeeUpdaterUI" = ""C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey" ["Network Associates, Inc."]
"Network Associates Error Reporting Service" = ""C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"" ["Network Associates, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" [file not found]
"{DB8DC413-C0AA-11D0-9545-080009B1C2F3}" = "Hummingbird Neighborhood"
-> {HKLM...CLSID} = "Hummingbird Neighborhood"
\InProcServer32\(Default) = "C:\Program Files\Hummingbird\Connectivity\7.10\HostExplorer\Ftp\heshell.dll" ["Hummingbird Ltd."]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {HKLM...CLSID} = "ImageExtractorShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {HKLM...CLSID} = "CInfoTipShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{CCA60260-A2C9-11D2-BA62-0020188191B2}" = "Registrar Registry Manager SHell Extension"
-> {HKLM...CLSID} = "Registrar Registry Manager SHell Extension"
\InProcServer32\(Default) = "rrShellX.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "GinaDLL" = "CSGina.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "ktran" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Cisco Systems VPN Client" -> shortcut to: "C:\Program Files\Cisco Systems\VPN Client\vpngui.exe "-user_logon"" ["Cisco Systems, Inc."]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"HP Image Zone Fast Start" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe -s" [null data]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing LP"]


Enabled Scheduled Tasks:
------------------------

"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" [file not found]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{E69657FF-19AC-4849-BF35-91243EEF1687}\(Default) = "&IEWatch"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\Program Files\IEWatch\IEWatch.dll" ["IEWatch Software LLC"]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{78E5BB46-9A20-402F-BA66-B5634D177D77}\
"ButtonText" = "IEWatch"
"MenuText" = "IEWatch"

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
BelMonitor Service, BelMonitorService, "C:\PROGRA~1\Belarc\BELMON~1\BANTMonitorSvc.exe" ["Belarc, Inc."]
Cisco Systems, Inc. VPN Service, CVPND, ""C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
CYGWIN sshd, sshd, "C:\cygwin\bin\cygrunsrv.exe" [null data]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
Exim, exim, "C:\cygwin\bin\cygrunsrv.exe" [null data]
Hummingbird Inetd, HCLInetd, "C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe" ["Hummingbird Ltd."]
Hummingbird Jconfig Daemon, Jconfigd, "C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe" ["Hummingbird Ltd."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
McAfee Framework Service, McAfeeFramework, "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart" ["Network Associates, Inc."]
Network Associates McShield, McShield, ""C:\Program Files\Network Associates\VirusScan\Mcshield.exe"" ["Network Associates, Inc."]
Network Associates Task Manager, McTaskManager, ""C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe"" ["Network Associates, Inc."]
WLTRYSVC, WLTRYSVC, "C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe" [null data]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
HCL LPR Monitor\Driver = "C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Accessories\hcllpr.dll" ["Hummingbird Ltd."]
hpzsnt10\Driver = "hpzsnt10.dll" ["HP"]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 94 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 10 seconds.
---------- (total run time: 127 seconds)

LonnyRJones
2006-05-05, 06:14
I'm not seeing anything other than this leftover:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"dcomcfg.exe" = "dcomcfg.exe" [file not found]
If you're familiar with regedit, delete that particular dcomcfg.exe value.

Are there any contents to that about:blank page, any other symptoms?

Post a report from a Kaspersky online scan
Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click Scan settings and place a check next to [x] use extended database, etc. Click OK.
Then choose My Computer: scan all your hard drives and mapped disks.
When finished, click Save as text and post that in your reply.

Also re-download SmitFraudFix (it's updated frequently) and run option 1; post the log if any files are found.

kpjjtran
2006-05-07, 01:04
Thank you for checking my log.
Yes, my PC is infected with about:blank. I tried many different ways to fix it, but unsuccessfully.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, May 06, 2006 6:00:35 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 6/05/2006
Kaspersky Anti-Virus database records: 191998
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 66299
Number of viruses found: 9
Number of infected objects: 22
Number of suspicious objects: 0
Duration of the scan process: 01:34:57

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\ktran.NIH\.housecall\Quarantine\ldE580.tmp.bac_a03392 Infected: Trojan-Downloader.Win32.Zlob.lu skipped
C:\Documents and Settings\ktran.NIH\.housecall\Quarantine\ldE580.tmp.bac_a03632 Infected: Trojan-Downloader.Win32.Zlob.lu skipped
C:\Program Files\Deerfield.com\DNS2Go\vncsetup.exe/data0001 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\Program Files\Deerfield.com\DNS2Go\vncsetup.exe Inno: infected - 1 skipped
C:\Program Files\Netscape\Netscape Browser\NSUninst.exe/data0003 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\Netscape\Netscape Browser\NSUninst.exe NSIS: infected - 1 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\System Volume Information\_restore{2A1889AF-7858-479A-B0BC-4BF507AB5A72}\RP115\A0026149.exe/data0003 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{2A1889AF-7858-479A-B0BC-4BF507AB5A72}\RP115\A0026149.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{2A1889AF-7858-479A-B0BC-4BF507AB5A72}\RP119\A0029648.exe/WISE0019.BIN/data0001 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\System Volume Information\_restore{2A1889AF-7858-479A-B0BC-4BF507AB5A72}\RP119\A0029648.exe/WISE0019.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\System Volume Information\_restore{2A1889AF-7858-479A-B0BC-4BF507AB5A72}\RP119\A0029648.exe WiseSFX: infected - 2 skipped
C:\System Volume Information\_restore{2A1889AF-7858-479A-B0BC-4BF507AB5A72}\RP120\A0031913.exe Infected: Trojan-Downloader.Win32.Zlob.mj skipped
C:\System Volume Information\_restore{2A1889AF-7858-479A-B0BC-4BF507AB5A72}\RP120\A0032031.exe Infected: Trojan-Downloader.Win32.Zlob.mk skipped
C:\System Volume Information\_restore{2A1889AF-7858-479A-B0BC-4BF507AB5A72}\RP120\A0032034.exe Infected: Trojan-Downloader.Win32.Zlob.mj skipped
C:\System Volume Information\_restore{2A1889AF-7858-479A-B0BC-4BF507AB5A72}\RP120\A0032035.dll Infected: not-a-virus:AdWare.Win32.Agent.u skipped
C:\System Volume Information\_restore{2A1889AF-7858-479A-B0BC-4BF507AB5A72}\RP120\A0032048.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{2A1889AF-7858-479A-B0BC-4BF507AB5A72}\RP120\A0032048.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{2A1889AF-7858-479A-B0BC-4BF507AB5A72}\RP120\A0032048.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{2A1889AF-7858-479A-B0BC-4BF507AB5A72}\RP120\A0032056.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\System Volume Information\_restore{2A1889AF-7858-479A-B0BC-4BF507AB5A72}\RP120\A0032062.exe Infected: Trojan-Downloader.Win32.Zlob.lv skipped
C:\System Volume Information\_restore{2A1889AF-7858-479A-B0BC-4BF507AB5A72}\RP122\A0033193.exe Infected: Trojan-Downloader.Win32.Zlob.mo skipped

Scan process completed.

LonnyRJones
2006-05-07, 02:57
Are there any contents to that about:blank page, any other symptoms?
Also re-download SmitFraudFix (it's updated frequently) and run option 1; post the log if any files are found.

We need more information

kpjjtran
2006-05-08, 06:16
Thank you for helping.
Yes, about:blank is still in IE. I tried to fix it, unsuccessfully.


SmitFraudFix v2.40

Scan done at 23:13:33.79, Sun 05/07/2006
Run from C:\downloads\smitfraudfix2\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\stdole3.tlb FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ktran\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ktran\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

LonnyRJones
2006-05-08, 10:43
Well, not much there, but go ahead and run option two again.

Post another new HijackThis log, although I'm not seeing (by your limited description) what is causing an about:blank page.

tashi
2006-05-13, 17:00
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened, please send me or your helper a PM and provide a link to the thread.

Applies only to the original topic starter.