View Full Version : Brave Sentry troubles
nameless_one
2006-08-06, 09:09
Hi.
Have the Spyware infestation - need to get rid of it (obviously).
I'm not very good with this stuff so please try to explain everything as simply as possible.
I'm aware that you don't ever click on the fake 'you've got spyware' windows that pop up when you're browsing, but when I started up the computer & saw the Brave Sentry 'desktop ad', I fell for the 'Windows warning' (little yellow box that pops up from the taskbar) telling me to 'click here'. Then it installed the Brave Sentry program on the system.
** (I'm not sure whether this makes any difference, that's all)
As of right now I've gotten rid of the stupid background (a friend recommended that I use 'Ad-Aware SE Personal'), but that was before I found this site, so I haven't done any of the other things this site suggests, and wasn't sure what to do since I've already used this first.
* And using Ad-Aware has gotten rid of the false desktop, but not the Brave Sentry detection program itself, or the 3 or 4 different kinds of pop-ups it seems to cause.
------------------------
I've downloaded 'Hijack-This' as your site recommends and run it only to get the log, nothing else.
The log follows:
Logfile of HijackThis v1.99.1
Scan saved at 2:04:59 PM, on 6/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Winamp\Winampa.exe
E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\RegKillTray.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Google\Google Talk\googletalk.exe
C:\Windows\xpupdate.exe
E:\Program Files\Microsoft Office\Office\OSA.EXE
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Hijackthis\HijackThis.exe
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {80BF288A-CD76-B0CB-7719-E088AB83C423} - E:\WINDOWS\vkikq1.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ati control panel] atiphexx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [nyrq1.exe] E:\WINDOWS\TEMP\nyrq1.exe
O4 - HKLM\..\RunServices: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [googletalk] "E:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = E:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
------------------------------------------------------------------------
Any help you can give will be greatly appreciated, and once again, I'm not very good with this stuff so please try to explain everything as simply as possible.
Thanks,
Nameless One
pskelley
2006-08-07, 01:04
G'Day and welcome to the forum. Before we start, your system security has been severely compromised. I need to make you aware of what has occurred so you can take steps to protect yourself.
Here is what you are up against: http://www.sophos.com/security/analyses/w32rbotor.html
http://www.sophos.com/virusinfo/analyses/trojbravea.html
Review all information under all tabs. The rest of the junk does not identify itself.
__________________________________________________________
The way you were infected smacks of Smitfraud, but I see no signs of it. I would still like a look to be sure.
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)
That report will tell us if Smitfraud is present.
___________________________________________________________
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
3) Start > Control Panel > Add Remove programs and uninstall Brave Sentry if there. Uninstall any other program you know does not belong there. If you are unsure, let me know and I will look.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {80BF288A-CD76-B0CB-7719-E088AB83C423} - E:\WINDOWS\vkikq1.dll (file missing)
O4 - HKLM\..\Run: [ati control panel] atiphexx.exe
O4 - HKLM\..\Run: [nyrq1.exe] E:\WINDOWS\TEMP\nyrq1.exe
O4 - HKLM\..\RunServices: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: C:\Program Files\BraveSentry\BraveSentry.exe
Close all programs but HJT and all browser windows, then click on "Fix Checked"
RIGHT Click on Start then click on Explore. Locate and delete these items:
(some files may be gone, but search to be sure, do not miss any)
atiphexx.exe <<< delete this file (may be in the C\Windows\System32\ folder?)
E:\WINDOWS\TEMP\<<< delete the complete contents of that TEMP folder (not the folder)
C:\Windows\xpupdate.exe <<< delete this file
C:\Program Files\BraveSentry\ <<< delete this folder
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post a new HJT log along with any comments you think will help.
Cheers...pskelley
Safer Networking Forums
Your Java program is out of date, see this information: http://forums.spybot.info/showpost.php?p=12880&postcount=2
E:\Program Files\Java\jre1.5.0_01\ <<< out of date
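As an added example (not from the thread, HijackThis or the helper), here is a small Python script that applies to the O4 autostart lines the kinds of checks the helper made by eye: an image launched from a TEMP folder, an image on a drive other than the one Windows runs from (C:\ here, while Windows is E:\WINDOWS), one bare filename registered under several autostart keys, and the rogue product name from this thread. The rules are my own heuristics, and the log excerpt is constructed from the first log above; bare filenames that trigger no rule are marked "verify", since, as with atiphexx.exe, they need a lookup before they can be judged.

```python
r"""Triage HijackThis O4 (autostart) lines with heuristics drawn from this thread.

Heuristics (author's own, not HijackThis logic):
  * image launched from a TEMP folder              (nyrq1.exe in the log)
  * image on a drive other than the Windows drive  (C:\ when Windows is E:\WINDOWS)
  * one bare filename registered under several autostart keys (atiphexx.exe)
  * a rogue anti-spyware name seen in the thread   (BraveSentry)
Bare filenames with no finding are marked "verify": they need a lookup, as the
helper did for atiphexx.exe.
"""
import re
from collections import Counter

# Constructed excerpt modelled on the first HJT log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\Explorer.EXE
C:\Windows\xpupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ati control panel] atiphexx.exe
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [nyrq1.exe] E:\WINDOWS\TEMP\nyrq1.exe
O4 - HKLM\..\RunServices: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
SMSS_RE = re.compile(r"^([A-Za-z]):\\WINDOWS\\System32\\smss\.exe$", re.IGNORECASE)
IMAGE_RE = re.compile(r"(.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=\s|,|$)", re.IGNORECASE)

KNOWN_BARE = {"rundll32.exe"}      # Windows binaries normally written without a path
ROGUE_NAMES = ("bravesentry",)     # rogue anti-spyware product named in this thread


def image_path(cmd: str) -> str:
    """Program a Run value launches: the quoted path, else the first token ending in an executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def system_drive(lines) -> str:
    """Drive letter Windows runs from, read off the smss.exe path under 'Running processes'."""
    for line in lines:
        m = SMSS_RE.match(line.strip())
        if m:
            return m.group(1).upper()
    return "C"  # Windows default when no process list is present


def parse_o4(lines):
    """Split each O4 line into hive, key, value name and launched image."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            entries.append({"hive": hive, "key": key, "name": name,
                            "image": image_path(cmd), "line": line.strip()})
    return entries


def triage(lines):
    """Attach a severity ('suspicious', 'verify' or 'ok') and reasons to every O4 entry."""
    drive = system_drive(lines)
    entries = parse_o4(lines)
    seen = Counter(e["image"].lower() for e in entries)  # same image under several keys?
    for e in entries:
        image, low = e["image"], e["image"].lower()
        bare = "\\" not in image
        reasons = []
        if "\\temp\\" in low:
            reasons.append("launched from a TEMP folder")
        if any(r in low or r in e["name"].lower() for r in ROGUE_NAMES):
            reasons.append("name of a known rogue anti-spyware product")
        if re.match(r"^[A-Za-z]:\\", image) and image[0].upper() != drive:
            reasons.append(f"lives on {image[0].upper()}: but Windows runs from {drive}:")
        if bare and seen[low] > 1:
            reasons.append(f"bare filename registered under {seen[low]} autostart keys")
        if reasons:
            e["severity"] = "suspicious"
        elif bare and low not in KNOWN_BARE:
            e["severity"] = "verify"  # location unknown; look the filename up
        else:
            e["severity"] = "ok"
        e["reasons"] = reasons
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG.strip().splitlines()):
        print(f"{e['severity']:<10} {e['hive']}\\{e['key']:<12} [{e['name']}] {e['image']}  "
              f"{'; '.join(e['reasons'])}")
```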
nameless_one
2006-08-09, 03:47
Hi.
First of all, thanks for responding, much appreciated. :bigthumb:
Ok, I've downloaded SmitfraudFix and done the search like you said (did it from a normal startup - not safemode)
here is the result:
SmitFraudFix v2.81
Scan done at 8:40:08.46, Wed 09/08/2006
Run from E:\Documents and Settings\Dave\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» E:\
»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32
E:\WINDOWS\system32\st3.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\Dave\Application Data
E:\Documents and Settings\Dave\Application Data\Install.dat FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
E:\DOCUME~1\Dave\STARTM~1\Programs\BraveSentry FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» E:\DOCUME~1\Dave\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» E:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Ok, that's it.
Will wait for a reply before I proceed with the rest of your instructions.
Thanks,
Nameless_One
nameless_one
2006-08-09, 03:53
oh, forgot to ask.
Can I still use the internet for basic things like checking emails at the moment, or am I better off waiting until we've fixed this?
pskelley
2006-08-09, 04:34
My intentions were for you to complete all of the instructions, please continue with them and post that HJT log I requested.
Restart the computer and post a new HJT log along with any comments you think will help.
SmitfraudFix did locate the infection, use this link for instructions, you already have the tool.
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click smitfraudfix.cmd
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
Post the C:\rapport.txt
You can send and receive email, just do not open any attachments, even if you know the person.
Thanks
nameless_one
2006-08-13, 06:46
Hi.
I'm up to 'run ATF Cleaner' in the instructions in your first post to me.
I've done everything except delete 'atiphexx.exe' through explorer (all the red text you've written above run ATF Cleaner).
I've already deleted the atiphexx.exe entry in Hijackthis, but when I did a search for atiphexx.exe, it shows 2 entries. 1 is in windows/system32 like you thought, the other is in 'E:\Program Files\ATI Technologies\ATI Control Panel'.
Seeing as I have an ATI graphics card and a control panel in the taskbar, I thought I'd double-check with you just in case.
Please post quick reply as I'd like to finish the rest of your first list of instructions before this afternoon if possible :bigthumb:
Thanks,
Nameless
pskelley
2006-08-13, 13:20
Please see this: http://www.bleepingcomputer.com/startups/atiphexx.exe-9865.html
http://www.sophos.com/security/analyses/w32agobotnv.html
This worm will move itself into the Windows System32 folder under the filename ATIPHEXX.EXE and may create the following registry entries so that it can execute automatically on system restart:
Of course ATI is your sound card, if you will take the time to read the information in the Sophos link you will better understand how this worm infected you. According to the information I find, it will be in the System 32 folder. HJT may remove it before you look for it. If your recycle bin has not been bypassed, and the file is there, it will be moved to the bin and you can let it sit there for a couple of days before you delete it permanently. Here are free online scans if you want a confirmation of the fact the file is malware:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
Leave this program alone: 'E:\Program Files\ATI Technologies\ATI Control Panel
Thanks
nameless_one
2006-08-15, 13:32
Ok.
I've finished everything in your 1st post (deleted 'atiphexx.exe' <both>, run 'ATF Cleaner' and updated Java)
HJT Log follows:
Logfile of HijackThis v1.99.1
Scan saved at 6:30:58 PM, on 15/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Winamp\Winampa.exe
E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\RegKillTray.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Google\Google Talk\googletalk.exe
E:\Program Files\Microsoft Office\Office\OSA.EXE
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\WINDOWS\System32\wuauclt.exe
E:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\Program Files\Hijackthis\HijackThis.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [RegKillElbyCheck] "E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [googletalk] "E:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = E:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
----------------------
Ok.
Now that that's done, I go through the stuff in your 2nd post, right?
(using Smitfraudfix)
Thanks.
pskelley
2006-08-15, 15:05
Ok. Now that that's done, I go through the stuff in your 2nd post, right?
(using Smitfraudfix)
If you have not followed the instructions to run SmitfraudFix on this date: 2006-08-08, 21:34 Please do so, post the C:\rapport.txt
and a new HJT log. Let me know how the computer is running. You understand I responded to your post on 8/6/2006 and today is 8/15/2006. This is taking way too long, you need to stay after this.
Thanks
nameless_one
2006-08-16, 14:58
Hi.
Yeah, tell me about it. I know it's taking too long. There are other factors, but the one that's my fault is that I'm addicted to SW Empire at War at the moment which I play on my brother's pc during the day, but have to be off by 5:00pm so he can use it. (have massive game addiction unfortunately, something to do with OCD). (Sorry, didn't finish explaining, but it's more important to just get on with this, right?)
Anyways, I downloaded & installed the Java update that the post you linked me to recommended. ("JRE 5.0 Update 8"). I thought it would just update the one I already had ("JRE 5.0 Update 1"), but when I went to add/remove in control panel, they were both there:
["JRE 5.0 Update 1" (115mb?) AND "JRE 5.0 Update 8" (127mb)]
So after installing "JRE 5.0 Update 8" and restarting pc, then opening browser (Firefox) and doing the install verification thingy,
I 'removed' "JRE 5.0 Update 1".
-------------------------------------------------------------------------
Now, I've just done the Smitfraudfix, and here is the 'e:\rapport.txt':
SmitFraudFix v2.81
Scan done at 18:38:51.54, Wed 16/08/2006
Run from E:\Documents and Settings\Dave\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
E:\WINDOWS\system32\st3.dll Deleted
E:\Documents and Settings\Dave\Application Data\Install.dat Deleted
E:\DOCUME~1\Dave\STARTM~1\Programs\BraveSentry Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
------------------------------------------------------------
And here is a new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 7:43:13 PM, on 16/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\Program Files\Winamp\Winampa.exe
E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\RegKillTray.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Google\Google Talk\googletalk.exe
E:\Program Files\Microsoft Office\Office\OSA.EXE
E:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Hijackthis\HijackThis.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [RegKillElbyCheck] "E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [googletalk] "E:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = E:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
------------------------------------------------------------
Now, one problem I noticed while I was doing the Smitfraudfix in safemode (and the problem is nothing new, I'll clear that up now).
After I typed '2' & 'enter' to delete the infected files, it was about halfway through when it brought up the standard 'Windows Disk Cleanup' [ie: right-click on C:\ in 'My Computer', click properties, click 'disk cleanup' and it'll go through and tally everything up and then give you a total of how much space you'll free up by doing the Cleanup]
*** Now, the 'Disk Cleanup' aside, the Smitfraudfix went smoothly and finished without a problem, so I'll clear that up. The problem continues below:
<* I know this is normal, but my problem is that you wait several minutes, and the Disk Cleanup 'calculating' never progresses beyond '4 bars'.
It's been like this since 2 or 3 weeks after getting the computer.
I've had the same problem on the older pc in my room ever since installing Windows XP and I've tried the Disk Cleanup on that one and left it for 2 or 3 hours and it still hasn't progressed beyond '4 bars' - and this is just calculating, it hasn't even started cleaning up yet!>
* I'm assuming it's not virus-related or anything, but it's something I'd like to sort out without re-formatting, if possible. I was just wondering if you'd ever heard of it or had any ideas.
Sorry for the rambling and Please let me know if I've left anything out.
PS. I would like to talk about protecting my pc, but I want to sort this out first, so I'll wait for your reply to this, then ask you about the virus checkers & the like (it'll be less confusing if it's in a separate post).
Thanks
pskelley
2006-08-16, 16:43
First let me say the HJT log is clean and showing no malware, let me give you my closing information, it may well answer all of your questions except the ones about disk cleanup.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
I see you are running an old version of ewido. I would uninstall that. The decision as to downloading the new version 4.0 is up to you. The above instructions would also apply to the new version.
Here is the google on your Disk Cleanup issue:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=Disk+Cleanup+troubleshooting
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=Disk+Cleanup+freezes
I'll ask tashi:) not to close your topic for a few days in case you have additional questions.
Thanks...phil
nameless_one
2006-08-21, 12:29
Hi.
Thanks for your reply and all your help so far.
I'm still going through all the links you've given me (I've only started today, haven't used the pc at all except for email.).
It was good to see that I'm not the only one with the disk-cleanup problem.:D:
The only problem I've found is that Firefox now has a problem every now & then & it will say it has an error and shut down Firefox.
I didn't write down the message but I'll copy it down as soon as it happens again. All I was doing was going through my hotmail account and checking messages I couldn't look at while I was fixing the pc. Some of them have attachments, but they consist only of one or two jpegs (I never open anything but image files from emails) and I've never had a problem with them before.
I think it might have something to do with me updating Java.
* I downloaded & installed the Java update that the post you linked me to recommended. ("JRE 5.0 Update 8").
I thought it would just update the one I already had ("JRE 5.0 Update 1"),
but when I went to add/remove in control panel, they were both there:
["JRE 5.0 Update 1" (115mb?) AND "JRE 5.0 Update 8" (127mb)]
So after installing "JRE 5.0 Update 8" and restarting pc, then opening browser (Firefox) and doing the install verification thingy,
I 'removed' "JRE 5.0 Update 1".
I'm not sure if this could be the reason.
Would you like me to post a new HJT log?
Thanks
pskelley
2006-08-21, 13:25
Looking at the information you posted, I have been seeing Internet Explorer doing that because of a bad Microsoft patch in the last batch that they are going to correct next month, but I have not heard of it happening in Firefox. Is your version of Firefox up to date?
http://netsquirrel.com/movies/firefox/update_firefox/movie.htm
If you google that exact error message (word for word) chances are you will get your answer.
I would not open an attachment in hotmail I was not 100% sure of, have hotmail scan that attachment to make sure it is safe, that is good policy with all attachments. This applies even if you know who the email is coming from. If a friend who has you in their address book gets an infection, you can get email in an attempt to infect you also.
Thanks to rstones12 with help from Michelle, here is information about updating Java.
Updating Java and Clearing Cache
Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
It will say "Java Plug-in" under the icon.
Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
If you are unable to update you can manually update by going here:
http://www.java.com/en/download/manual.jsp (http://www.java.com/en/download/manual.jsp)
After the reboot, go back into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked
Downloaded Applets
Downloaded Applications
Other Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.
Here are a couple of troubleshooting forums that may be able to help:
http://forums.tomcoyote.org/index.php?showforum=83
http://www.bleepingcomputer.com/forums/forum56.html
http://pcpitstop.com/ <<< diagnostic
Thanks
pskelley
2006-08-25, 22:00
Safe surfing to you, I will ask tashi:) to close this topic when she can get to it.
Thanks
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.
Applies only to the original topic starter.