PDA

View Full Version : Smitfraud-C



Piink
2006-08-25, 06:18
I think I'm in the right spot.. I followed the directions step-by-step here (http://forums.spybot.info/showthread.php?t=4015). So here goes...


SmitFraudFix v2.81

Scan done at 20:55:57.87, 08/24/2006
Run from C:\Documents and Settings\Will\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}"="Replay for WindowsXP"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\web.exe Deleted
C:\WINDOWS\system32\wp.bmp Deleted
C:\DOCUME~1\Will\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

HKLM\SOFTWARE\SHUDDERLTD Deleted

HKLM\SOFTWARE\PSGuard.com Deleted

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Piink
2006-08-25, 06:18
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:37:14 PM, 08/24/2006
+ Report-Checksum: 88195341

+ Scan result:

:mozilla.28:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\rjrbycj3.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup


::Report End

Piink
2006-08-25, 06:19
Logfile of HijackThis v1.99.1
Scan saved at 11:05:08 PM, on 08/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Oleansoft\Hcc\Hcc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Netopia\C3kWEPn.exe
C:\WINDOWS\notepad.exe
C:\Program Files\AIM05\aim.exe
C:\PROGRA~1\PicoZip\PicoZipTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Will\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = "Wink Dinkerson"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HCClient] C:\Program Files\Oleansoft\Hcc\Hcc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [C2kWep] C:\Program Files\Netopia\C3kWEPn.exe
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM05\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PicoZip] C:\PROGRA~1\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM05\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://streak.fimc.net:8000/Java/cfs31235.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {060239F1-8B5B-4F2B-814C-28F92FDCE231} (MortgageReportsLOS2.FileRetriever) - https://www.mortgagereports.net/secured/activex/los/MortgageReportsLOS2.CAB
O16 - DPF: {08952575-918C-2D96-91EC-433D76D7EAC6} - http://66.246.197.126/1/gdnUS2218.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab_adult/180solutions/ie/bridge-c24.cab
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelprocessing.com/SafeCommon/downloads/WalletCab.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121469675768
O16 - DPF: {6B78B13A-6E99-4588-8EAB-C2399B202022} -
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} -
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_204/webolr/OCX/FlashAX.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.microsoft.com/controls/iptdweb/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{615E40FF-41F1-43AB-9D81-8E91BBC55225}: NameServer = 192.168.1.254
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\System32\PGPsdkServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Piink
2006-08-25, 07:44
Also, I now realize my boyfriend didn't have his HJT in a permanent folder, he already had it installed when I was going through all of the pages (I saw on another page it needs it's OWN folder) If that is an issue, I can reinstall it!


From the Panda Scan::


Incident Status Location

Adware:adware/cashsaver Not disinfected c:\windows\system32\CSUninstall.exe
Hacktool:hacktool/rootkit.d Not disinfected c:\windows\system32\klo5.sys
Adware:adware/cws.searchmeup Not disinfected c:\windows\system32\newdial1.exe
Spyware:spyware/iehelp Not disinfected c:\windows\downloaded program files\ipreg32.inf
Adware:adware/savenow Not disinfected c:\windows\downloaded program files\WUInst.inf
Adware:adware/securityerror Not disinfected c:\documents and settings\all users\start menu\Online Security Center.url
Adware:adware/superspider Not disinfected c:\windows\dl.exe
Adware:adware/crystalys Not disinfected c:\program files\Crystalys media
Adware:adware/sidesearch Not disinfected c:\program files\Lycos
Adware:adware/ncase Not disinfected Windows Registry
Adware:adware/elitebar Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Will\Desktop\SmitfraudFix\Process.exe

Piink
2006-08-25, 07:53
I was worried about it not being in it's own folder, so I redownloaded HTJ and now I am all good. Here is the report. Sorry about all the posts!

Logfile of HijackThis v1.99.1
Scan saved at 12:52:09 AM, on 08/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Oleansoft\Hcc\Hcc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Netopia\C3kWEPn.exe
C:\Program Files\AIM05\aim.exe
C:\PROGRA~1\PicoZip\PicoZipTray.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccmain.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccVScan.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = "Wink Dinkerson"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HCClient] C:\Program Files\Oleansoft\Hcc\Hcc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [C2kWep] C:\Program Files\Netopia\C3kWEPn.exe
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_2] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\drmclien.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_4] C:\WINDOWS\System32\regsvr32 /s "C:\WINDOWS\System32\drmv2clt.dll"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM05\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PicoZip] C:\PROGRA~1\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM05\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://streak.fimc.net:8000/Java/cfs31235.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -
O16 - DPF: {060239F1-8B5B-4F2B-814C-28F92FDCE231} (MortgageReportsLOS2.FileRetriever) - https://www.mortgagereports.net/secured/activex/los/MortgageReportsLOS2.CAB
O16 - DPF: {08952575-918C-2D96-91EC-433D76D7EAC6} - http://66.246.197.126/1/gdnUS2218.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab_adult/180solutions/ie/bridge-c24.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelprocessing.com/SafeCommon/downloads/WalletCab.CAB
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121469675768
O16 - DPF: {6B78B13A-6E99-4588-8EAB-C2399B202022} -
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} -
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_204/webolr/OCX/FlashAX.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.microsoft.com/controls/iptdweb/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{615E40FF-41F1-43AB-9D81-8E91BBC55225}: NameServer = 192.168.1.254
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\System32\PGPsdkServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

LonnyRJones
2006-08-29, 21:41
Hi Piink

Start Hijackthis and place a check next to these items If there.
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O16 - DPF: {08952575-918C-2D96-91EC-433D76D7EAC6} - http://66.246.197.126/1/gdnUS2218.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab_ad...bridge-c24.cab
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Manualy delete these files and folders, be carefull.
C:\WINDOWS\System32\msmsgs.exe
c:\windows\dl.exe
c:\program files\Crystalys media
c:\program files\Lycos
c:\windows\system32\CSUninstall.exe
c:\windows\system32\klo5.sys
c:\windows\system32\newdial1.exe

How did that go ?

Do you have spyBot 1.4 installed ?

You should uninstall your ewido program and go get the new version, update then do a full system scan and have it take recommended actions
Post a fresh hijackthis log please, be sure to mention any current problems.

Piink
2006-08-30, 03:53
How did that go ?

These two files were not in the HJT log, therefore could not be checked and fixed.
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe

Couldn't find this file to delete it.
C:\WINDOWS\System32\msmsgs.exe

Do you have spyBot 1.4 installed ?
Yes.

You should uninstall your ewido program and go get the new version, update then do a full system scan and have it take recommended actions.

I finished the scan and nothing was found.


Here is my new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 8:48:45 PM, on 08/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Oleansoft\Hcc\Hcc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Netopia\C3kWEPn.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\PicoZip\PicoZipTray.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = "Wink Dinkerson"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar

V35\ViewBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HCClient] C:\Program Files\Oleansoft\Hcc\Hcc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [C2kWep] C:\Program Files\Netopia\C3kWEPn.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM05\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PicoZip] C:\PROGRA~1\PicoZip\PicoZipTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM05\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://streak.fimc.net:8000/Java/cfs31235.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -
O16 - DPF: {060239F1-8B5B-4F2B-814C-28F92FDCE231} (MortgageReportsLOS2.FileRetriever) -

https://www.mortgagereports.net/secured/activex/los/MortgageReportsLOS2.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) -

http://idsm.citadelprocessing.com/SafeCommon/downloads/WalletCab.CAB
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -

http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121469675768
O16 - DPF: {6B78B13A-6E99-4588-8EAB-C2399B202022} -
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) -

http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156555623704
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} -
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) -

http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) -

https://register3.valueactive.com/mpp_204/webolr/OCX/FlashAX.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) -

http://activex.microsoft.com/controls/iptdweb/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{615E40FF-41F1-43AB-9D81-8E91BBC55225}: NameServer = 192.168.1.254
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems

Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware

4.0\guard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia

Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. -

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\System32\PGPsdkServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. -

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Piink
2006-08-30, 04:07
Unfortunately, after running SpyBot, it still found Smitfraud-C but still is failing to fix the problems...

Piink
2006-08-30, 04:21
Here are the entries from Smitfraud-C from my Spybot report.

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-808743801-963918322-4271176276-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dl.ad-ware.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-808743801-963918322-4271176276-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fuck-fuck.org\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-808743801-963918322-4271176276-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\love-catalog.net\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-808743801-963918322-4271176276-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\makechoice.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-808743801-963918322-4271176276-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\meetyourfriend.biz\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-808743801-963918322-4271176276-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msnprotection.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-808743801-963918322-4271176276-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\new.8ad.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-808743801-963918322-4271176276-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\s13.remove.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-808743801-963918322-4271176276-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\s2.kav.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-808743801-963918322-4271176276-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\terra.hcworld.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-808743801-963918322-4271176276-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracking.allposters.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-808743801-963918322-4271176276-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\visitfriend.net\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-808743801-963918322-4271176276-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webpidor.biz\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-808743801-963918322-4271176276-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\www.6o9.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-808743801-963918322-4271176276-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\www.niger.ru\*!=W=4

LonnyRJones
2006-08-30, 11:10
Download this file to your desktop
http://www.mvps.org/winhelp2002/DelDomains.inf
Close all browsers, right-click and select: Install
It realy doesnt install, just clears all sites in the domains and Ranges keys.
Afterward's you will need to immunize again in SpyBot and re-protect again with SpywareBlaster or re-install iespyadds (if they are installed) then the file itself can be deleted (DelDomains.inf)


Hacktool:hacktool/rootkit.d Not disinfected c:\windows\system32\klo5.sys
Read here and let me know if any files mentioned are present on your PC
http://www.sophos.com/virusinfo/analyses/trojhaxdorfam.html
dont delete any yet

Post a report from this tool if any FILES show
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
Important: If any files show Do not rename them YET.....legitimate files can be listed.

Piink
2006-08-30, 22:41
I went to the site you recommended I look for files if they were on my computer or not and I found 2 for sure on my computer, and one that might be simliar. I'm not quite sure but I'll tell you anyway.

The bold is what files I searched for.
DEBUG.DLL > I found Debug.exe in both the C:\Windows\System32 folder and C:\I386 folder.
P2.INI > FOUND > C:\Windows\System32
PS.A3D > FOUND > C:\Windows\System32


Scan Report from F-Secure Blacklight

08/30/06 14:49:59 [Info]: BlackLight Engine 1.0.46 initialized
08/30/06 14:49:59 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/30/06 14:49:59 [Note]: 7019 4
08/30/06 14:49:59 [Note]: 7005 0
08/30/06 14:50:04 [Note]: 7006 0
08/30/06 14:50:04 [Note]: 7011 1064
08/30/06 14:50:04 [Note]: 7026 0
08/30/06 14:50:04 [Note]: 7026 0
08/30/06 14:50:10 [Note]: FSRAW library version 1.7.1019
08/30/06 14:58:21 [Note]: 7007 0



NOTE: I also went back and found these on HJT so I checked and fixed them as you advised earlier.
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe

Also, Spybot is not finding ANY problems now :)

LonnyRJones
2006-08-31, 00:58
Go ahead and delete these two
P2.INI > FOUND > C:\Windows\System32
PS.A3D > FOUND > C:\Windows\System32
========
And submit the other here
C:\Windows\System32\DEBUG.DLL
http://www.virustotal.com/flash/index_en.html

Are there any current problems ?

Piink
2006-08-31, 03:44
I deleted the two files you said to delete, I also ran the two files through that link you sent me two, they had no viruses whatsoever. Spybot has returned clean and with no problems two times now! The only problem is that my mouse goes crazy every once in awhile now, it just moves all over and clicks random things. I'm not sure why, could that be another virus? Other than that, my computer is much better.

Thank you very much! :bigthumb:

Piink
2006-09-01, 02:43
Okay, I know that I just said my mouse was being weird, but after it happened to my boyfriend, he thinks it's a virus or something like that.

This is the problem, my mouse is randomly moving around the screen, very fast at times, but then it right-clicks and also left-clicks on random internet pages, the desktop and such. It's getting really annoying, because it's making desktop properties come up, closing webpages, and windows.

LonnyRJones
2006-09-01, 12:24
Hi
Do you have a wireless mouse ?
Or perhaps speech recognition turned on

tashi
2006-09-05, 02:43
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.