virusbursters and family resident on my machine



TheBRAIN33
2006-11-08, 13:59
Hello, all..

I have been infected with virusbursters, smitclient, ZLog and all the other newest and greatest slimeware... I wasn't even doing anything slimy myself, I was trying to copy my kid's DVDs and needed an image creator, downloaded a codec and yadda yadda yadda I had the bisque. I've been at this 2 days and have read and heard a lot of high praise for you folks, so here goes...

I've installed and scanned with AVG (free), BitDefender, Kaspersky, Spyware Doctor and Spybot S&D. I'm having a problem with safe mode: neither my desktop nor any icons will appear, so I have to do everything from the cmd prompt... very annoying. I'm up and running, but Kaspersky and Spybot are still telling me about three times a day that I'm still infected, even after successful removal of the infected files.

Lastly, I have one image file (a .HVD file) made with MagicISO (since uninstalled) on my desktop that I CAN NOT DELETE (driving me nuts). The warning window says it's in use by another user or process (which is not true); there are no other users on the machine, and the window says the same thing even in safe mode. I have to delete that file before I go nuts -- and also remove my malware.

Sorry to be long-winded, but I need some instruction on how to post my log to this forum so you can have a look at it.

Thanks in advance....

Jeff

pskelley
2006-11-08, 15:39
Hello Jeff and welcome to the forum, please be advised that most forums Pin the information you need at the top of the page. These two links are a must before you can proceed, but I suggest you review all Pinned (Sticky) information.
UPDATED WINDOWS - Your first line of defence, links and tips
http://forums.spybot.info/showthread.php?t=425
"BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D
http://forums.spybot.info/showthread.php?t=288

You can also find posted in the same place these instructions, if this is your infection: http://forums.spybot.info/showthread.php?t=4015 When you finish the instructions, post the three logs in this same topic using the "Post Reply" button.

Spybot-S&D: Be sure to follow the directions to save the scan report but do not post it here unless requested by a helper.

Thanks

TheBRAIN33
2006-11-08, 21:06
Hi, PSKELLEY,

I am having some trouble, as I can't do much in safe mode since all I have is a black screen (with "safe mode" in all 4 corners and the build info at the top of the screen).

I read carefully the "self-help" instructions on the link you provided, and sadly w/o a safe-mode desktop, I'm limited to CMD functions.

That being said, here are the three logs I've generated:

From Trend Micro online scan:

#Trend Micro HouseCall - Storage of detected incidents
#Wed Nov 08 13:34:51 AST 2006
scanned.pattern.type=malware,grayware,system.grayware,vulnerability.software
system.username=The Brain
infectivethreats.failed.reason=
infectivethreats.type=
created=2006-11-08 12\:53\:18 AST
personalize=false
infectivethreats.amount=1,1,1,1,1,1,1,1,1
vulnerabilities.type=software
system.ip=192.168.2.11
scanned.pattern.version=391100,42700,42700,5400
system.architecture=x86
infectivethreats.class=grayware,grayware,grayware,grayware,grayware,grayware,grayware,grayware,grayware
infectivethreats.failed.amount=
infectivethreats.removed=1,1,1,1,1,1,1,1,1
scanned.count=131315,131315,55607,178
scanned.engine.version=831001002,831001002,500001060,398001012
infectivethreats=COOKIE_AZJMP,COOKIE_2O7,TSPY_LDPINCH,TSPY_SMALL,ADWARE_MEMWATCHER,ADWARE_BHO_MYWAY,COOKIE_TACODA,ADWARE_BRILLIANTDIGITALENTERTAINMENT,COOKIE_MEDIAPLEX
scanned.engine.type=main,main,system,system
vulnerabilities=MS06-061
send.report.key=7582647
infectivethreats.failed=
domain=housecall65.trendmicro.com
implementation=html/java

I implemented corrections:

and a second scan resulted in:

#Trend Micro HouseCall - Storage of detected incidents
#Wed Nov 08 14:37:12 AST 2006
scanned.pattern.type=malware,grayware,system.grayware,vulnerability.software
system.username=The Brain
infectivethreats.failed.reason=
infectivethreats.type=
created=2006-11-08 12\:53\:18 AST
personalize=false
infectivethreats.amount=1
vulnerabilities.type=software
system.ip=192.168.2.11
scanned.pattern.version=391100,42700,42700,5400
system.architecture=x86
infectivethreats.class=grayware
infectivethreats.failed.amount=
infectivethreats.removed=1
scanned.count=131327,131327,57031,178
scanned.engine.version=831001002,831001002,500001060,398001012
infectivethreats=ADWARE_BHO_MYWAY
scanned.engine.type=main,main,system,system
vulnerabilities=MS06-061
send.report.key=7583249
infectivethreats.failed=
domain=housecall65.trendmicro.com
implementation=html/java

I ran a Spybot scan (in safe mode from CMD) and came up with:


--- Report generated: 2006-11-08 14:46 ---

Smitfraud-C.Toolbar888: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkihif

Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, nothing done)


DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-11-07 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-11-03 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-11-03 Includes\DialerC.sbi (*)
2006-11-03 Includes\Hijackers.sbi (*)
2006-11-03 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-11-03 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-11-03 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-11-03 Includes\PUPSC.sbi (*)
2006-11-03 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-11-03 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-11-03 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-11-03 Includes\Trojans.sbi (*)
2006-11-03 Includes\TrojansC.sbi (*)

Spybot fixes:


--- Report generated: 2006-11-08 14:50 ---

Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkihif

Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: default) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-11-07 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-11-03 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-11-03 Includes\DialerC.sbi (*)
2006-11-03 Includes\Hijackers.sbi (*)
2006-11-03 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-11-03 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-11-03 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-11-03 Includes\PUPSC.sbi (*)
2006-11-03 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-11-03 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-11-03 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-11-03 Includes\Trojans.sbi (*)
2006-11-03 Includes\TrojansC.sbi (*)

I got all green results after the above noted fixes. After a reboot, I ran the HijackThis scan and logged the following:

Logfile of HijackThis v1.99.1
Scan saved at 3:48:18 PM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\The Brain\Desktop\Hijack THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} (SelfProvisioning.Wizard) - http://dsp02.eastlink.ca/SelfProvisioning.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I really hope I followed your directions correctly; I know you guys/girls must be extremely busy. If I can make any of this easier on you, please let me know. I very, very much appreciate your help and this forum, and have already started bragging you guys up to a couple of techie friends of mine (because of the quick response)... I'll be talking with you.

Cheers!
Jeff

pskelley
2006-11-08, 21:41
OK Jeff, it is so important that you take the time to read and follow the directions. Please post only what I request:
Whatever you have posted is not a Scan report, I really don't know what it is, and the Spybot log was not requested at this time.

For some reason your log is formatted; please look under Format in Notepad and make sure "Word Wrap" is not checked. The log should not be stretched like that, look at all of the other HJT logs.

Let's start over, please, and I will not use Safe Mode unless I have to, though you should be able to enter Safe Mode at will. This is a very important diagnostic mode: not only will these tools work better when the malware programs are not running, but it is much better to do your maintenance in Safe Mode.

Please read and follow these directions carefully:

1) You are running two antivirus programs at the same time and this is not a good thing.
Kaspersky Anti-Virus 6.0 and Grisoft\AVGFRE~1
They conflict with each other and you will be less safe than if you ran one good program and maintained it properly. Uninstall one, update the one you keep and run a complete system scan; post for me any item that can't be removed, with the complete name and pathway.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html

2) To see if Smitfraud is present, follow these directions:
Thanks to S!Ri, and any others who helped with this fix.

Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm
(this means if the antivirus program you keep tries to block process.exe, you must allow it or the tool will not work!)

3) Your Java program is out of date, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_06\

Recap:
* uninstall one of the antivirus programs, update and run the other.

* download and run SmitfraudFix "Search" function only and post those results for me.

* update your Java program, make sure all old versions in Add/Remove Programs are uninstalled.

* Post a new HJT log also, with no formatting.

Thanks

TheBRAIN33
2006-11-09, 00:51
Hi PSK...

Sorry for being a numb-twad, but there is a ton of info that reads like Japanese for someone like me... I read some of your other help threads and there is a common theme where people are not reading and following, so I admire your patience -- but I digress...

I did the things you told me to (Kaspersky now running solo), and the results from the rest are:

From SMITFRAUDFIX:

SmitFraudFix v2.119

Scan done at 19:23:38.76, Wed 11/08/2006
Run from C:\Documents and Settings\The Brain\Desktop\smitfraud desk\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\The Brain


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\The Brain\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\THEBRA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

and the newest HJT log:

I added the log below with word-wrap unchecked.

Logfile of HijackThis v1.99.1
Scan saved at 7:25:11 PM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\The Brain\Desktop\Hijack THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} (SelfProvisioning.Wizard) - http://dsp02.eastlink.ca/SelfProvisioning.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

pskelley, if I got the above wrong, I'm hopeless... I did it over three times...

Do you think that removing this slop-ware will fix my Windows Safe mode ?

--> Oh, I almost forgot to add the results of my PandaScan.. I'll paste it below....

(just kidding...;) )

Cheers!

Jeff

pskelley
2006-11-09, 01:22
Hi Jeff, and thanks for your efforts. Let me ask about this item:

O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
http://www.file.net/process/p0630pin.dll.html
is it this: The camera is a Creative WebCam Live. It's a USB2 model.

What can you tell me about this item? Is it valid?
O16 - DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} (SelfProvisioning.Wizard) - http://dsp02.eastlink.ca/SelfProvisioning.cab

For starters, Smitfraudfix shows no evidence of that infection? Your HJT log, besides the couple of items I asked about above, looks clean.

As far as Safe Mode, I need more information about what occurs, here is another look at how to access Safe Mode:
http://www.bleepingcomputer.com/tutorials/tutorial61.html

Please try to download and run ATF-Cleaner again, here is a tutorial for using it:
http://forums.security-central.us/showthread.php?t=1925
and the instructions for downloading:
Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Before I do anything else, I need some feedback from you. Are you still having any malware issues at all? If so, please describe them in detail and post any error messages you are receiving "word for word".

Thanks

TheBRAIN33
2006-11-09, 02:59
Hi again, pskelley!

re: O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
http://www.file.net/process/p0630pin.dll.html
is it this: The camera is a Creative WebCam Live. It's a USB2 model.

This is my webcam; I bought it about a month ago from a retail store.

re: What can you tell me about this item? Is it valid?
O16 - DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} (SelfProvisioning.Wizard) - http://dsp02.eastlink.ca/SelfProvisioning.cab

Eastlink was my previous ISP company until about a month ago, then I switched to Aliant Telecoms. Both are very reputable, "big money" firms. I can only tell you I recognize the "eastlink" name; I have no idea what the rest of the script refers to. Both services are broadband ISPs, eastlink being a cable (like a TV cable) internet service.

Regarding safe mode, I know two ways to access it: 1) through MSConfig under the task tab and 2) pushing F8 during startup. In both cases, the system continues startup until immediately following the "welcome" screen (Windows XP), when the desktop flashes for a second then goes black, leaving only the "safe mode" text in each corner of the screen and the Windows XP build info at the top. For a moment, the window pops up that informs me I'm working in safe mode - some operations may not function etc. - with a "yes" box to continue working in safe mode and a "no" box to open a restore point. If you click "yes" the screen returns to black, and "no" also returns to black but the restore window opens and functions as per normal. The only way I can work in safe mode is to "CTRL-ALT-DEL", open the CMD prompt and poke away at my 20-year-old DOS knowledge, accessing programs that way. A real pain in the neck, and some things I can't get at because I forget the commands to get to them. Anyway... that's the scoop on safe mode.

I am still having malware issues. I had a red balloon w/ a yellow ! in my notification bar that blips and spits out that my computer is infected with spyware. The blip provides a link to WinAntivirus, and very often the blip is accompanied by a bright yellow balloon next to it with a blue or black "X" in it. Neither of them will go away no matter what I do. Every time I run a scan using Spyware Dr., Kaspersky, AVG, or BitDefender I get infections found. I heal/delete the findings and run a second scan and it comes out clean. If I close Windows and boot up then do a scan, they're back. Furthermore, the Virusbursters directory is permanently in my Program Files directory and I cannot delete it at all. Same goes for toolbar888.

Now, there's something I didn't tell you before. Yesterday I installed TuneUp Utilities 2006 and did all kinds of cleaning, registry defrag etc. I also used the "Windows Startup" utility and turned everything off at startup except for Kaspersky and ZoneAlarm. Now, only those two programs start at Windows startup and the red and yellow balloons are not appearing. HOWEVER, all that being said, about every half-hour to 45 minutes Kaspersky pops open and tells me to delete "adware not-a-virus:AdWare.Win32.Agent.at" and occasionally tells me to block a malicious http address:

- 11/8/2006 7:13:51 PM Malicious HTTP object <http://82.98.235.61/execpyd.exe?uid=282EF5986D3F11DBBE2800167647FA98&guid=8c4e9e56+DFF1692788E64EAAA097460B7E65289B>: access denied.

(I did copy and smash the link using Brute Force Uninstaller.) I haven't seen that for a few hours now. Please understand that this is going on constantly... in fact (I hope you don't mind), here's a rundown of what Kaspersky's been up to:

deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\Program Files\Common Files\{8C4E9E56-0BB0-1033-0331-060506210001}\Update.exe
not found: Trojan program Trojan.Win32.Agent.vg Running module: winlogon.exe\winhoo32.dll
deleted: Trojan program Trojan.Win32.Agent.vg File: C:\WINDOWS\system32\winhoo32.dll
deleted: malware not-virus:Hoax.Win32.Renos.gb File: C:\WINDOWS\SYSTEM32\OKKMTV.DLL
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\Program Files\Common Files\{3C4E9E56-0BB0-1033-0331-060506210001}\MyToolBar.dll
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\WINDOWS\system32\jfsuebdm.exe
detected: adware not-a-virus:AdWare.Win32.Agent.at URL: http://82.98.235.61/execpyd.exe?uid=282EF5986D3F11DBBE2800167647FA98&guid=8c4e9e56+DFF1692788E64EAAA097460B7E65289B
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151\A0030114.exe
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\DOCUME~1\THEBRA~1\LOCALS~1\Temp\xlafmpuj.exe
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\DOCUME~1\THEBRA~1\LOCALS~1\Temp\obhjgino.exe
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151\A0030118.dll
deleted: malware not-virus:Hoax.Win32.Renos.gb Running module: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151\A0030122.dll
deleted: adware not-a-virus:AdWare.Win32.180Solutions.as File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP160\A0030983.exe/UPX
deleted: adware not-a-virus:AdWare.Win32.Softomate.u Running module: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP160\A0031039.dll
deleted: adware not-a-virus:AdWare.Win32.Softomate.u Running module: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP161\A0032034.exe
deleted: malware not-virus:Hoax.Win32.Renos.gb Running module: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP161\A0032038.dll
deleted: adware not-a-virus:AdWare.Win32.Softomate.u Running module: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP161\A0032042.dll
deleted: Trojan program Trojan.Win32.Agent.vg Running module: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP161\A0032051.dll
deleted: adware not-a-virus:AdWare.Win32.Agent.at Running module: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP161\A0032062.exe
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\Documents and Settings\The Brain\Local Settings\Temp\win1AD.tmp.exe/stream/data0003
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\Documents and Settings\The Brain\Local Settings\Temp\win1AD.tmp.exe/stream/data0004
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\Documents and Settings\The Brain\Local Settings\Temp\win1AD.tmp.exe/stream/data0005
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\Documents and Settings\The Brain\Local Settings\Temp\win1AD.tmp.exe/stream/data0007
deleted: Trojan program Trojan-Downloader.Win32.PurityScan.dc File: C:\Documents and Settings\The Brain\Local Settings\Temp\win1B4.tmp.exe/data0002/UPX
deleted: Trojan program Trojan-Dropper.Win32.Agent.axq Running module: C:\Documents and Settings\The Brain\Local Settings\Temporary Internet Files\Content.IE5\60KG8T7T\antzom[1].exe
deleted: Trojan program Trojan-Downloader.Win32.PurityScan.dc Running module: C:\Documents and Settings\The Brain\Local Settings\Temporary Internet Files\Content.IE5\70EVAK9Q\mulbin32[1].exe
deleted: Trojan program Trojan-Downloader.Win32.PurityScan.dc File: C:\Documents and Settings\The Brain\Local Settings\Temporary Internet Files\Content.IE5\70EVAK9Q\mulbin32[1].exe/data0002/UPX
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\Documents and Settings\The Brain\Local Settings\Temporary Internet Files\Content.IE5\EX1UJQLS\122[1].net/stream/data0004
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\Documents and Settings\The Brain\Local Settings\Temporary Internet Files\Content.IE5\R6N771J4\116[1].net/stream/data0004
deleted: adware not-a-virus:AdWare.Win32.Softomate.u Running module: C:\Documents and Settings\The Brain\Local Settings\Temporary Internet Files\Content.IE5\R6N771J4\wlzip32[1].exe
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\Documents and Settings\The Brain\Local Settings\Temporary Internet Files\Content.IE5\R6N771J4\wlzip32[1].exe/stream/data0003
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\Documents and Settings\The Brain\Local Settings\Temporary Internet Files\Content.IE5\R6N771J4\wlzip32[1].exe/stream/data0004
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\Documents and Settings\The Brain\Local Settings\Temporary Internet Files\Content.IE5\R6N771J4\wlzip32[1].exe/stream/data0005
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\Documents and Settings\The Brain\Local Settings\Temporary Internet Files\Content.IE5\R6N771J4\wlzip32[1].exe/stream/data0007
not found: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\Program Files\Common Files\{8C4E9E56-0BB0-1033-0331-060506210001}\services.dll
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\Program Files\VSAdd-in\VSAdd-in.dll
deleted: adware not-a-virus:AdWare.Win32.Softomate.u Running module: C:\WINDOWS\temp\b116.exe
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\WINDOWS\temp\b116.exe/stream/data0004
deleted: adware not-a-virus:AdWare.Win32.Softomate.u Running module: C:\WINDOWS\temp\b122.exe
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\WINDOWS\temp\b122.exe/stream/data0004
deleted: adware not-a-virus:AdWare.Win32.Softomate.u Running module: C:\WINDOWS\temp\winCE.tmp.exe
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\WINDOWS\temp\winCE.tmp.exe/stream/data0003
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\WINDOWS\temp\winCE.tmp.exe/stream/data0004
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\WINDOWS\temp\winCE.tmp.exe/stream/data0005
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\WINDOWS\temp\winCE.tmp.exe/stream/data0007
deleted: Trojan program Trojan-Downloader.Win32.PurityScan.dc Running module: C:\WINDOWS\temp\winD5.tmp.exe
deleted: Trojan program Trojan-Downloader.Win32.PurityScan.dc File: C:\WINDOWS\temp\winD5.tmp.exe/data0002/UPX
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP161\A0032120.dll
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP161\A0032121.dll
deleted: adware not-a-virus:AdWare.Win32.Softomate.u File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0032122.dll
not found: Trojan program Trojan-Downloader.Win32.Zlob.auv File: C:\WINDOWS\system32\ishost.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.auv Running module: ishost.exe\ishost.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.auv Running module: ismini.exe\ismini.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.auv File: C:\WINDOWS\system32\ismini.exe
deleted: Trojan program Trojan.Win32.BHO.g File: c:\windows\system32\lihavfgg.dll
deleted: Trojan program Trojan-Downloader.Win32.Zlob.aus File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151\A0030109.dll/PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.aus File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151\A0030110.exe/PE_Patch/UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.aus File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151\A0030111.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.aus File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151\A0030112.exe/PE_Patch/UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.auv File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151\A0030113.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.auv File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151\A0030116.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.aus File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151\A0030117.exe
deleted: Trojan program Trojan.Win32.BHO.g File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151\A0030119.dll
deleted: Trojan program Trojan-Downloader.Win32.Zlob.aus File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP151\A0030120.dll/PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.auv File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP161\A0032033.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.auv File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP161\A0032058.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.auv File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP161\A0032086.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.auv File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP161\A0032100.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.auv File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP161\A0032117.exe
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0032124.dll
deleted: Trojan program Trojan-Downloader.Win32.Zlob.auv File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0032144.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.auv File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0032155.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.auv File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0032167.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.auv File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0032177.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.auv File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0032183.exe
deleted: Trojan program Trojan.Win32.BHO.g File: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\4ec.9FBCC16201C70264.history\00000007.bak
deleted: Trojan program Trojan-Downloader.Win32.Zlob.aus File: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\4ec.9FBCC16201C70264.history\00000008.bak/PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.auv File: C:\Documents and Settings\The Brain\Local Settings\Temporary Internet Files\Content.IE5\EX1UJQLS\l11[1].exe/PE_Patch/UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.aus File: C:\Program Files\iVideoCodec\iesuninst.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.aus File: C:\Program Files\iVideoCodec\isauninst.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.aus File: C:\Program Files\iVideoCodec\pmuninst.exe
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\WINDOWS\system32\dafusvvy.exe
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\WINDOWS\system32\hinwvjie.exe
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\WINDOWS\system32\wlvsxayn.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.aus File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0034207.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.aus File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0034208.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.aus File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0034209.exe
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0034211.dll
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0034216.exe
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0034217.exe
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0034219.exe
deleted: virus Worm.Win32.VB.an File: C:\Documents and Settings\The Brain\Desktop\LIME Music\MindSoft Utilities XP 9.0.zip\Setup.exe
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\DOCUME~1\THEBRA~1\LOCALS~1\Temp\hfgligot.exe
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\Documents and Settings\The Brain\Local Settings\Temporary Internet Files\Content.IE5\7JY5TPLA\execpyd[1]
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP172\A0038737.dll
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\WINDOWS\system32\ctfqlpqm.exe
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\WINDOWS\system32\ffmvnadm.exe
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\WINDOWS\system32\iuidgila.exe
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\WINDOWS\system32\vkdqqpwo.exe
deleted: adware not-a-virus:AdWare.Win32.Agent.at File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP173\A0039119.exe

The oldest ones (late yesterday) are at the top and the newest ones are on the bottom (a few minutes ago). I have a kaspersky activity log also but I won't post it unless you want it.

I also d/l'd and ran ATF Cleaner a few minutes ago.

If you don't mind, I'm going to log-off, and reboot with TuneUp Utilities "windows Startup" utility turned off and run a HJT scan and log and a smitfraud scan and log... see if they're different than above. Actually, I'll wait until I hear back from you before I go scanning, logging, posting and cluttering up the thread.....

Talk to you soon ...

Jeff

TheBRAIN33
2006-11-09, 03:26
PSK..

I did some reading and found out that safe-mode uses a different (simpler) video driver than in normal mode. Mine must have gotten deleted in one of my 85 or so scan and delete fits I've had over the last few days. Any idea what file or driver may be missing ?? It would be cool to be able to get into safe-mode for the fixes/maintenance I will need to do soon >>??!!

Cheers!

Jeff

pskelley
2006-11-09, 13:17
Thanks Jeff, for the feedback, looking at your comments:
If you no longer use this ActiveX, you can use HJT to remove it:
O16 - DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} (SelfProvisioning.Wizard) - http://dsp02.eastlink.ca/SelfProvisioning.cab

regarding Safe-Mode
Perhaps System File Checker can replace the missing file:
Click Start > Run, type in sfc /scannow, hit Enter.
Note: there is a space between sfc and /scannow
This should replace any corrupted/missing system files and will hopefully fix things. You may need your XP disc in your CD drive for this. Let me know if this helps.

Please make sure you have the newest version of Smitfraudfix from this link:
http://siri.geekstogo.com/SmitfraudFix.php
and follow these directions:
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
(if you can't get to safe mode, run it in normal mode)
Double-click smitfraudfix.cmd
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Winfixer is a rogue spyware product that is a clue that you probably have a hidden Vundo trojan. Please return to:
C:\Documents and Settings\The Brain\Desktop\Hijack THIS\HijackThis.exe <<< right click and rename it to TheBRAIN33.exe or whatever you wish. The next log should show us the BHO's and O20's the hackers have hidden.
Kaspersky is a good program; I did ask you to run it after removing the AVG program. It seems to have removed some stuff (may have been the other AV keeping it from functioning properly prior to this?). I note a lot of stuff in System Restore; please do not use SR, as all of the junk would get back on your computer.

Safe Mode repair is not my area of expertise; if you will be patient until we get your computer cleaned up, I will do my best to help with that issue.

Make sure you restart the computer and post the results of Smitfraudfix "Clean" function, and a new HJT log so we can get a look at what was hidden. Let me know if SFC helped with the Safe Mode issue.

Thanks...Phil

TheBRAIN33
2006-11-09, 14:37
Mornin' Phil..

I was up bright and early to see what you had for new instructions... I did as you asked and used HJT to remove that old eastlink wizard.. gone.

I tried the sfc / scannow and it ran through BUT asked me for the XP install disc for ONE file. I don't have the disc (thank-you, DELL.. grr :mad: ) so I had to skip that file. Only the one, though... so not too bad. Safe-Mode still boots into a black screen... and now when my screensaver kicks in my computer has a stroke and fails to a shutdown screen where it tells me that "DRIVER_IRQL_NOT_LESS_OR_EQUAL" and furthermore that if it hadn't shut itself down that the computer would have wrecked itself and it performed a memory dump.... oh my G*d, Magnum ! (a la Higgins).. not to worry for now... bigger fish to fry.

I d/l'd the SmitFraud you suggested and got back into my cmd prompt in safe mode and did a clean... results below..

SmitFraudFix v2.119

Scan done at 9:16:28.51, Thu 11/09/2006
Run from C:\Documents and Settings\The Brain\Desktop\smitfraud desk\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\The Brain


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\The Brain\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\THEBRA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


==> the program also generated a registry fix log... I have it if you need it.

I renamed HJT to "theBRAIN33" and ran a scan.. the results are:

Logfile of HijackThis v1.99.1
Scan saved at 9:25:40 AM, on 11/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\The Brain\Desktop\Hijack THIS\TheBRAIN33.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0737507A-535F-74B1-575A-0304475F644C} - C:\WINDOWS\system32\pcboakn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - (no file)
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\jkkihif.dll
O2 - BHO: (no name) - {F81F694F-A503-4ACB-B33D-F8AFCC701A8D} - C:\WINDOWS\system32\awvtu.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awvtu - C:\WINDOWS\system32\awvtu.dll
O20 - Winlogon Notify: jkkihif - C:\WINDOWS\SYSTEM32\jkkihif.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hope this helps... I took the day off today to handle this so you have my undivided attention.

Cheers!
Jeff

pskelley
2006-11-09, 15:30
Hi Jeff, I was in the middle of one when your notification came in; unfortunately, you are not the only infected member this day.
I'll look at your feedback first, then the HJT log.

"I don't have the disc (thank-you, DELL.. grr ) so I had to skip that file. Only the one, though... so not too bad."
It only takes one file to cause the problem; might be good to know the name of that file. You know what your Windows version is, do you have a friend or relative whose CD you can use long enough to extract that file?

Screensavers are no longer needed and have not been for a long time. I would turn it off and discontinue using it were I you. (may even stop the error message?) That error message: DRIVER_IRQL_NOT_LESS_OR_EQUAL is often hardware related and could account for the missing file? See the Google:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=DRIVER%5fIRQL%5fNOT%5fLESS%5fOR%5fEQUAL

You can see the Vundo infection now, let's concentrate on the malware. Once we have a clean computer then we will know what issues we have to address.

Please understand Vundofix can not know the names of files as fast as the hackers change them. Atribune has created a fix that will learn, but you need to watch the fix results to make sure all files it locates "Have Been Deleted". Here we go:

Thanks to Atribune and any others who helped with this fix.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit the files to upload malware: http://www.uploadmalware.com

(hold the logs until we finish)

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(depending on how well the fix works, items may be gone or have "files missing" )


O2 - BHO: (no name) - {0737507A-535F-74B1-575A-0304475F644C} - C:\WINDOWS\system32\pcboakn.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - (no file)
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\jkkihif.dll
O2 - BHO: (no name) - {F81F694F-A503-4ACB-B33D-F8AFCC701A8D} - C:\WINDOWS\system32\awvtu.dll
(check and remove this advanced option if you did not set it)
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: awvtu - C:\WINDOWS\system32\awvtu.dll G
O20 - Winlogon Notify: jkkihif - C:\WINDOWS\SYSTEM32\jkkihif.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF-Cleaner again (may slow you until Prefetch is repopulated) and post a new HJT log. Let me know how the computer is running now. The infection is a nasty one!

Thanks...Phil
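
The fix list above illustrates the pattern Phil is looking for in the HJT log: unnamed BHOs (O2) loaded from system32 whose DLL is also registered as a Winlogon Notify handler (O20), which is how Vundo reloads itself at every logon. Below is an added Python triage script, written for this page and not part of the thread, HijackThis, or VundoFix, that parses O2/O20 lines and scores each DLL on exactly those traits. The sample input is constructed from the log lines posted above; the allowlist of known-good Notify DLLs (klogon.dll, WgaLogon.dll) and the "unnamed BHO in system32" heuristic are assumptions for this example, not rules the tools themselves use.

```python
import re
from collections import defaultdict

# Constructed sample input: the O2 (BHO) and O20 (Winlogon Notify) lines from
# the HijackThis log posted in this thread, used here as test data.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0737507A-535F-74B1-575A-0304475F644C} - C:\WINDOWS\system32\pcboakn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - (no file)
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\jkkihif.dll
O2 - BHO: (no name) - {F81F694F-A503-4ACB-B33D-F8AFCC701A8D} - C:\WINDOWS\system32\awvtu.dll
O20 - Winlogon Notify: awvtu - C:\WINDOWS\system32\awvtu.dll
O20 - Winlogon Notify: jkkihif - C:\WINDOWS\SYSTEM32\jkkihif.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Assumed allowlist for this example: Winlogon Notify DLLs the thread treats as
# legitimate (Kaspersky's klogon, Microsoft's WgaLogon). A real triage would
# compare against a fuller list of known-good Notify packages.
KNOWN_NOTIFY_DLLS = {"klogon.dll", "wgalogon.dll"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

BOTH_REASON = "same DLL registered as BHO and Winlogon Notify"


def basename(path):
    """Lower-cased file name from a Windows path (the log mixes system32/SYSTEM32)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system32(path):
    return "\\system32\\" in path.lower()


def parse_hjt(text):
    """Return (bhos, notifies) as lists of dicts parsed from O2/O20 lines; other lines are ignored."""
    bhos, notifies = [], []
    for line in text.strip().splitlines():
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append(m.groupdict())
    return bhos, notifies


def triage(text):
    """Score each suspicious artifact. Returns {dll_name_or_clsid: (severity, [reasons])}."""
    bhos, notifies = parse_hjt(text)
    reasons = defaultdict(list)
    bho_dlls = set()
    for b in bhos:
        if b["path"] == "(no file)":
            # Orphaned registration: harmless by itself, but leftover clutter to remove.
            reasons[b["clsid"]].append("orphaned BHO entry (no file)")
            continue
        dll = basename(b["path"])
        if b["name"] == "(no name)" and in_system32(b["path"]):
            reasons[dll].append("unnamed BHO loaded from system32")
            bho_dlls.add(dll)
    for n in notifies:
        dll = basename(n["path"])
        if dll in KNOWN_NOTIFY_DLLS:
            continue
        reasons[dll].append("Winlogon Notify DLL not on allowlist")
        if dll in bho_dlls:
            reasons[dll].append(BOTH_REASON)
    result = {}
    for key, why in reasons.items():
        if BOTH_REASON in why:
            sev = "high"       # BHO + Winlogon Notify pairing: the Vundo-style persistence the thread describes
        elif why == ["orphaned BHO entry (no file)"]:
            sev = "low"
        else:
            sev = "medium"
        result[key] = (sev, why)
    return result


if __name__ == "__main__":
    for key, (sev, why) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{sev:6} {key}: {'; '.join(why)}")
```

Run against the sample, the script rates awvtu.dll and jkkihif.dll "high" (they appear as both an unnamed BHO and a Winlogon Notify DLL, matching the pairs in Phil's fix list), pcboakn.dll "medium" (unnamed BHO in system32 with no Notify twin), the F18F04B0 CLSID "low" (orphaned entry), and leaves the named Adobe BHO, Spybot's SDHelper.dll (unnamed but not in system32) and the allowlisted Notify DLLs alone. Feeding it Jeff's second log, where the O20 awvtu entry is gone but jkkihif.dll still shows in both O2 and O20, would keep jkkihif.dll at "high", which is the practical value of the cross-check: a surviving BHO/Notify pair tells you the cleanup is not finished.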

TheBRAIN33
2006-11-09, 16:31
hey, Phil..

smee again. I performed the operations as you asked (this is getting fun). I only had one snag.. when I ran scan and "fix" in HJT, one file that you asked to be checked was not present in the scan:

O20 - Winlogon Notify: awvtu - C:\WINDOWS\system32\awvtu.dll G

The vundo remover you sent me seemed to work fine. All files were deleted (one after reboot). ATF ran fine as well.

the latest HJT log follows:

Logfile of HijackThis v1.99.1
Scan saved at 11:23:06 AM, on 11/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\The Brain\Desktop\Hijack THIS\TheBRAIN33.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\jkkihif.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: jkkihif - C:\WINDOWS\SYSTEM32\jkkihif.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I see that O20 - Winlogon Notify: jkkihif - C:\WINDOWS\SYSTEM32\jkkihif.dll is still hanging around... can I KillBox it, huh canni canni canni puuhhlease ( I just want to exert some hostility on this nasty infection)... I will await further instruction... (as long as I get to kill something... jk)

Cheers!
Jeff

pskelley
2006-11-09, 16:40
I'm sorry, Jeff; I should have asked at the end for the Vundofix log. It says so in the fix:

Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
These two items:
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\jkkihif.dll
O20 - Winlogon Notify: jkkihif - C:\WINDOWS\SYSTEM32\jkkihif.dll
must be removed by the fix. Run it again and watch for the report to indicate they have been deleted. It may take several runs. Once this occurs, post the Vundofix report and a new HJT log.

Killbox will not work on it. We have a couple of other things we can try, but Vundofix is the easiest.

Looks like this is the last of the malware showing in the HJT log.

Thanks

pskelley
2006-11-09, 16:51
Check your private messages:bigthumb:

TheBRAIN33
2006-11-09, 17:21
I'm gettin that happy feelin... :D:

check out the VundoFix log:


VundoFix V6.2.8

Checking Java version...

Java version is 1.5.0.9

Scan started at 10:47:09 AM 11/9/2006

Listing files found while scanning....

C:\WINDOWS\system32\pcboakn.dll
C:\WINDOWS\system32\awvtu.dll
C:\WINDOWS\system32\utvwa.ini
C:\WINDOWS\system32\utvwa.bak1
C:\WINDOWS\system32\utvwa.bak2
C:\WINDOWS\system32\utvwa.ini2
C:\WINDOWS\system32\utvwa.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pcboakn.dll
C:\WINDOWS\system32\pcboakn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awvtu.dll
C:\WINDOWS\system32\awvtu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\utvwa.ini
C:\WINDOWS\system32\utvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\utvwa.bak1
C:\WINDOWS\system32\utvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\utvwa.bak2
C:\WINDOWS\system32\utvwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\utvwa.ini2
C:\WINDOWS\system32\utvwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\utvwa.tmp
C:\WINDOWS\system32\utvwa.tmp Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awvtu.dll
C:\WINDOWS\system32\awvtu.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.8

Checking Java version...

Java version is 1.5.0.9

Scan started at 11:52:04 AM 11/9/2006

Listing files found while scanning....

C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\pqtwa.ini
C:\WINDOWS\system32\pqtwa.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\awtqp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\pqtwa.ini
C:\WINDOWS\system32\pqtwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtwa.bak1
C:\WINDOWS\system32\pqtwa.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\awtqp.dll Has been deleted!

Performing Repairs to the registry.
Done!

and now the latest HJT Log::

Logfile of HijackThis v1.99.1
Scan saved at 12:17:26 PM, on 11/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\The Brain\Desktop\Hijack THIS\TheBRAIN33.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {63E0F74B-6976-486A-A238-72B43E48839B} - C:\WINDOWS\system32\awtqp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Those two jkkihif library files seem to be gone....

I replied to my PM ( I think...)

Here's hopin .....

Jeff

pskelley
2006-11-09, 17:38
That's the one that was causing the trouble; let's do this:

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {63E0F74B-6976-486A-A238-72B43E48839B} - C:\WINDOWS\system32\awtqp.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Once System Restore is purged and reset, you can run Kaspersky to see what it has to say, or this free trial according to the instructions suggested, since it looks for spyware.

http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/33/
Thanks to John McKenna for the tutorial.

Post the results of what you run so I can have a last look.

Thanks
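For readers working through a similar HijackThis log, here is an added example that is not a Safer Networking tool and not code from anyone in this thread. It automates the three checks the helper makes by eye above: a DLL referenced by both an O2 BHO entry and an O20 Winlogon Notify entry (jkkihif.dll), which is loaded into winlogon.exe at logon and is therefore in use and out of reach of a plain file deleter such as KillBox; an O2 entry marked "(file missing)", the leftover CLSID that the "Fix checked" step clears (awtqp.dll); and the naming habit visible in the VundoFix listings, where each .dll is paired with an .ini whose name is the DLL stem spelled backwards (awvtu.dll / utvwa.ini, awtqp.dll / pqtwa.ini). The sample lines are copied from the logs posted in this thread; the function names and the reversed-name rule are my own, and that rule is a heuristic for this family, not a general test.

```python
"""Heuristic checks over HijackThis O2/O20 lines and a VundoFix file list.

Added example for this thread; the helper functions and the sample data below
are constructed for illustration, not taken from any tool.
"""
import re

# Constructed sample: HijackThis lines copied from the logs posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\jkkihif.dll
O2 - BHO: (no name) - {63E0F74B-6976-486A-A238-72B43E48839B} - C:\WINDOWS\system32\awtqp.dll (file missing)
O20 - Winlogon Notify: jkkihif - C:\WINDOWS\SYSTEM32\jkkihif.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed sample: the "files found" entries from the VundoFix runs above.
VUNDOFIX_FILES = [
    r"C:\WINDOWS\system32\pcboakn.dll",
    r"C:\WINDOWS\system32\awvtu.dll",
    r"C:\WINDOWS\system32\utvwa.ini",
    r"C:\WINDOWS\system32\utvwa.bak1",
    r"C:\WINDOWS\system32\awtqp.dll",
    r"C:\WINDOWS\system32\pqtwa.ini",
]

# O2 lines carry a display name, a CLSID and a path; O20 lines a key name and a path.
# HijackThis appends " (file missing)" when the path no longer exists on disk.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>.*?) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


def basename(path):
    """Last path component, lower-cased, so SYSTEM32 and system32 compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_hjt(text):
    """Return one dict per O2/O20 line; every other HijackThis section is skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for section, rx in (("O2", O2_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                d = m.groupdict()
                entries.append({
                    "section": section,
                    "name": d["name"],
                    "clsid": d.get("clsid"),
                    "path": d["path"],
                    "missing": d["missing"] is not None,
                })
                break
    return entries


def find_bho_winlogon_pairs(entries):
    """DLLs registered both as a BHO (O2) and as a Winlogon Notify package (O20)."""
    bhos = {basename(e["path"]) for e in entries if e["section"] == "O2" and not e["missing"]}
    notify = {basename(e["path"]) for e in entries if e["section"] == "O20"}
    return sorted(bhos & notify)


def find_orphaned_bhos(entries):
    """(CLSID, path) of BHO entries whose DLL is gone: 'Fix checked' candidates."""
    return [(e["clsid"], e["path"]) for e in entries if e["section"] == "O2" and e["missing"]]


def find_vundo_pairs(files):
    """(dll, ini) pairs where the .ini name is the .dll stem spelled backwards."""
    names = {basename(f) for f in files}
    pairs = []
    for f in files:
        name = basename(f)
        if not name.endswith(".dll"):
            continue
        mirror = name[:-4][::-1] + ".ini"
        if mirror in names:
            pairs.append((name, mirror))
    return pairs


if __name__ == "__main__":
    found = parse_hjt(HJT_SAMPLE)
    print("BHO + Winlogon Notify on the same DLL:", find_bho_winlogon_pairs(found))
    print("Orphaned BHO entries:", find_orphaned_bhos(found))
    print("dll/ini mirror pairs:", find_vundo_pairs(VUNDOFIX_FILES))
```

Run it against a saved log by replacing HJT_SAMPLE with the file's contents; the pair check is the one worth acting on first, because a DLL that winlogon has loaded will survive any deletion attempt made from a normal session.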

TheBRAIN33
2006-11-09, 19:37
Hey, Phil...

I purged and reset my System Restore files as per your instructions and ran a Kaspersky total scan... no threats detected.. scan below:

Scan My Computer
----------------
Scanned: 200091
Detected: 0
Untreated: 0
Start time: 11/9/2006 1:20:32 PM
Duration: 00:35:20
Finish time: 11/9/2006 1:55:52 PM


Detected
--------
Status Object
------ ------


Events
------
Time Name Status Reason
---- ---- ------ ------
11/9/2006 1:20:32 PM Running module: smss.exe\smss.exe ok scanned
11/9/2006 1:20:32 PM File: C:\WINDOWS\System32\smss.exe ok iSwift
11/9/2006 1:20:32 PM Running module: smss.exe\ntdll.dll ok scanned
11/9/2006 1:20:32 PM File: C:\WINDOWS\system32\ntdll.dll ok iSwift
11/9/2006 1:20:32 PM Running module: csrss.exe\csrss.exe ok scanned
11/9/2006 1:20:32 PM File: C:\WINDOWS\system32\csrss.exe ok iSwift
11/9/2006 1:20:32 PM Running module: csrss.exe\ntdll.dll ok iChecker
11/9/2006 1:20:32 PM File: C:\WINDOWS\system32\ntdll.dll ok iSwift
11/9/2006 1:20:32 PM Running module: csrss.exe\CSRSRV.dll ok scanned
11/9/2006 1:20:32 PM File: C:\WINDOWS\system32\CSRSRV.dll ok iSwift
11/9/2006 1:20:32 PM Running module: csrss.exe\basesrv.dll ok scanned
11/9/2006 1:20:32 PM File: C:\WINDOWS\system32\basesrv.dll ok iSwift
11/9/2006 1:20:32 PM Running module: csrss.exe\winsrv.dll ok scanned
11/9/2006 1:20:32 PM File: C:\WINDOWS\system32\winsrv.dll ok iSwift


Statistics
----------
Object                Scanned  Detected  Untreated  Deleted  Moved to Quarantine  Archived  Compressed  Password protected  Corrupted
------                -------  --------  ---------  -------  -------------------  --------  ----------  ------------------  ---------
Total                  200091         0          0        0                    0      5182         298                 561          2
System Memory            1928         0          0        0                    0         0           0                   0          0
Startup Objects          2094         0          0        0                    0         6           8                   0          0
System Restore             37         0          0        0                    0         0           0                   0          0
Mailboxes                 970         0          0        0                    0       302           1                   0          0
All Hard Drives        195062         0          0        0                    0      4874         289                 561          2
All Removable Drives        0         0          0        0                    0         0           0                   0          0


Settings
--------
Name                              Value
----                              -----
Security Level                    Recommended
Action                            Prompt for action when the scan is complete
File types                        All
Scan new and changed files only   No
Scan archives                     All
Scan embedded OLE objects         All
Skip if object is greater than    No
Skip if scan takes longer than    No
Parse e-mail formats              No
Scan password-protected archives  No
Enable iChecker technology        Yes

Kaspersky tells me that we're clean !!

If the above passes your inspection, I'll assume I'm infection free and will diligently follow the advice in the links you sent me for remaining clean.

I'll chase that missing XP file; you've got other clients that need your help, and if they're in as deep as I was they'll be glad for your guidance. If I come up absolutely hopeless for fixing my safe mode, I'll shoot you an e-mail.

Can't thank you guys enough, seriously. Phil, you've been a gentleman and a scholar and I thank you and the S&D team for being available to help.

If you ever find yourself on my little Island in the Atlantic I owe you a beer, drink, tea, coffee whatever suits your fancy.

I'll be singing your praises for a long time to come. :laugh:

See you on-line sometime !

Jeff

pskelley
2006-11-09, 19:43
Sounds good Jeff, you be careful...it is a cyber-jungle out there. If I spot any information about safe-mode repair, I will send it along.

tashi:) can close this topic when time permits.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.