im new here hope im doing this right, sorry if not

[letters4jeff]

i have what i think is called the project1 virus/malware on my computer. it showed up either through msn messenger or i read somewhere else it can be a pop up from a site called porntube. i have sent a logfile done today from hi jack this, i recognize some of the files as being bad because i read about them when i was trying to find info about this virus but i dont know what to delete. any help would sure be appreciated. thank you...........jeff

 

[pskelley]

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

If you want help, follow these directions:

1) Read the instructions posted above and pinned (sticky) to the top of this forum.

All logs should be copy/pasted into topic and not attached unless requested by helper in that format.

2) LimeWire <<< File Sharing, otherwise known as Peer To Peer. (P2P)
http://forums.spybot.info/showthread.php?t=282

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.

Uninstall all file sharing programs.

3) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

4) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Post only the C:\rapport.txt

Thanks

 

[letters4jeff]

my scan report from smithfraud

SmitFraudFix v2.345

Scan done at 13:08:20.45, Thu 09/04/2008
Run from C:\Documents and Settings\Brooke\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brooke


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brooke\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Brooke\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Applications\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{cac60ee7-ebe0-4082-be2a-3abf704b7af0}"="glycosulfatase"

[HKEY_CLASSES_ROOT\CLSID\{cac60ee7-ebe0-4082-be2a-3abf704b7af0}\InProcServer32]
@="C:\WINDOWS\system32\wighg.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{cac60ee7-ebe0-4082-be2a-3abf704b7af0}\InProcServer32]
@="C:\WINDOWS\system32\wighg.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VM Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 24.247.15.53
DNS Server Search Order: 24.247.24.53

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F8CE2656-255D-4D88-A7BE-68B2A609D32E}: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F8CE2656-255D-4D88-A7BE-68B2A609D32E}: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F8CE2656-255D-4D88-A7BE-68B2A609D32E}: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.247.15.53 24.247.24.53


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

 

[pskelley]

Thanks for returning your information, Smitfraudfix found the infection and it also found this:
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
After we clean, in the next C:\rapport.txt, there may be a very large hosts file (items starting with 127.0.0.1) and I do not need to see it. Edit (remove) it from the C:\rapport.txt before you post it.

Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Post the C:\rapport.txt and a new HJT log.

Thanks

 

[letters4jeff]

new smithfraud

here is the report after i deleted the billion and a half 127 filesSmitFraudFix v2.345

Scan done at 20:25:02.20, Thu 09/04/2008
Run from C:\Documents and Settings\Brooke\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brooke


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brooke\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Brooke\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VM Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 24.247.15.53
DNS Server Search Order: 24.247.24.53

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F8CE2656-255D-4D88-A7BE-68B2A609D32E}: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F8CE2656-255D-4D88-A7BE-68B2A609D32E}: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F8CE2656-255D-4D88-A7BE-68B2A609D32E}: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.247.15.53 24.247.24.53


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

 

[pskelley]

here is the report after i deleted the billion and a half 127 filesSmitFraudFix v2.345

All you had to do was highlite them all with your mouse and hit the delete key?

You must read the instructions and follow them if we are to continue!

Clean: Reboot your computer in Safe Mode

Scan done at 20:25:02.20, Thu 09/04/2008
Fix run in normal mode

Post the C:\rapport.txt and a new HJT log.

 

[letters4jeff]

ok i think i did that right, here is the hijack this scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:58:14, on 9/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe (User 'Default user')
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1187272160125
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

--
End of file - 4474 bytes

 

[letters4jeff]

how do i...

all the 127 files or whateevr they are, how can i delete thos like you say without deleting the rest of the scan results? sorry im not good with computers, im learning but if i was i would have this problem maybe. what are all thos files? how did they get there? is that a normal thing? and how can i prevent this whole deal from happenning again, i have had spybot, hijack this and rising antivirus and avast for yrs before this happenned how did it get past all that?

 

[pskelley]

Listen up, remote repairs like this are not the easiest thing to do and you are struggling with basic computing directions.

I need the HJT log posted in normal mode and you have posted it in:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:58:14, on 9/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode

I need the Smitfraudfix clean function run in Safe Mode and the Hosts file items edited out of the report before you post it.

You will need to get someone with more computer experience to help with this if we are to proceed. As sorry as I feel for you being infected by hackers through no fault of your own, I can not teach computering 101, that is not my "volunteer" job.

Thanks

 

[letters4jeff]

hjt log in normal mode

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:55:09, on 9/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe (User 'Default user')
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1187272160125
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

--
End of file - 5925 bytes

 

[letters4jeff]

smith lof, safe mode

SmitFraudFix v2.345

Scan done at 0:00:35.29, Sat 09/06/2008
Run from C:\Documents and Settings\Brooke\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Brooke\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brooke


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brooke\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Brooke\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F8CE2656-255D-4D88-A7BE-68B2A609D32E}: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F8CE2656-255D-4D88-A7BE-68B2A609D32E}: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F8CE2656-255D-4D88-A7BE-68B2A609D32E}: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.247.15.53 24.247.24.53


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

there ya go, sorry for asking questions, i just wanted some simple info on what this all is and how to prevent it. so i dont have to bother you again, ok

 

[letters4jeff]

smitfraud rapport cleaned and run in safe mode

SmitFraudFix v2.345

Scan done at 0:16:52.65, Sat 09/06/2008
Run from C:\Documents and Settings\Brooke\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts





»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F8CE2656-255D-4D88-A7BE-68B2A609D32E}: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F8CE2656-255D-4D88-A7BE-68B2A609D32E}: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F8CE2656-255D-4D88-A7BE-68B2A609D32E}: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.247.15.53 24.247.24.53
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.247.15.53 24.247.24.53


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

 

[pskelley]

i just wanted some simple info on what this all is and how to prevent it. so i dont have to bother you again, ok

Before we finish I will provide information from malware/security experts that should answer all of your questions, and it is certainly not a bother. Being a volunteer, if it were I would not do it.

In my first instructions, #3 I asked this:

disable TeaTimer and (leave TT disabled until we finish)

In this HJT log: Scan saved at 23:55:09, on 9/5/2008
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Rising\Rav\Ravmon.exe <<< can you assure me this is a valid, safe program.

Remove (delete) Smitfraudfix from your computer.

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Tell me now how the computer is running, any malware issues?

Thanks

 

[letters4jeff]

log file for malware scan

Malwarebytes' Anti-Malware 1.26
Database version: 1119
Windows 5.1.2600 Service Pack 3

9/6/2008 12:17:13 PM
mbam-log-2008-09-06 (12-17-13).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 95941
Time elapsed: 51 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 14
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\x123.x123mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\x123.x123mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{176d799e-6c8c-4d1a-8024-044d96a035e2} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\WinSecureAv (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Config (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Engines (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Engines\AWBase (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Engines\AWBase\database (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Engines\PGBase (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Engines\plugins (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Graphics (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\LA (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Up (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\AAV (Rogue.AdvancedAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\120237 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brooke\Local Settings\Temp\NI.UGA6P_0001_N122M2802 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{7AAF2E54-26E2-4CF4-ACD7-01709D1A0B68}\RP95\A0029162.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\al.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\unins000.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Config\pgs.xml (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Dat\Activate.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Dat\BkSites.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Dat\bnlink.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Dat\cd.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Dat\incmp.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Dat\index.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Dat\pv.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Engines\AWBase\vbpv.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Engines\AWBase\database\enemies.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Engines\PGBase\vbpv.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Engines\plugins\vbpv.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Graphics\cross.gif (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Graphics\ga6p.gif (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Graphics\kb.url (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Graphics\Online.url (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Graphics\rm.url (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Graphics\Support.url (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\LA\lapv.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\LA\License.rtf (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Up\ASupdater.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Up\PGupdater.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Up\UBupdater.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Up\up.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\WinSecureAv\Up\updater.dat (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brooke\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brooke\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brooke\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brooke\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.

 

[letters4jeff]

latest hjt scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:22, on 9/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Rhapsody\rhapsody.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rhapsody\rhaphlpr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe (User 'Default user')
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1187272160125
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

--
End of file - 6018 bytes

 

[letters4jeff]

wow

that malware scan found 50 infected objects! i think things should be ok now, i am going to restart and see, this is only a temporary computer i am borrowing from my parents because the graphics card went out on mine but with this one, they bought at a employee sale at the local hospitol my dad works at so had no idea about the history of it and their teenage grand daughter downloads things with it so hopefully things are good now. about the rising anti virus program i use, its a chinese program that i had installed way before all this happenned, its highly recommended on alot of sites, like pc world and a few other sites, its worked great so far, better than avast which i also use. but any recommendations you have i am willing to try. thanks

 

[pskelley]

OK, and I give up asking you to disable Teatimer:sad:

Clean infected System Restore files:
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

 

[letters4jeff]

ok well...

i thought i disabled tea timer along time ago, so i had no idea it was still on, but i still have problems. when i restart i get a balloon message that says "your computer is at risk, no firewall turned on" it looks fake, not a windows program. also if i try to search using the mozzilla firefox toolbar (google) it says "failed to connect" and the url is internetsearchservice anyway i have been so busy the last few days and i have to leave for a wedding im in soon, i will have to work on it more tommorrow. i will disable tea timer again, i dont know what that even does. thanks for your patience.

 

[pskelley]

I have had probelms getting you to follow directions from the beginning, you never bothered reading them before you posted to start with. When you are ready to follow directions and have the time to work on this cleanup, then follow these directions, but not before. There are other folks waiting for help.

1) Follow these directions if you have no other firewall running on the computer.
http://www.microsoft.com/windowsxp/using/networking/security/winfirewall.mspx


2) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

3) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop

• Double click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

 

[letters4jeff]

tea timer

i turned off tea timer just like you said (i did it early on like you said too) but then i rebooted and checked it again to see if it was still on and it was on again, so i turned it off again and it should still be off, as for combo fix, i have never downloaded or used it at all, so it should not be on this computer (unless you saw it on a logfile and i dont know it) i will have to do the rest tommorrow. sorry ive been keeping you so busy, and i appreciate your time.