Tabbydaze, posted February 15, 2007

I don't know what the problem is, but recently I have noticed bad RAM lag and I can't get Ad-Aware or ewido to open; I installed Spybot but can't open it. Somehow I got Ad-Aware to stay open after reinstalling today, not sure how, but now I can't get it open again. When I scanned, it showed some threats; removed and rebooted, and can't get it open again. Any help would be AWESOME, I'm freaking out. (Also curious what makes a PC make that loud noise, like a fan is going 100 mph in there or something. Noticed this recently and have heard that a time or two in the past.)

Here's my log. Thanks so much to anyone who can help me.

Logfile of HijackThis v1.99.1
Scan saved at 3:40:14 PM, on 2/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\STOPzilla!\SZQuarantine.exe
C:\Program Files\HijackThis.exe

O2 - BHO: ZILLAbar BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\ZB2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
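The log above contains the single entry that decides this thread: a Run key named "Windows LSASS Service" that launches a file called svchost.exe from under Program Files, and the same path sitting in the running-process list. The real svchost.exe and lsass.exe only ever live in the Windows directory, so a system binary's name in any other folder is a masquerade worth pulling for analysis before anything else. The script below is an added example, not part of the original thread and not a HijackThis feature: it parses a HijackThis log and flags exactly that pattern in both the "Running processes" section and the O4 Run-key entries. The sample lines are copied from the posted log; the set of protected names and of trusted directories is this example's assumption (a 32-bit XP install with C: as the system drive).

```python
"""Scan a HijackThis log for executables that borrow a Windows system binary's
name while living outside the Windows directory.

Added example; it is not part of the original thread and not a HijackThis
feature. The sample lines are copied from the log posted above; the list of
protected names and trusted directories is this example's assumption."""
import ntpath
import re
from dataclasses import dataclass

# Names that belong only to Windows itself. The same name under Program Files
# (as with the DAO\svchost.exe entry in the posted log) is a masquerade.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
    "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe",
}
# Directories where those names are legitimate on a 32-bit XP install
# (lower-cased, trailing backslash). Assumption: C: is the system drive.
TRUSTED_DIRS = {"c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\"}

# O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# A bare path in the "Running processes" section
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # "process" (Running processes list) or "O4" (Run key)
    path: str    # executable path as written in the log
    reason: str


def exe_from_command(cmd):
    """Extract the executable from a Run-key command line.

    Handles a quoted path followed by arguments and an unquoted 8.3 path
    followed by arguments (C:\\PROGRA~1\\...\\avgcc.exe /STARTUP).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def is_masquerade(path):
    """True when the basename is a protected system name but the directory is not trusted."""
    name = ntpath.basename(path).lower()
    if name not in SYSTEM_BINARIES:
        return False
    directory = ntpath.dirname(path).lower() + "\\"
    return directory not in TRUSTED_DIRS


def analyze(log_text):
    """Return a Finding for every process or O4 entry that masquerades as a system binary."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = exe_from_command(m.group("cmd"))
            if is_masquerade(exe):
                findings.append(Finding("O4", exe,
                    f"{m.group('hive')} Run entry [{m.group('name')}] starts a "
                    f"system-named binary outside the Windows directory"))
            continue
        if PROCESS_RE.match(line) and is_masquerade(line):
            findings.append(Finding("process", line,
                "running process uses a system binary name outside the Windows directory"))
    return findings


# Excerpt of the HijackThis log posted in this thread (copied, not constructed).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.kind}] {f.path}\n    {f.reason}")
```

Run against the excerpt, the only hits are the two DAO\svchost.exe entries; the genuine svchost.exe instances under C:\WINDOWS\system32 and Explorer.EXE under C:\WINDOWS pass. The check is deliberately path-based and case-insensitive, since HijackThis prints paths exactly as the registry and process list hold them (mixed case, 8.3 short names).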
Matt, posted February 16, 2007

Hello Tabbydaze.

Please go HERE to run Panda's ActiveScan:
- Once you are on the Panda site, click the Scan your PC button.
- A new window will open; click the Check Now button.
- Enter your Country.
- Enter your State/Province.
- Enter your e-mail address and click Send.
- Select either Home User or Company.
- Click the big Scan Now button.
- If it wants to install an ActiveX component, allow it.
- It will start downloading the files it requires for the scan (Note: it may take a couple of minutes).
- When the download is complete, click on My Computer to start the scan.
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the ActiveScan report.
Tabbydaze, posted February 16, 2007

Here's the scan. Thank you.

Incident | Status | Location
Adware:adware/securityerror | Not disinfected | C:\Documents and Settings\Johnston Family\Favorites\Antivirus Test Online.url
Adware:adware/bookedspace | Not disinfected | c:\windows\CFGMGR52.INI
Adware:adware/maxifiles | Not disinfected | c:\program files\common files\Download
Virus:Trj/Multidropper.BED | Disinfected | C:\WINDOWS\SYSTEM32\Setup8823.exe
Spyware:Cookie/PointRoll | Not disinfected | C:\WINDOWS\TEMP\ZLT008c1.TMP
Adware:Adware/PestTrap | Not disinfected | C:\Documents and Settings\Johnston Family\Local Settings\Temporary Internet Files\Content.IE5\LZRJDL0E\aprotectedpage[1].htm
Spyware:Cookie/WebtrendsLive | Not disinfected | C:\Documents and Settings\Johnston Family\Cookies\johnston [email protected][1].txt
Matt, posted February 16, 2007

Please post back with a new HJT log, and give me an update on the symptoms you are now experiencing.
Tabbydaze, posted February 16, 2007

Still losing RAM, and I just tried again to open Ad-Aware; it pops up, but I don't get a chance to hit Scan before it's gone. Trend Micro scanned a trojan, and after 3 scans it was still coming back with stuff.

Logfile of HijackThis v1.99.1
Scan saved at 8:55:55 PM, on 2/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O2 - BHO: ZILLAbar BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\ZB2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
Matt, posted February 16, 2007

Please go here to upload a suspicious file for analysis:
- Enter your username from this forum.
- Copy and paste the link to this thread.
- Browse for this filename: C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
- In the comments, please mention that I asked you to upload this file.
- Click on Send File.

Open HijackThis, click Config, click Misc Tools:
- Click "Open Uninstall Manager".
- Click "Save List" (generates uninstall_list.txt).
- Click Save, then copy and paste the results in your next post.

Download GMER from here: http://www.gmer.net/files.php
- Unzip it to the desktop.
- Open the program and click on the Rootkit tab.
- Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
- Click on Scan.
- When the scan has run, click Copy and paste the results (if any) into this thread.

So, post back with the Uninstall List and the GMER Report.

Matt
Tabbydaze, posted February 16, 2007

OK, here is the HJT uninstall list:

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Avance AC'97 Audio
AVG Free Edition
Camera Driver
CompuApps SwissKnife V3
Digital Camera
ewido anti-malware
Free Ram Optimizer XP 1.0
Google Toolbar for Internet Explorer
GTK+ 2.8.9 runtime environment
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Icatch(IV) Camera Driver
iTunes
J2SE Runtime Environment 5.0 Update 6
Lexmark Z600 Series
LimeWire 4.12.6
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Panda ActiveScan
Photo Explosion SE 2.0
Picturetrail Photo Editor 1.6.8
QuickTime
RealPlayer
Registry Mechanic 5.1
Security Task Manager 1.7
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB929969)
STOPzilla!
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2006
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Veo Stingray
Viewpoint Media Player
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Support Tools
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Uninstall
WinZip
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool
ZoneAlarm

Here is GMER:

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-15 22:07:23
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ B0, BE, 06, F5, C0, 26, 07, ... ]
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ B0, BE, 06, F5, C0, 26, 07, ... ]

---- Devices - GMER 1.0.12 ----
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D4185A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D4185A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D4185A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D4185A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D4185A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F507DA80] vsdatant.sys

---- EOF - GMER 1.0.12 ----
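A GMER report like the one above is only alarming if the hooks cannot be explained. Here every SSDT hook is owned by vsdatant.sys (the ZoneAlarm TrueVector driver) and every TCP/IP device hook by vsdatant.sys or avgtdi.sys (the AVG network filter), both of which match products visible in the HijackThis log, which is why the helper moved on without treating it as a rootkit. The script below is an added example, not part of the thread and not a GMER feature: it groups the hooks by owning driver, compares them with an allowlist of drivers that are expected to hook on this machine, and lists separately anything GMER reports as an inline kernel code patch, which it cannot attribute to a module. The sample lines are copied from the report above, plus one constructed SSDT line for a hypothetical driver (example_unknown.sys) so that the unattributed path is exercised; the allowlist itself is this example's assumption.

```python
"""Group the hooks GMER reports by owning driver and single out anything not on
an allowlist of known security-product drivers.

Added example, not part of the original thread or of GMER itself. The sample
report lines are copied from the GMER output posted above, plus one constructed
line for a hypothetical driver (example_unknown.sys). The allowlist is this
example's assumption, not a GMER feature."""
import re
from collections import defaultdict

# Drivers expected to hook the SSDT / TCP/IP stack on this machine, attributed
# from the products visible in the HijackThis log (assumption).
KNOWN_HOOKING_DRIVERS = {
    "vsdatant.sys": "ZoneAlarm TrueVector (Zone Labs)",
    "avgtdi.sys": "AVG TDI network filter (Grisoft)",
}

# SSDT <module path> <Zw function>
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)$")
# Device <driver object> <device object> <IRP major> [<handler address>] <module>
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\\Driver\\\S+)\s+(?P<device>\\Device\\\S+)\s+"
    r"(?P<irp>IRP_MJ_\w+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)$"
)
# .text <symbol> + <offset> <address> <n> Bytes [ ... ]  (inline kernel patch)
TEXT_RE = re.compile(
    r"^\.text\s+(?P<symbol>\S+)\s+\+\s*(?P<offset>\w+)\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<count>\d+)\s+Bytes"
)


def summarize_hooks(report):
    """Return {driver_basename: {"ssdt": [Zw functions], "irp": ["\\Device\\X IRP_MJ_Y", ...], "known": label or None}}."""
    hooks = defaultdict(lambda: {"ssdt": [], "irp": [], "known": None})
    for raw in report.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            module = m.group("module").rsplit("\\", 1)[-1].lower()
            hooks[module]["ssdt"].append(m.group("func"))
            continue
        m = DEVICE_RE.match(line)
        if m:
            module = m.group("module").lower()
            hooks[module]["irp"].append(f"{m.group('device')} {m.group('irp')}")
    for module, info in hooks.items():
        info["known"] = KNOWN_HOOKING_DRIVERS.get(module)
    return dict(hooks)


def unattributed_hookers(report):
    """Drivers hooking the kernel that are not on the allowlist; these need a file lookup."""
    return sorted(m for m, info in summarize_hooks(report).items() if info["known"] is None)


def inline_kernel_patches(report):
    """(symbol, patched byte count) for each kernel code-section modification GMER found."""
    matches = (TEXT_RE.match(l.strip()) for l in report.splitlines())
    return [(m.group("symbol"), int(m.group("count"))) for m in matches if m]


# Excerpt of the GMER report posted in this thread, plus one constructed line
# (example_unknown.sys, hypothetical) to exercise the unattributed path.
SAMPLE_GMER = r"""
---- System - GMER 1.0.12 ----
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT \SystemRoot\System32\drivers\example_unknown.sys ZwQueryDirectoryFile
---- Kernel code sections - GMER 1.0.12 ----
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ B0, BE, 06, F5, C0, 26, 07, ... ]
---- Devices - GMER 1.0.12 ----
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D4185A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F507DA80] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D4185A] avgtdi.sys
---- EOF - GMER 1.0.12 ----
"""

if __name__ == "__main__":
    for module, info in summarize_hooks(SAMPLE_GMER).items():
        label = info["known"] or "UNKNOWN - look this file up"
        print(f"{module}: {len(info['ssdt'])} SSDT hooks, {len(info['irp'])} IRP hooks ({label})")
    print("unattributed:", unattributed_hookers(SAMPLE_GMER))
    print("inline kernel patches:", inline_kernel_patches(SAMPLE_GMER))
```

The allowlist is per machine: a driver belongs on it only when the product it comes from is actually installed, so the right workflow is to build it from the O23 services and running processes in the HijackThis log rather than from a fixed list of "good" names. The inline patch of ntoskrnl.exe is reported separately because GMER gives no owning module for it; firewall and antivirus products of that era did patch kernel code, but it is the one line in this report that cannot be cleared by name alone.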
Matt, posted February 16, 2007

Welcome back.

The file I had you submit turned out to be a keylogger. This means that it is quite likely that a 3rd party has personal information of yours, such as usernames, passwords, etc. Once we are clean, I would highly advise you to change all of your passwords. I would also advise you to keep a close eye on any bank/credit card/PayPal/eBay etc. accounts that could be compromised.

Please scan with HJT and place a check next to the following item:
O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
Then make sure all browser windows and other applications are closed, and click the Fix Checked button.

Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download. Save it to your desktop.
- Please double-click Killbox.exe to run it.
- Select: Delete on Reboot, then click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
- If your computer does not restart automatically, please restart it manually.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

When done, post back with a new HJT log and an update on your symptoms.

Matt
Tabbydaze, posted February 17, 2007

Hi. I can open Ad-Aware now, and the scan shows some junk; also STOPzilla is showing some stuff at startup. Trend Micro shows stuff every scan (did 3). Memory is still low. Here's the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 6:05:13 PM, on 2/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

O2 - BHO: ZILLAbar BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\ZB2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
Matt, posted February 17, 2007

It looks like you are just about clean. The RAM issue you are experiencing could be unrelated to malware.

Please run the F-Secure Online Scanner.
Note: This scanner is for Internet Explorer only!
- Follow the instructions here for installation.
- Accept the License Agreement.
- Once the ActiveX installs, click Full System Scan.
- Once the download completes, the scan will begin automatically.
- The scan will take some time to finish, so please be patient.
- When the scan completes, click the Automatic cleaning (recommended) button.
- Click the Show Report button and copy and paste the entire report in your next reply.

Matt
Tabbydaze, posted February 18, 2007

Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
--------------------------------------------------------------------------------
Result: 2 malware found
Possible Browser Hijack attempt (spyware) - System (Disinfected)
W32/Smalldrp.GOJ (virus) - C:\WINDOWS\UNINST123.EXE (Submitted)
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 32366
System: 5975
Not scanned: 2
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 1
Submitted: 1
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
--------------------------------------------------------------------------------
Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-02-14
F-Secure AVP: 7.0.171, 2007-02-17
F-Secure Orion: 1.2.37, 2007-02-16
F-Secure Blacklight: 1.0.53, 0000-00-00
F-Secure Draco: 1.0.35, 2007-02-09
F-Secure Pegasus: 1.19.0, 2007-01-12
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics
Matt, posted February 18, 2007

Please download FileFind from Atribune. Unzip the file and save it to your desktop.

To run FileFind, please do the following:
- Click on FileFind.exe.
- In the box labeled "Directory", enter C:\
- In the box labeled "File", enter UNINST123.EXE
- Now click on the "Search" button.
- Once the utility has found the files, click on "Export".
- A Notepad will open up. Please copy the entire contents of the Notepad and paste them here.
- NOTE: The Notepad is saved on your C:\ drive as "Export.txt".
Tabbydaze, posted February 19, 2007

C:\WINDOWS\uninst123.exe - 47030 Bytes
Matt, posted February 19, 2007

Please go here to upload a suspicious file for analysis:
- Enter your username from this forum.
- Copy and paste the link to this thread.
- Browse for this filename: C:\WINDOWS\uninst123.exe
- In the comments, please mention that I asked you to upload this file.
- Click on Send File.

Post back when you have done so, with an update on your symptoms. After the file is analyzed, we can continue.
Tabbydaze, posted February 20, 2007

OK, sent it in. The PC is still the same as in the beginning, except that I can open my antivirus scanners now; scans still pull junk. Thanks so much for helping on this.

Tab
Matt, posted February 21, 2007

OK Tabbydaze, the file was analyzed, and it appeared to be clean. Unfortunately, that doesn't help the situation you are currently in. Can you give me any information on what is coming up when you run scans? I am also going to have you run one more scan of mine.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
- Double-click ATF-Cleaner.exe to run the program.
- Under Main choose: Select All.
- Click the Empty Selected button.
- If you use the Firefox browser: click Firefox at the top and choose Select All, then click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- If you use the Opera browser: click Opera at the top and choose Select All, then click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- Click Exit on the Main menu to close the program.
For technical support, double-click the e-mail address located at the bottom of each menu.

Please do an online scan with Kaspersky WebScanner.
Note: this has to be run in Internet Explorer.
- Click on Kaspersky Online Scanner.
- You will be prompted to install an ActiveX component from Kaspersky; click Yes.
- The program will launch and then begin downloading the latest definition files. Once the files have been downloaded, click on NEXT.
- Now click on Scan Settings. In the scan settings, make sure that the following are selected:
  Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
  Scan Options: Scan Archives, Scan Mail Bases
- Click OK.
- Now under "Select a target to scan", select My Computer.
- The program will start and scan your system. The scan will take a while, so be patient and let it run.
- Once the scan is complete, it will display whether your system has been infected. Now click on the Save as Text button and save the file to your desktop.
- Copy and paste that information in your next post.

Post back with the Kaspersky log, and keep me updated on any issues your computer is still having.

Matt
Tabbydaze (Author) Posted February 21, 2007

Hi - Kaspersky Online Scanner isn't working for me, says something about license key. I'll spend a little time today doing more scans but seems that ad-aware picks a list of stuff up every time - trend micro showed stuff each scan as well - even after 3 scans. I haven't been able to get on here and work on it - will try more today and send report in later. Thanks so much! Here's the stopzilla scan below.....

Stopzilla scan -
Media-Codec (trojan)
hklm\software\microsoft\windows\currentversion\policies\explorer\run\rare
hklm\software\microsoft\windows\currentversion\policies\explorer\run\user32.dll
AntiVermins (rogue)
hklm\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\{2acf3add-34a1-4f2f-99cf-cc69785d1e90}
hklm\software\microsoft\windows\currentversion\shellserviceobjectdelayload\exemplars
MarketScore (spyware,adware)
c:\windows\systems32\bsd.exe
BrilliantDigital (adware)
c:\documents and settings\johnston family\local settings\temporary internet files\content.ie518bw3wr\oscan8[1].cab
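The Stopzilla scan above flags entries under three autostart locations (Policies\Explorer\Run, SharedTaskScheduler and ShellServiceObjectDelayLoad). As an added example that is not part of the thread, this PowerShell script enumerates exactly those keys and resolves the CLSID entries to the DLL they load, so the flagged entries can be reviewed before anything is removed; it assumes PowerShell is available on the machine and is run from an elevated prompt.

```powershell
# Added example, not from the thread: list the autostart locations that the
# Stopzilla scan reported, so each entry can be reviewed before removal.
# Assumes an elevated PowerShell prompt on the affected machine.

$locations = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

foreach ($key in $locations) {
    if (-not (Test-Path $key)) { continue }
    Write-Host "== $key"
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... note properties PowerShell adds
        if ($prop.Name -like 'PS*') { continue }
        $name  = $prop.Name
        $value = [string]$prop.Value

        # SharedTaskScheduler keys the CLSID by value name; SSODL stores the
        # CLSID as value data. Either way, resolve it to the DLL that gets loaded.
        $clsid = if ($name -match '^\{[0-9A-Fa-f-]+\}$') { $name }
                 elseif ($value -match '^\{[0-9A-Fa-f-]+\}$') { $value }
                 else { $null }

        if ($clsid) {
            $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
            $dll = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' }
                   else { '<no InProcServer32 registered>' }
            Write-Host ("{0} = {1} -> {2}" -f $name, $value, $dll)
        } else {
            # Policies\Explorer\Run holds command lines; ones that do not point
            # into System32 deserve a closer look (the scan's "rare" and
            # "user32.dll" entries live here).
            $flag = if ($value -notmatch '\\windows\\system32\\') { ' [outside System32]' } else { '' }
            Write-Host ("{0} = {1}{2}" -f $name, $value, $flag)
        }
    }
}
```

Compare the printed DLL and command paths against the Stopzilla findings; a CLSID with no registered InProcServer32 or a Run entry pointing at a temp or profile folder is the kind of thing to hand back to the helper before deleting.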
Tabbydaze (Author) Posted February 21, 2007

Ok, guess I won't scan, I'm back to not being able to open scanners. UGH. Can I scan in safe mode maybe? I'm not sure which way to go now.....
Matt Posted February 21, 2007

Alright, what you gave me has helped a lot! Let's continue!

Jotti File Submission:
Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
c:\windows\systems32\bsd.exe
- Click on the submit button
- Please post the results in your next reply.

Please double-click Killbox.exe to run it.
Select: Delete on Reboot then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
c:\documents and settings\johnston family\local settings\temporary internet files\content.ie518bw3wr\oscan8[1].cab
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please download SmitfraudFix (by S!Ri) to your Desktop.
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Finally, post back with the Jotti Results, and the SmitFraudFix Report.

Matt
Tabbydaze (Author) Posted February 23, 2007

Hi - can you re-lead me somehow - copied that into jotti's, won't open - have no clue where killbox is --- I'm so overwhelmed at this point that I am in tears... seems I recall using killbox in the start of this? but at this point I am lost.
Tabbydaze (Author) Posted February 23, 2007

Here is the smitfraud scan.

SmitFraudFix v2.144

Scan done at 17:28:22.79, Thu 02/22/2007
Run from C:\Documents and Settings\Johnston Family\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\migicons.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Johnston Family

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Johnston Family\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JOHNST~1\FAVORI~1

C:\DOCUME~1\JOHNST~1\FAVORI~1\Antivirus Test Online.url FOUND !
C:\DOCUME~1\JOHNST~1\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
Matt Posted February 23, 2007

Alright, no worries. Don't worry about Killbox right now, if we need we can go back to it later. Let's go on ahead.

Since you said Jotti wasn't working, we can submit the file to be personally analyzed like the others.
Please go here to upload a suspicious file for analysis.
Enter your username from this forum
Copy and paste the link to this thread
Browse for this filename: c:\windows\systems32\bsd.exe
In the comments, please mention that I asked you to upload this file
Click on Send File

Next:
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.

Finally, post back with this new SmitFraudFix log, along with a new Stopzilla scan if you can.

Matt
Tabbydaze (Author) Posted February 23, 2007

I can't find this file - c:\windows\systems32\bsd.exe
Here is the smitfraud. Thank you so much for all the help.

SmitFraudFix v2.144

Scan done at 12:15:27.73, Fri 02/23/2007
Run from C:\Program Files\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\migicons.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
Tabbydaze (Author) Posted February 23, 2007 (edited)

Here is a jotti's scan of windows/uninst123.exe.

Service load: 0% 100%
File: uninst123.exe
Status: INFECTED/MALWARE
MD5 6190e66131f6740b3c616b1839da5342
Packers detected: -

Scanner results
Scan taken on 23 Feb 2007 19:50:56 (GMT)
AntiVir Found ADSPY/DigInk.F adware
ArcaVir Found nothing
Avast Found Win32:Trojan-gen. {Other}
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found Adware/DigInk
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found W32/Smalldrp.GOJ
VirusBuster Found nothing
VBA32 Found nothing

Edited February 23, 2007 by Tabbydaze
Matt Posted February 24, 2007

Alright, let's try again with Killbox.

Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select: Delete on Reboot then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\uninst123.exe
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Then, please post back a new Stopzilla Scan if possible.

Matt