stain Posted December 11, 2007

Yo, here's what happened to the best of my knowledge. I leave my browser open at night so I can pick up where I left off the next day. Well, Saturday morning I got up and there were 44 Internet Explorer pages up, and I'm a Firefox user. So I closed the group down, but I still got these "click here to download this program to protect your computer" pop-ups, and I may have clicked OK accidentally a few times in my rush to close them down, so now I've got three icons I can't get rid of called "Error Cleaner, Privacy Protector, and Spyware&Malware Protection." Also I have this XP Antivirus 2007, which I did not install, and I did some research and it apparently uses some trojan to install itself, and since then I have these pop-ups saying, "Windows has detected an Internet attempt... etc. etc. click here to download spyware remover for total protection". I'm also getting pop-ups for some worm.win32.skynet and I have to click OK to get software to remove it. I know XP Antivirus tries to scare you into buying their product, so help in getting rid of all this is much appreciated.
Here's the HijackThis log file.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:39:43 AM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\XP Antivirus\xpa.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kathryn\My Documents\hiJackthis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: OFK System - {2B159383-78BB-4D21-A799-95AABC81ACED} - C:\WINDOWS\vipextmst.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: The voipwet - {224E1433-F086-4BB1-B791-AF87F7629D93} - C:\WINDOWS\voipwet.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [XP Antivirus] C:\Program Files\XP Antivirus\xpa.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: jetctrl - {BB340898-ADF4-4A4F-8651-3D67EB937DBD} - C:\WINDOWS\jetctrl.dll
O21 - SSODL: kopmet - {CAB03AF9-DA15-41A3-845A-0AAD2F0ECD59} - C:\WINDOWS\kopmet.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

--
End of file - 7055 bytes
rmurphy Posted December 12, 2007

Welcome to BestTechie! I'm Ryan, and I'll be helping you clean your log.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

-Ryan
stain (Author) Posted December 12, 2007

Here it is,

SmitFraudFix v2.265

Scan done at 3:07:26.34, Wed 12/12/2007
Run from C:\Documents and Settings\Kathryn\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\XP Antivirus\xpa.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\.protected FOUND !
C:\WINDOWS\jetctrl.dll FOUND !
C:\WINDOWS\kopmet.dll FOUND !
C:\WINDOWS\nretcip.exe FOUND !
C:\WINDOWS\vipext???.dll FOUND !
C:\WINDOWS\voipwet.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kathryn

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kathryn\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\Kathryn\STARTM~1\Programs\Startup\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Kathryn\FAVORI~1

C:\DOCUME~1\Kathryn\FAVORI~1\Error Cleaner.url FOUND !
C:\DOCUME~1\Kathryn\FAVORI~1\Privacy Protector.url FOUND !
C:\DOCUME~1\Kathryn\FAVORI~1\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\Kathryn\Desktop\Error Cleaner.url FOUND !
C:\DOCUME~1\Kathryn\Desktop\Privacy Protector.url FOUND !
C:\DOCUME~1\Kathryn\Desktop\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\RichVideoCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® 82566DC Gigabit Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 65.32.5.74
DNS Server Search Order: 65.32.5.75

HKLM\SYSTEM\CCS\Services\Tcpip\..\{73E9FABF-2291-4AC8-AF37-6BABF926612F}: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CS1\Services\Tcpip\..\{73E9FABF-2291-4AC8-AF37-6BABF926612F}: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CS2\Services\Tcpip\..\{73E9FABF-2291-4AC8-AF37-6BABF926612F}: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.74 65.32.5.75

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
rmurphy Posted December 12, 2007

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.

-Ryan
stain (Author) Posted December 18, 2007

YOSH! Here it is, XP Antivirus is still there though. Meh, I'll get that bugger eventually.

SmitFraudFix v2.265

Scan done at 1:53:26.18, Tue 12/18/2007
Run from C:\Documents and Settings\Kathryn\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\.protected Deleted
C:\WINDOWS\jetctrl.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{BB340898-ADF4-4A4F-8651-3D67EB937DBD}]
C:\WINDOWS\kopmet.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{CAB03AF9-DA15-41A3-845A-0AAD2F0ECD59}]
C:\WINDOWS\nretcip.exe Deleted
C:\WINDOWS\vipext???.dll Deleted
C:\WINDOWS\voipwet.dll Deleted
C:\DOCUME~1\Kathryn\STARTM~1\Programs\Startup\.protected Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected Deleted
C:\DOCUME~1\Kathryn\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\Kathryn\Desktop\Privacy Protector.url Deleted
C:\DOCUME~1\Kathryn\Desktop\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\Kathryn\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\Kathryn\FAVORI~1\Privacy Protector.url Deleted
C:\DOCUME~1\Kathryn\FAVORI~1\Spyware?Malware Protection.url Deleted
C:\Program Files\RichVideoCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{73E9FABF-2291-4AC8-AF37-6BABF926612F}: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CS1\Services\Tcpip\..\{73E9FABF-2291-4AC8-AF37-6BABF926612F}: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CS2\Services\Tcpip\..\{73E9FABF-2291-4AC8-AF37-6BABF926612F}: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.74 65.32.5.75

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
rmurphy Posted December 18, 2007

Please post a new HijackThis log and an uninstall list.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)

-Ryan
stain (Author) Posted December 18, 2007

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:11:40 PM, on 12/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\XP Antivirus\xpa.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kathryn\My Documents\hiJackthis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: OFK System - {2B159383-78BB-4D21-A799-95AABC81ACED} - C:\WINDOWS\vipextmst.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: The voipwet - {224E1433-F086-4BB1-B791-AF87F7629D93} - C:\WINDOWS\voipwet.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [XP Antivirus] C:\Program Files\XP Antivirus\xpa.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

--
End of file - 6578 bytes

and uninstall list:

Ad-Aware 2007
Add or Remove Adobe Creative Suite 3 Design Standard
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Design Standard
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Shockwave Player
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server {ko_KR}
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
Apple Mobile Device Support
Apple Software Update
Dell Resource CD
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Google Toolbar for Firefox
High Definition Audio Driver Package - KB835221
HijackThis 2.0.0
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Intel® PRO Network Connections Drivers
InterActual Player
iTunes
J2SE Runtime Environment 5.0 Update 4
Java 6 Update 2
Java 6 Update 3
LightWave 3D 9
LightWave 3D 9.2
LightWave 3D 9.3
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.11)
NVIDIA Drivers
PDF Settings
PowerDVD
QuickTime
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Sentinel Protection Installer 7.4.0
SigmaTel Audio
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
VeohTV BETA
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
rmurphy Posted December 18, 2007

Uninstall the following programs:
J2SE Runtime Environment 5.0 Update 4
Java™ 6 Update 2

Download ComboFix from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

-Ryan
stain Posted December 20, 2007 (Author)

> Uninstall the following programs:
> J2SE Runtime Environment 5.0 Update 4
> Java™ 6 Update 2
> Download ComboFix from one of the locations below, and save it to your Desktop.
> Link 1
> Link 2
> Link 3
> Double click combofix.exe and follow the prompts.
> When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
> Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
> -Ryan

ComboFix:

ComboFix 07-12-20.1 - Kathryn 2007-12-19 23:18:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.636 [GMT -5:00]
Running from: C:\Documents and Settings\Kathryn\Desktop\ComboFix.exe
 * Created a new restore point.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\.protected
C:\WINDOWS\dat.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\drivers\etc\.protected
.
((((((((((((((((((((((((( Files Created from 2007-11-20 to 2007-12-20 )))))))))))))))))))))))))))))))
.
2007-12-12 03:07 . 2007-12-18 01:53 1,408 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-12 03:06 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-12 03:06 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-12 03:06 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-12 03:06 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-12 03:06 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-10 12:14 . 2007-12-10 12:14 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-10 12:14 . 2007-12-10 12:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-10 12:13 . 2007-12-10 12:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-08 16:14 . 2007-12-08 16:14 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-08 01:19 . 2007-12-11 01:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-08 01:12 . 2007-12-11 01:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-08 00:54 . 2007-12-08 00:54 <DIR> d-------- C:\Program Files\XP Antivirus
2007-12-01 01:44 . 2007-12-01 01:44 <DIR> d-------- C:\Program Files\Veoh Networks
2007-11-29 14:03 . 2007-12-18 02:02 7,680 --ahs---- C:\WINDOWS\Thumbs.db
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-15 06:25 --------- d-----w C:\Program Files\Java
2007-12-01 06:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-29 19:03 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-29 19:03 --------- d-----w C:\Program Files\DivX
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 20:54 --------- d-----w C:\Program Files\iTunes
2007-11-07 20:54 --------- d-----w C:\Program Files\iPod
2007-11-07 20:53 --------- d-----w C:\Program Files\QuickTime
2007-11-03 05:06 --------- d-----w C:\Documents and Settings\Kathryn\Application Data\DivX
2007-11-03 05:06 --------- d-----w C:\Documents and Settings\Kathryn\Application Data\CyberLink
2007-11-03 05:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-11-03 05:04 --------- d-----w C:\Program Files\CyberLink
2007-11-03 05:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-02 05:37 --------- d-----w C:\Documents and Settings\Kathryn\Application Data\Apple Computer
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-10 18:54 1,251,624 ----a-w C:\WINDOWS\LightWave 3D 9.3 Uninstaller.exe
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-09-28 16:07 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-09-28 16:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B159383-78BB-4D21-A799-95AABC81ACED}]
C:\WINDOWS\vipextmst.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93}
{224E1433-F086-4BB1-B791-AF87F7629D93}
{0BF43445-2F28-4351-9252-17FE6E806AA0}

[HKEY_CLASSES_ROOT\clsid\{224e1433-f086-4bb1-b791-af87f7629d93}]
[HKEY_CLASSES_ROOT\voipwet.ToolBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{3BFD1271-3C03-4BA5-9893-F597A6CF85E8}]
[HKEY_CLASSES_ROOT\voipwet.ToolBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-11-30 16:31]
"XP Antivirus"="C:\Program Files\XP Antivirus\xpa.exe" [2007-12-08 00:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 15:00 C:\WINDOWS\stsystra.exe]
"NvCplDaemon"="RUNDLL32.exe" [2006-02-28 07:00 C:\WINDOWS\system32\rundll32.exe]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 15:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 02:01]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

R2 SentinelKeysServer;Sentinel Keys Server;"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe" [2007-04-27 00:00]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-05 20:50:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 23:20:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-19 23:20:48
.
2007-12-11 21:07:44 --- E O F ---

HijackThis:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:23:07 PM, on 12/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\XP Antivirus\xpa.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Kathryn\My Documents\hiJackthis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: OFK System - {2B159383-78BB-4D21-A799-95AABC81ACED} - C:\WINDOWS\vipextmst.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: The voipwet - {224E1433-F086-4BB1-B791-AF87F7629D93} - C:\WINDOWS\voipwet.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [XP Antivirus] C:\Program Files\XP Antivirus\xpa.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

--
End of file - 6579 bytes
rmurphy Posted December 20, 2007

Please read Grinler's guide to removing XP Antivirus here, and post a HijackThis log in this thread after you have followed the steps outlined in that post.

-Ryan
stain Posted December 21, 2007 (Author)

XP is gone. At the end of the steps they said to get scanned by Panda ActiveScan to check for more things, but to fully remove them you have to buy the software; ignore that part? Anyway, here's the log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:07:41 PM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kathryn\My Documents\hiJackthis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

--
End of file - 6007 bytes
rmurphy Posted December 21, 2007

Fix this entry using HijackThis:

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

Reboot, and post a new log.
How is the computer running?

-Ryan
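The entries rmurphy points at are the ones HijackThis marks "(file missing)" or "(no file)": registrations of a BHO or toolbar whose DLL has already been deleted. As an added example (not from the thread and not part of HijackThis or ComboFix), the Python below parses HijackThis entries, flags those orphaned registrations, cross-references the CLSIDs ComboFix listed under Reg Loading Points, and diffs the 12/19 and 12/20 logs to show what the removal guide cleaned up; the sample logs are constructed from entries posted in this thread, with the process list shortened.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# A HijackThis v2 entry is "<code> - <body>" (R0-R3, F0-F3, N1-N4, O1-O24);
# header lines, "Running processes:" paths and "End of file" do not match.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*\S)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis appends one of these when the referenced DLL/EXE no longer exists.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


@dataclass(frozen=True)
class Entry:
    section: str          # "R1", "O2", "O3", "O4", "O16", "O23", ...
    body: str             # everything after "Ox - "
    clsid: Optional[str]  # first {GUID} in the body, upper-cased, or None

    @property
    def orphaned(self) -> bool:
        return any(marker in self.body for marker in ORPHAN_MARKERS)


def parse_log(text: str) -> list[Entry]:
    """Return the HijackThis entries of a log, in file order."""
    entries: list[Entry] = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue
        section, body = match.groups()
        clsid = CLSID_RE.search(body)
        entries.append(Entry(section, body, clsid.group(0).upper() if clsid else None))
    return entries


def flag_orphans(entries: Iterable[Entry]) -> list[Entry]:
    """Entries whose backing file is gone; these are what a helper fixes first."""
    return [e for e in entries if e.orphaned]


def match_clsids(entries: Iterable[Entry], clsids: Iterable[str]) -> dict[str, list[Entry]]:
    """Cross-reference CLSIDs from another tool (here ComboFix) against the
    HijackThis entries; registry paths may print them in lower case."""
    wanted = {c.upper() for c in clsids}
    hits: dict[str, list[Entry]] = {c: [] for c in wanted}
    for e in entries:
        if e.clsid in wanted:
            hits[e.clsid].append(e)
    return hits


def diff_logs(before: list[Entry], after: list[Entry]) -> tuple[list[Entry], list[Entry]]:
    """(removed, added): entries only in the earlier log, and only in the later one."""
    before_set, after_set = set(before), set(after)
    removed = [e for e in before if e not in after_set]
    added = [e for e in after if e not in before_set]
    return removed, added


# Constructed sample input: entries copied from the 12/19 and 12/20 logs above
# (process list shortened; the rest of each log is unchanged between scans).
LOG_2007_12_19 = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Running processes:
C:\Program Files\XP Antivirus\xpa.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: OFK System - {2B159383-78BB-4D21-A799-95AABC81ACED} - C:\WINDOWS\vipextmst.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: The voipwet - {224E1433-F086-4BB1-B791-AF87F7629D93} - C:\WINDOWS\voipwet.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKCU\..\Run: [XP Antivirus] C:\Program Files\XP Antivirus\xpa.exe
End of file - 6579 bytes
"""

LOG_2007_12_20 = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""

# CLSIDs ComboFix listed under "Reg Loading Points" in the post above.
COMBOFIX_CLSIDS = (
    "{2B159383-78BB-4D21-A799-95AABC81ACED}",  # BHO -> vipextmst.dll
    "{224E1433-F086-4BB1-B791-AF87F7629D93}",  # toolbar -> voipwet.dll
    "{0BF43445-2F28-4351-9252-17FE6E806AA0}",  # toolbar with no file at all
)


def main() -> None:
    before, after = parse_log(LOG_2007_12_19), parse_log(LOG_2007_12_20)
    for e in flag_orphans(before):
        print(f"orphaned: {e.section} - {e.body}")
    for clsid, hits in match_clsids(before, COMBOFIX_CLSIDS).items():
        print(f"{clsid} -> {[h.section for h in hits]}")
    removed, added = diff_logs(before, after)
    print(f"removed: {[e.section for e in removed]}, added: {[e.section for e in added]}")


if __name__ == "__main__":
    main()
```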
stain Posted December 21, 2007 (Author)

Lots better. I don't have all that crap popping up all the time or my current window un-selecting itself; real annoying when I'm in Modeler/Layout and it did that. I still hear the start-up sound before the desktop shows, but it's still faster than before.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:17:58 PM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Kathryn\My Documents\hiJackthis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

--
End of file - 5930 bytes
rmurphy Posted December 21, 2007

One last scan, then I think you're all set.

== Clear Temporary Files ==

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Close all Internet Explorer, Firefox, and Opera windows before continuing.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

== Kaspersky Web Scanner ==

Please do an online scan with Kaspersky WebScanner. You will need to use Internet Explorer to do this.
Click on Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
- Scan Options: Scan Archives, Scan Mail Bases
Click OK.
Now under select a target to scan: Select My Computer.
The program will start and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button.
Save the file to your desktop.

== Request Logs ==

Please post the log from the Kaspersky scan.

-Ryan
stain Posted December 22, 2007 (Author)

Here it is,

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 22, 2007 1:18:11 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/12/2007
Kaspersky Anti-Virus database records: 491513
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 153836
Number of viruses found: 6
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 00:49:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Kathryn\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kathryn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kathryn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kathryn\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kathryn\Local Settings\Temp\BITE.tmp Object is locked skipped
C:\Documents and Settings\Kathryn\Local Settings\Temp\~DF73D0.tmp Object is locked skipped
C:\Documents and Settings\Kathryn\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kathryn\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kathryn\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Veoh Networks\Veoh\client.log Object is locked skipped
C:\Program Files\Veoh Networks\Veoh\upload.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP142\A0013651.exe/stream/data0004 Infected: Trojan-Downloader.Win32.Zlob.fco skipped
C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP142\A0013651.exe/stream Infected: Trojan-Downloader.Win32.Zlob.fco skipped
C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP142\A0013651.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP142\A0013652.exe/stream/data0004 Infected: Trojan-Downloader.Win32.Zlob.fco skipped
C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP142\A0013652.exe/stream Infected: Trojan-Downloader.Win32.Zlob.fco skipped
C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP142\A0013652.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP142\A0013653.exe/stream/data0004 Infected: Trojan-Downloader.Win32.Zlob.fco skipped
C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP142\A0013653.exe/stream Infected: Trojan-Downloader.Win32.Zlob.fco skipped
C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP142\A0013653.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP142\A0013659.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP145\A0014888.dll Infected: not-a-virus:AdWare.Win32.Vapsup.rs skipped
C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP145\A0014889.exe Infected: not-a-virus:AdWare.Win32.Vapsup.rz skipped
C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP148\A0014977.exe Infected: not-a-virus:FraudTool.Win32.XPAntivirus.d skipped
C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP150\A0015090.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP152\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\gnserv.dat Object is locked skipped
C:\WINDOWS\Temp\spnserv.dat Object is locked skipped
C:\WINDOWS\Temp\spserv.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked
skippedC:\WINDOWS\WindowsUpdate.log Object is locked skippedD:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skippedD:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP152\change.log Object is locked skippedF:\hiberfil.sys Object is locked skippedF:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skippedF:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP152\change.log Object is locked skippedF:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl Object is locked skippedScan process completed. Link to post Share on other sites
rmurphy Posted December 22, 2007
How is the computer working?
-Ryan
stain Posted December 22, 2007 Author (edited)
No weird crap is happening. Downloaded some protection stuff from the recommended list, so that slowed the desktop showing up at start-up a little bit more. But that won't be a problem once I get a new graphics card for my other computer and I can uninstall some of the programs I've put on this one.
Edited December 22, 2007 by bio_hazard
rmurphy Posted December 22, 2007
Congratulations, your log is clean.
For information on how to protect yourself in the future, read Infection Prevention.
Do you have any other questions or concerns? This thread will be left open for a few more days, so feel free to ask.
-Ryan
stain Posted December 22, 2007 Author
Avast found some stuff and I put it in the chest thing, what do I do with it?
rmurphy Posted December 23, 2007
Can you tell me what it found and where it was located?
-Ryan
stain Posted December 23, 2007 Author
Infected files
Name: Original location:
A0013651.exe C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP142
A0013652.exe C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP142
A0013653.exe C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP142
A0014888.dll C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP145
A0015987.dll C:\System Volume Information\_restore{E3B75538-F235-488D-A6AE-69E35517AB70}\RP152
pskavs.dll C:\WINDOWS\system32\ActiveScan
Virus (corresponding top to bottom):
Win32:zlob-AHQ[Trj]
Win32:zlob-AHQ[Trj]
Win32:zlob-AHQ[Trj]
Win32:Agent-LTS[trj]
Win32:CTX
Win32:CTX
System Files:
Name: Original location:
Kernel32.dll C:\WINDOWS\system32
winstock.dll C:\WINDOWS\system32
wsock.32dll C:\WINDOWS\system32
rmurphy Posted December 23, 2007
The first items (except for pskavs.dll, which is a false positive) are located in the system restore points. Let's clear those out now.
Go - Start>Programmes>Accessories>System Tools>System Restore>Create a New Restore point.
Go - Start>Programmes>Accessories>System Tools>Disc Cleanup>"More Options" Tab>Remove All But Most Recent Point.
Please do this for each hard drive that you have connected to the computer.
Kernel32.dll and winstock.dll are both legitimate system files.
Just to confirm, is that last file wsock32.dll, or wsock.32dll?
-Ryan
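Added example, not code from this thread or from any scanner vendor: a small Python triage that reads Kaspersky Online Scanner result lines of the kind posted above and separates detections that sit in System Restore points (inert copies, cleared by the Disk Cleanup steps) from detections in live locations that still need attention. The sample lines are constructed in the report's format, with a placeholder restore-point GUID and an invented live path.

```python
import re

# Constructed sample in Kaspersky Online Scanner report format (not the thread's log);
# the restore-point GUID is a placeholder and the last path is invented.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP142\A0013651.exe/stream/data0004 Infected: Trojan-Downloader.Win32.Zlob.fco skipped
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP142\A0013651.exe/stream Infected: Trojan-Downloader.Win32.Zlob.fco skipped
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP142\A0013651.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP148\A0014977.exe Infected: not-a-virus:FraudTool.Win32.XPAntivirus.d skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\constructed-example.dll Infected: not-a-virus:FraudTool.Win32.XPAntivirus.d skipped
"""

# One result line is "<object> <status> skipped"; the object may contain spaces and a
# "/stream/..." suffix naming a sub-object inside an archive or installer.
LINE_RE = re.compile(
    r"^(?P<obj>.+?) (?:Infected: (?P<det>\S+)|NSIS: infected - \d+|(?P<locked>Object is locked)) skipped$"
)
# XP System Restore keeps its copies under System Volume Information\_restore{...}\RPnnn\
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]*\}\\RP\d+\\", re.I)


def parse_report(text):
    """Return one record per result line, keyed to the on-disk file rather than the sub-object."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, separator and statistics lines
        records.append({
            "file": m.group("obj").split("/")[0],
            "detection": m.group("det") or ("NSIS container" if "NSIS:" in line else None),
            "locked": m.group("locked") is not None,
        })
    return records


def triage(records):
    """Split files into inert restore-point copies, files in live locations, and locked skips."""
    out = {"restore_point": [], "live": [], "locked": []}
    for r in records:
        if r["locked"]:
            bucket = "locked"
        elif RESTORE_RE.search(r["file"]):
            bucket = "restore_point"
        else:
            bucket = "live"
        if r["file"] not in out[bucket]:  # several sub-objects map to one file
            out[bucket].append(r["file"])
    return out
```

Anything that lands in the "live" bucket is a file outside the restore points and is what the log reader should look at first.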
stain Posted December 23, 2007 Author
LoL, wsock32.dll, sorry, typo. For the stuff that's legit, do I just select restore? How do I keep them from being detected again?
rmurphy Posted December 23, 2007
Wsock32.dll is also legitimate.
Windows should be replacing all of those legitimate files that avast is moving. You should be able to tell it to ignore those files.
You can also upload those files at http://www.uploadmalware.com and they will be sent to antivirus companies so they can fix their virus definitions.
-Ryan
stain Posted December 24, 2007 Author (edited)
So the pskavs.dll is okay even with Avast saying it has Win32:CTX (whatever that is)?
Edited December 24, 2007 by bio_hazard