pudgmo - Posted December 15, 2007

Hi,
I'm getting messages about having spyware when I start IE. The first one is a message box telling me I have W32.Myzor.FK@yf and wanting me to buy the removal tool. Then I get a balloon saying it found Trojan-Spy.Win32@mx and wanting me to buy the removal tool. Help!
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:14 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Video Add-on\icthis.exe
C:\Program Files\Video Add-on\isfmntr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Video Add-on\isfmm.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
H:\My Music\iTunes\iTunesHelper.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\QUICKEN2007\QWDLLS.EXE
D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
D:\Backup\Down Load\HJTInstall.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69B98C68-D2B8-4A4E-9CB7-E85B6F3A7014} - C:\Program Files\Video Add-on\isfmdl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: IE Custom Tools - {F2BADA0D-FD61-45EF-A994-64A073FD6613} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [showWnd] ShowWnd.exe
O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\My Music\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKEN2007\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKEN2007\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196101136996
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7052 bytes
Andro1d - Posted December 16, 2007

Hello and Welcome to BT. I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Please download SmitfraudFix (by S!Ri) to your Desktop.
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
pudgmo - Posted December 16, 2007

Quote: SmitfraudFix (by S!Ri) to your Desktop.

Thanks for helping MoNsTeR!
When I click on... http://siri.urz.free.fr/Fix/SmitfraudFix.exe
I get 'Internet Explorer cannot display webpage.'
I tried http://siri.urz.free.fr and clicked on smitfraudfix, same result.

Edit: BTW it has also hijacked my homepage to http://iesecurepages.com/redirect.php

Edit II: I ran the MS Malicious Software Removal Tool from http://www.microsoft.com/security/malwareremove/default.mspx
That seems to have gotten rid of the messages (and the hijack).
I re-ran HJT, here's the log.
Regards

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:16 AM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
H:\My Music\iTunes\iTunesHelper.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\QUICKEN2007\QWDLLS.EXE
D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
D:\Backup\Down Load\HJTInstall.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [showWnd] ShowWnd.exe
O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\My Music\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKEN2007\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKEN2007\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196101136996
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6500 bytes
Andro1d - Posted December 16, 2007

Hello,
If you have a different browser installed, try downloading it through it.
If not, try the following, then retry the download.

Download the HostsXpert 4.2 - Hosts File Manager.
Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
Run HostsXpert 4.2 - Hosts File Manager from its new home
Click on "File Handling".
Click on "Restore MS Hosts File".
Click OK on the Confirmation box.
Click on "Make Read Only?"
Click the X to exit the program.

Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
pudgmo - Posted December 16, 2007

Thanks,
I ran HostsXpert with all the steps. Same result with smitfraudfix. I also tried it with Firefox.

Edit: I shut down Zone Alarm and got smitfraudfix, here's the log.

SmitFraudFix v2.269

Scan done at 12:50:19.92, Sun 12/16/2007
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
H:\My Music\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\QUICKEN2007\QWDLLS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\wowlze.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Helper\ FOUND !
C:\Program Files\Video Add-on\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

!!!Attention, following keys are not inevitably infected!!!

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 205.171.3.65

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2D3F4D4E-306E-47F7-806B-7A969424972C}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2D3F4D4E-306E-47F7-806B-7A969424972C}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2D3F4D4E-306E-47F7-806B-7A969424972C}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
Andro1d - Posted December 18, 2007

Glad you got it to work!

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.
pudgmo - Posted December 18, 2007

Thanks!
I followed the steps. It didn't ask to replace wininet.dll, but it did launch Disk Cleanup 2X's??? Also it did remove my desktop background. Here are the results from rapport.txt...

SmitFraudFix v2.269

Scan done at 7:05:46.31, Tue 12/18/2007
Run from C:\Documents and Settings\Owner\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\wowlze.dll Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\Helper\ Deleted
C:\Program Files\Video Add-on\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2D3F4D4E-306E-47F7-806B-7A969424972C}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2D3F4D4E-306E-47F7-806B-7A969424972C}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2D3F4D4E-306E-47F7-806B-7A969424972C}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
Andro1d - Posted December 19, 2007

Hey,
Please download Deckard's System Scanner (DSS) to your desktop.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, a text file will open - Main.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread in the HijackThis Log Help Forum.
An additional text file, Extra.txt, will also be available (by default) in the following FOLDER, C:\Deckard\System Scanner.
Please go to that folder and also copy the contents of Extra.txt to your post as well.

Note: Some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
pudgmo - Posted December 20, 2007

Main.txt:

Deckard's System Scanner v20071014.68
Run by Owner on 2007-12-20 17:25:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
67: 2007-12-20 23:25:11 UTC - RP103 - Deckard's System Scanner Restore Point
66: 2007-12-20 16:19:21 UTC - RP102 - System Checkpoint
65: 2007-12-19 15:19:22 UTC - RP101 - System Checkpoint
64: 2007-12-18 14:41:51 UTC - RP100 - System Checkpoint
63: 2007-12-16 22:14:14 UTC - RP99 - System Checkpoint

-- First Restore Point --
1: 2007-09-22 00:15:46 UTC - RP37 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:27 PM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
H:\My Music\iTunes\iTunesHelper.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\QUICKEN2007\QWDLLS.EXE
D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
D:\Backup\Down Load\dss.exe
D:\Backup\DOWNLO~1\Owner.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [showWnd] ShowWnd.exe
O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\My Music\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKEN2007\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKEN2007\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196101136996
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5729 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PQV2i - c:\windows\system32\drivers\pqv2i.sys <Not Verified; StorageCraft; V2i Protector>
R1 PQIMount - c:\windows\system32\drivers\pqimount.sys <Not Verified; PowerQuest Corporation; V2i Protector>
R3 SunkFilt (Alcor Micro Corp Reader) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-12-14 09:40:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-11-20 and 2007-12-20 -----------------------------

2007-12-18 07:05:03 0 d-------- C:\Documents and Settings\Owner\SmitfraudFix
2007-12-16 12:50:23 3712 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-16 12:48:10 1125659 --a------ C:\SmitfraudFix.exe
2007-12-16 12:41:15 0 d-------- C:\HostsXpert
2007-12-16 12:34:53 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2007-12-15 11:41:23 0 d-------- C:\Program Files\WinSpyKiller
2007-11-30 18:53:15 0 d-------- C:\Documents and Settings\Owner\Application Data\iWin
2007-11-30 18:25:00 0 d-------- C:\Program Files\Alawar
2007-11-29 08:11:53 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-29 07:25:04 0 d-------- C:\sj700
2007-11-29 07:19:51 53248 --a------ C:\WINDOWS\system32\hpsjusd.dll <Not Verified; Hewlett-Packard Company; Hewlett-Packard Hpsjusd>
2007-11-29 07:19:51 32768 --a------ C:\WINDOWS\system32\hpsjrreg.exe <Not Verified; Hewlett-Packard; HPSJRREG Application>
2007-11-29 07:19:43 0 d-------- C:\sj653
2007-11-29 07:19:20 0 d-------- C:\sj407
2007-11-29 07:11:50 1080 --a------ C:\WINDOWS\AUTOLNCH.REG
2007-11-29 07:11:48 350208 --a------ C:\WINDOWS\system32\ltkrn70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-11-29 07:11:48 55296 --a------ C:\WINDOWS\system32\ltfil70n.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-11-29 07:11:48 93184 --a------ C:\WINDOWS\system32\lftif70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-11-29 07:11:48 111104 --a------ C:\WINDOWS\system32\lfpng70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-11-29 07:11:48 24576 --a------ C:\WINDOWS\system32\lfpcx70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-11-29 07:11:48 95232 --a------ C:\WINDOWS\system32\Lfkodak.dll
2007-11-29 07:11:48 32768 --a------ C:\WINDOWS\system32\lfgif70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-11-29 07:11:48 35328 --a------ C:\WINDOWS\system32\lffpx70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-11-29 07:11:48 306688 --a------ C:\WINDOWS\system32\Lffpx7.dll <Not Verified; ; Reference Implementation>
2007-11-29 07:11:48 55808 --a------ C:\WINDOWS\system32\lffax70n.dll <Not Verified;
LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>2007-11-29 07:11:48 224768 --a------ C:\WINDOWS\system32\LFCMP70n.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>2007-11-29 07:11:48 24576 --a------ C:\WINDOWS\system32\lfbmp70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>2007-11-29 07:11:47 13824 --a------ C:\WINDOWS\system32\reg32.dll <Not Verified; Hewlett-Packard, GHC; Hewlett-Packard, GHC reg32>2007-11-29 07:11:47 12288 --a------ C:\WINDOWS\system32\hpsmui.dll <Not Verified; Hewlett-Packard; HPSCNMGR Dynamic Link Library>2007-11-29 07:11:47 16384 --a------ C:\WINDOWS\system32\hpsj32.dll <Not Verified; Hewlett-Packard Company; HP ScanJet Scanners>2007-11-29 07:11:47 928 --a------ C:\WINDOWS\system32\hpsj1695.dll2007-11-29 07:11:47 417792 --a------ C:\WINDOWS\system32\hpscntst.dll <Not Verified; Hewlett-Packard; HP ScanJet Scanner Test>2007-11-29 07:11:47 245760 --a------ C:\WINDOWS\system32\hpscnmgr.dll <Not Verified; Hewlett-Packard; HPSCNMGR Dynamic Link Library>2007-11-29 07:11:46 669696 --a------ C:\WINDOWS\system32\ipeistor11.dll <Not Verified; Hewlett-Packard Company; IPEISTOR Dynamic Link Library>2007-11-29 07:11:45 325120 --a------ C:\WINDOWS\system32\ipebase11.dll <Not Verified; Hewlett-Packard Company; IPEBASE Dynamic Link Library>2007-11-29 07:11:45 66560 --a------ C:\WINDOWS\system32\ipeapi11.dll <Not Verified; Hewlett-Packard Company; IPEAPI Dynamic Link Library>2007-11-29 07:11:37 0 d-------- C:\SCANJET2007-11-29 07:11:25 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>2007-11-29 07:11:08 0 d-------- C:\sj3982007-11-29 06:06:46 0 d-------- C:\sj404to2007-11-27 06:08:05 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.22007-11-23 11:26:17 0 d-------- C:\Program Files\QuickTime-- Find3M Report ---------------------------------------------------------------2007-12-19 23:51:01 16 --a------ C:\WINDOWS\popcinfo.dat2007-12-19 23:39:47 4212 
---h----- C:\WINDOWS\system32\zllictbl.dat2007-12-15 16:12:42 0 d-------- C:\Program Files\Google2007-11-29 08:16:59 0 d-------- C:\Documents and Settings\Owner\Application Data\MailFrontier2007-11-24 11:31:05 512 --a------ C:\ScanSectorLog.dat2007-11-23 11:29:32 0 d-------- C:\Program Files\iPod2007-10-23 05:47:17 0 d-------- C:\Program Files\Java-- Registry Dump ---------------------------------------------------------------*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 12:04 PM]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]"CHotkey"="zHotkey.exe" [05/17/2004 07:30 PM C:\WINDOWS\zHotkey.exe]"ShowWnd"="ShowWnd.exe" [09/19/2003 10:09 AM C:\WINDOWS\ShowWnd.exe]"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [11/15/2004 04:04 PM]"@"="" []"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/17/2005 10:05 PM]"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 09:24 PM]"SoundMan"="SOUNDMAN.EXE" [12/01/2004 05:54 PM C:\WINDOWS\SOUNDMAN.EXE]"Norton Ghost 9.0"="C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe" [11/10/2004 10:03 AM]"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/14/2007 11:43 PM]"iTunesHelper"="H:\My Music\iTunes\iTunesHelper.exe" [11/15/2007 01:11 PM]"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []"hpsjbmgr"="C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe" []"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 04:05 PM][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 10:24 AM]"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 01:00 PM]"updateMgr"="C:\Program 
Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [11/22/2004 04:18 PM]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [10/9/2007 4:14:36 PM]Billminder.lnk - D:\Program Files\QUICKEN2007\BILLMIND.EXE [9/1/2007 11:52:49 AM]Quicken Startup.lnk - D:\Program Files\QUICKEN2007\QWDLLS.EXE [9/1/2007 11:52:54 AM][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38ca64f9-5a93-11dc-b56e-0013d32d4d40}]AutoRun\command- M:\LaunchU3.exe -a-- End of Deckard's System Scanner: finished at 2007-12-20 17:27:06 ------------extra.txtDeckard's System Scanner v20071014.68Extra logfile - please post this as an attachment with your post.---------------------------------------------------------------------------------- System Information ----------------------------------------------------------Microsoft Windows XP Professional (build 2600) SP 2.0Architecture: X86; Language: EnglishCPU 0: AMD Athlon 64 Processor 3400+Percentage of Memory in Use: 50%Physical Memory (total/avail): 894.48 MiB / 445.64 MiBPagefile Memory (total/avail): 2166.25 MiB / 1758.3 MiBVirtual Memory (total/avail): 2047.88 MiB / 1919.31 MiBC: is Fixed (NTFS) - 182.1 GiB total, 92.81 GiB free. D: is Fixed (FAT32) - 18.67 GiB total, 15.48 GiB free. E: is Fixed (FAT32) - 4.2 GiB total, 1.01 GiB free. F: is CDROM (No Media)G: is CDROM (No Media)H: is Fixed (FAT32) - 153.35 GiB total, 79.37 GiB free. 
I: is Removable (No Media)J: is Removable (No Media)K: is Removable (No Media)L: is Removable (No Media)\\.\PHYSICALDRIVE1 - SAMSUNG SV2001H - 18.68 GiB - 1 partition \PARTITION0 (bootable) - Unknown - 18.68 GiB - D:\\.\PHYSICALDRIVE0 - ST3200021A - 186.31 GiB - 2 partitions \PARTITION0 (bootable) - Installable File System - 182.1 GiB - C: \PARTITION1 - Unknown - 4.21 GiB - E:\\.\PHYSICALDRIVE3 - Generic USB CF Reader USB Device\\.\PHYSICALDRIVE5 - Generic USB MS Reader USB Device\\.\PHYSICALDRIVE2 - Generic USB SD Reader USB Device\\.\PHYSICALDRIVE4 - Generic USB SM Reader USB Device\\.\PHYSICALDRIVE6 - HDS72251 6VLAT20 USB Device - 153.38 GiB - 1 partition \PARTITION0 (bootable) - Unknown - 153.38 GiB - H:-- Security Center -------------------------------------------------------------AUOptions is scheduled to auto-install.Windows Internal Firewall is disabled.FirstRunDisabled is set.FW: ZoneAlarm Security Suite Firewall v7.0.462.000 (Check Point, LTD.)AV: ZoneAlarm Security Suite Antivirus v7.0.462.000 (Check Point, LTD.)[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019""%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019""%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000""C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger""H:\\My Music\\iTunes\\iTunes.exe"="H:\\My Music\\iTunes\\iTunes.exe:*:Enabled:iTunes"-- Environment Variables 
-------------------------------------------------------ALLUSERSPROFILE=C:\Documents and Settings\All UsersAPPDATA=C:\Documents and Settings\Owner\Application DataCLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zipCLIENTNAME=ConsoleCommonProgramFiles=C:\Program Files\Common FilesCOMPUTERNAME=600539OO9ComSpec=C:\WINDOWS\system32\cmd.exeFP_NO_HOST_CHECK=NOHOMEDRIVE=C:HOMEPATH=\Documents and Settings\OwnerLOGONSERVER=\\600539OO9NUMBER_OF_PROCESSORS=1OS=Windows_NTPath=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;"D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier";C:\Program Files\QuickTime\QTSystem\PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSHPROCESSOR_ARCHITECTURE=x86PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 0, AuthenticAMDPROCESSOR_LEVEL=15PROCESSOR_REVISION=2c00ProgramFiles=C:\Program FilesPROMPT=$P$GQTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zipSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WINDOWSTEMP=C:\DOCUME~1\Owner\LOCALS~1\TempTMP=C:\DOCUME~1\Owner\LOCALS~1\Temptvdumpflags=8USERDOMAIN=600539OO9USERNAME=OwnerUSERPROFILE=C:\Documents and Settings\Ownerwindir=C:\WINDOWS-- User Profiles ---------------------------------------------------------------Owner (admin)Administrator (admin)-- Add/Remove Programs --------------------------------------------------------- --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.infAdobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exeAdobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7646-A70000000000}Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}Apple Software Update --> MsiExec.exe 
/I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exeATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe" ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -cleanCanon PhotoRecord --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PhotoRecord\Uninst.isu" -c"C:\Program Files\Canon\PhotoRecord\Program\uninstdll.dll"Canon PowerShot A40 WIA Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PowerShot A40 WIA\Uninst.isu" -c"C:\Program Files\Canon\PowerShot A40 WIA\UNSTD113.dll"Canon Utilities PhotoStitch 3.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PhotoStitch\Uninst.isu"Canon Utilities RAW Image Converter --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\RAW Image Converter\Uninst.isu"Canon Utilities RemoteCapture 2.2 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\RemoteCapture\Uninst.isu"Canon Utilities ZoomBrowser EX --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\ZoomBrowser EX\Uninst.isu" -c"C:\Program Files\Canon\ZoomBrowser EX\Program\uninstallutilities.dll"Citrix Presentation Server Client --> MsiExec.exe /I{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1} HijackThis 2.0.2 --> "D:\Backup\Down Load\HijackThis.exe" /uninstallHP PrecisionScan LT Software --> C:\SCANJET\PrecisionScanLT\uninstal.exe C:\SCANJET\PrecisionScanLT\uninstal.cfgiPod for Windows 2005-10-12 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D9F4A9F8-92C5-4289-9D04-F0F8F02D580A} /l1033 iTunes --> MsiExec.exe /I{4F5CE18C-D97D-48FF-A510-A0D90C918294}J2SE Runtime 
Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}Java 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}Java 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /UMicrosoft Links LS 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft Games\Links LS 2000\Uninst.isu"Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}Microsoft Picture It! Premium 10 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=PREMMicrosoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exeMultimedia Keyboard Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF262740-C85A-11D5-BBEC-00D0B740900A}\Setup.exe" -l0x9 MultiMedia Software --> C:\Program Files\Video Add-on\uninst.exeNapster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\Setup.exe" -l0x9 Napster Burn Engine --> MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}Nero BurnRights --> C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALLNero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALLNorton Ghost 9.0 --> MsiExec.exe /X{3C759736-8347-4031-BB9C-D75ADFE6B101}PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstallQuicken 2002 Basic --> C:\WINDOWS\IsUninst.exe -f"D:\Program Files\QUICKEN2007\Uninst.isu" -c"D:\Program Files\QUICKEN2007\uninst.dll"QuickTime --> MsiExec.exe 
/I{9763E36A-08E9-4228-BBCE-12989A4EB1A8}RealArcade --> C:\Program Files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVERecovery Software Suite eMachines --> MsiExec.exe /I{15377C3E-9655-400F-B441-E69F0A6BEAFE}Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IURSLST5K.infSonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369) --> Windows XP Media Center Edition 2005 KB890629 --> Windows XP Media Center Edition 2005 KB890760 --> Windows XP Media Center Edition 2005 KB895198 --> Windows XP Media Center Edition 2005 KB895678 --> ZoneAlarm Security Suite --> D:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe-- Application Event Log -------------------------------------------------------Event Record #/Type379 / ErrorEvent Submitted/Written: 12/16/2007 06:47:05 AMEvent ID/Source: 1001 / Application ErrorEvent Description:Fault bucket 00000009.The Wep key exchange did not result in a secure connection setup after 802.1x authentication. 
The current setting has been marked as failed and the Wireless connection will be disconnected.Event Record #/Type378 / ErrorEvent Submitted/Written: 12/16/2007 06:47:00 AMEvent ID/Source: 1000 / Application ErrorEvent Description:Faulting application iexplore.exe, version 7.0.6000.16574, faulting module mscorie.dll, version 1.1.4322.2407, fault address 0x00005c80.Processing media-specific event for [iexplore.exe!ws!]Event Record #/Type349 / ErrorEvent Submitted/Written: 12/09/2007 11:11:02 AMEvent ID/Source: 1002 / Application HangEvent Description:Hanging application JewelQuest.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.Event Record #/Type348 / ErrorEvent Submitted/Written: 12/09/2007 11:10:52 AMEvent ID/Source: 1001 / Application HangEvent Description:Fault bucket 110758212.Event Record #/Type347 / ErrorEvent Submitted/Written: 12/09/2007 11:10:43 AMEvent ID/Source: 1001 / Application HangEvent Description:Fault bucket 110758212.-- Security Event Log ----------------------------------------------------------No Errors/Warnings found.-- System Event Log ------------------------------------------------------------Event Record #/Type2397 / WarningEvent Submitted/Written: 12/18/2007 09:57:35 PMEvent ID/Source: 36 / W32TimeEvent Description:The time service has not been able to synchronize the system timefor 49152 seconds because none of the time providers has been able toprovide a usable time stamp. 
The system clock is unsynchronized.Event Record #/Type2374 / ErrorEvent Submitted/Written: 12/18/2007 07:15:52 AMEvent ID/Source: 7000 / Service Control ManagerEvent Description:The ASPI32 service failed to start due to the following error: %%2Event Record #/Type2370 / ErrorEvent Submitted/Written: 12/18/2007 07:14:19 AMEvent ID/Source: 10005 / DCOMEvent Description:DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""in order to run the server:{1BE1F766-5536-11D1-B726-00C04FB926AF}Event Record #/Type2369 / ErrorEvent Submitted/Written: 12/18/2007 07:06:36 AMEvent ID/Source: 10005 / DCOMEvent Description:DCOM got error "%%1084" attempting to start the service netman with arguments ""in order to run the server:{BA126AE5-2166-11D1-B1D0-00805FC1270E}Event Record #/Type2368 / ErrorEvent Submitted/Written: 12/18/2007 07:06:34 AMEvent ID/Source: 10005 / DCOMEvent Description:DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""in order to run the server:{A1F4E726-8CF1-11D1-BF92-0060081ED811}-- End of Deckard's System Scanner: finished at 2007-12-20 17:27:06 ------------Thanks again! Link to post Share on other sites
Andro1d Posted December 22, 2007

Hello,

I am very sorry but I am going on vacation, and I have asked someone else to take this log for me.

Good luck, and thanks for your cooperation.

MoNsTeReNeRgY22
sarahw Posted December 22, 2007

Hi,

I will be handling your log now that MoNsTeReNeRgY22 is on vacation. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.

You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode, so you will be unable to access this thread at that time. Please don't use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition than it is when infected) if used incorrectly.

These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat.
sarahw Posted December 25, 2007

Hi,

As it's been a few days, please post another HijackThis log. This is because your computer's condition may have changed.

Edited December 25, 2007 by sarahw
pudgmo Posted December 25, 2007

Hi, Sorry it took so long. I'm showing hidden and system files...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:01 AM, on 12/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
H:\My Music\iTunes\iTunesHelper.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\QUICKEN2007\QWDLLS.EXE
D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Backup\Down Load\HJTInstall.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [showWnd] ShowWnd.exe
O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\My Music\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKEN2007\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKEN2007\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196101136996
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5753 bytes
sarahw Posted December 26, 2007

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
pudgmo Posted December 26, 2007

It says combofix.exe is not a valid win32 application.
sarahw Posted December 27, 2007

Delete that version, and download it from the other link.
pudgmo Posted December 28, 2007

That did it...

ComboFix 07-12-21.4 - Owner 2007-12-27 18:53:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.474 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.
2007-12-20 17:24 . 2007-12-20 17:24 <DIR> d-------- C:\Deckard
2007-12-18 07:05 . 2007-12-18 07:06 <DIR> d-------- C:\Documents and Settings\Owner\SmitfraudFix
2007-12-16 12:50 . 2007-12-18 07:05 3,712 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-16 12:48 . 2007-12-16 12:49 1,125,659 --a------ C:\SmitfraudFix.exe
2007-12-16 12:41 . 2007-12-16 12:41 <DIR> d-------- C:\HostsXpert
2007-12-15 11:41 . 2007-12-15 16:10 <DIR> d-------- C:\Program Files\WinSpyKiller
2007-11-30 18:53 . 2007-11-30 18:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iWin
2007-11-30 18:25 . 2007-12-15 16:08 <DIR> d-------- C:\Program Files\Alawar
2007-11-29 08:11 . 2007-12-02 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-29 07:25 . 2007-11-29 07:25 <DIR> d-------- C:\sj700
2007-11-29 07:19 . 2007-11-29 07:22 <DIR> d-------- C:\sj653
2007-11-29 07:19 . 2007-11-29 07:19 <DIR> d-------- C:\sj407
2007-11-29 07:19 . 2001-10-16 10:20 53,248 --a------ C:\WINDOWS\system32\hpsjusd.dll
2007-11-29 07:19 . 2001-10-16 10:20 32,768 --a------ C:\WINDOWS\system32\hpsjrreg.exe
2007-11-29 07:17 . 2007-12-26 14:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-29 07:17 . 2007-11-29 07:17 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-29 06:06 . 2007-11-29 06:06 <DIR> d-------- C:\sj404to
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 00:56 7,363,360 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-26 20:26 99,308 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-15 22:12 --------- d-----w C:\Program Files\Google
2007-11-29 14:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\MailFrontier
2007-11-27 12:08 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-26 12:47 17,393,684 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_11_25_22_03_50_full.dmp.zip
2007-11-26 12:46 2,217,469 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-11-26 12:46 17,139,898 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_11_25_22_03_37_full.dmp.zip
2007-11-24 17:31 512 ----a-w C:\ScanSectorLog.dat
2007-11-23 17:29 --------- d-----w C:\Program Files\iPod
2007-11-23 17:27 --------- d-----w C:\Program Files\QuickTime
2007-11-22 18:03 17,152,223 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_11_19_20_05_00_full.dmp.zip
2007-11-14 22:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-14 22:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-09-02 12:12 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 16:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 12:04]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"CHotkey"="zHotkey.exe" [2004-05-17 19:30 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 10:09 C:\WINDOWS\ShowWnd.exe]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 16:04]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-17 22:05]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 17:54 C:\WINDOWS\SOUNDMAN.EXE]
"Norton Ghost 9.0"="C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-11-10 10:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="H:\My Music\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"hpsjbmgr"="C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe" []
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-09 16:14:36]
Billminder.lnk - D:\Program Files\QUICKEN2007\BILLMIND.EXE [2007-09-01 11:52:49]
Quicken Startup.lnk - D:\Program Files\QUICKEN2007\QWDLLS.EXE [2007-09-01 11:52:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-11-10 09:30]
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-11-10 09:49]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38ca64f9-5a93-11dc-b56e-0013d32d4d40}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-21 15:40:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 18:56:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-27 18:57:36
.
2007-12-12 12:27:42 --- E O F ---

_____________________________________________________________________________

HJT log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:14 PM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
H:\My Music\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\QUICKEN2007\QWDLLS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealArcade\RNArcade.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
D:\Backup\Down Load\HJTInstall.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [showWnd] ShowWnd.exe
O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\My Music\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] 
C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKEN2007\BILLMIND.EXEO4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKEN2007\QWDLLS.EXEO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196101136996O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. 
- C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exeO23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe--End of file - 5637 bytes Link to post Share on other sites
sarahw Posted December 29, 2007

1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for

Folder::
C:\sj700
C:\sj653
C:\sj407
C:\sj404to

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
   Combofix.txt
   A new HijackThis log.

Please tell me how the computer is running.
pudgmo Posted December 29, 2007 (Author)

The computer seems to be running fine now, Thanks!

ComboFix 07-12-21.4 - Owner 2007-12-29 6:44:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.489 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
 * Created a new restore point

FILE
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\sj404to
C:\sj404to\hpcd.sjp
C:\sj404to\setup.exe
C:\sj404to\usdsloc.dll
C:\sj407
C:\sj407\ipesrcs.src
C:\sj407\Setup.exe
C:\sj407\updatloc.dll
C:\sj653
C:\sj700
C:\sj700\hpcd.sjp
C:\sj700\HpGenUI.dll
C:\sj700\ppt8dll.dll
C:\sj700\Setup.exe
C:\sj700\updatloc.dll
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.
2007-12-20 17:24 . 2007-12-20 17:24 <DIR> d-------- C:\Deckard
2007-12-18 07:05 . 2007-12-18 07:06 <DIR> d-------- C:\Documents and Settings\Owner\SmitfraudFix
2007-12-16 12:50 . 2007-12-18 07:05 3,712 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-16 12:48 . 2007-12-16 12:49 1,125,659 --a------ C:\SmitfraudFix.exe
2007-12-16 12:41 . 2007-12-16 12:41 <DIR> d-------- C:\HostsXpert
2007-12-15 11:41 . 2007-12-15 16:10 <DIR> d-------- C:\Program Files\WinSpyKiller
2007-11-30 18:53 . 2007-11-30 18:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iWin
2007-11-30 18:25 . 2007-12-15 16:08 <DIR> d-------- C:\Program Files\Alawar
2007-11-29 08:11 . 2007-12-02 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-29 07:19 . 2001-10-16 10:20 53,248 --a------ C:\WINDOWS\system32\hpsjusd.dll
2007-11-29 07:19 . 2001-10-16 10:20 32,768 --a------ C:\WINDOWS\system32\hpsjrreg.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 12:46 7,445,792 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-28 01:07 99,740 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-15 22:12 --------- d-----w C:\Program Files\Google
2007-11-29 14:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\MailFrontier
2007-11-27 12:08 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-26 12:47 17,393,684 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_11_25_22_03_50_full.dmp.zip
2007-11-26 12:46 2,217,469 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-11-26 12:46 17,139,898 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_11_25_22_03_37_full.dmp.zip
2007-11-24 17:31 512 ----a-w C:\ScanSectorLog.dat
2007-11-23 17:29 --------- d-----w C:\Program Files\iPod
2007-11-23 17:27 --------- d-----w C:\Program Files\QuickTime
2007-11-22 18:03 17,152,223 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_11_19_20_05_00_full.dmp.zip
2007-11-14 22:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-14 22:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-09-02 12:12 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
((((((((((((((((((((((((((((( snapshot@2007-12-27_18.56.54.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-27 05:42:41 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2007-12-29 07:07:24 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
- 2007-12-28 00:51:18 389,688 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2007-12-29 12:43:25 392,628 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2007-12-27 16:02:34 7,302,948 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2007-12-29 10:00:39 7,361,875 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 16:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 12:04]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"CHotkey"="zHotkey.exe" [2004-05-17 19:30 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 10:09 C:\WINDOWS\ShowWnd.exe]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 16:04]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-17 22:05]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 17:54 C:\WINDOWS\SOUNDMAN.EXE]
"Norton Ghost 9.0"="C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-11-10 10:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="H:\My Music\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"hpsjbmgr"="C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe" []
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-09 16:14:36]
Billminder.lnk - D:\Program Files\QUICKEN2007\BILLMIND.EXE [2007-09-01 11:52:49]
Quicken Startup.lnk - D:\Program Files\QUICKEN2007\QWDLLS.EXE [2007-09-01 11:52:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-11-10 09:30]
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-11-10 09:49]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38ca64f9-5a93-11dc-b56e-0013d32d4d40}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 15:40:56 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 06:46:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-29 6:47:17
C:\ComboFix2.txt ... 2007-12-27 18:57
.
2007-12-12 12:27:42 --- E O F ---

-----------------------------------------------------------------------------------------------------

hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:44 AM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
H:\My Music\iTunes\iTunesHelper.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\QUICKEN2007\QWDLLS.EXE
D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Backup\Down Load\HJTInstall.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [showWnd] ShowWnd.exe
O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\My Music\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKEN2007\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKEN2007\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196101136996
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5773 bytes
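The thread's workflow is "post a HijackThis log, a helper reads it, fix, post a fresh log, compare." The script below is an added example (not part of this thread, and not code from HijackThis or ComboFix) of doing the comparison and a first triage pass by machine. It parses the O2/O3/O4 lines of two logs, lists what disappeared and what appeared between them, and applies three heuristics of my own, not HijackThis rules: a BHO or toolbar registered as "(no name)", a Run value that is a bare filename (such as zHotkey.exe above, which Windows resolves through the search path rather than a fixed location, so the on-disk file should be checked), and any other module living in the same directory as a flagged one, since unwanted add-ons usually install their BHO and toolbar side by side. The sample input is constructed: the Adobe and Java BHO lines and the CHotkey, QuickTime and Reminder Run values mirror entries in the logs above, while the "(no name)" BHO and "Sample Tools" toolbar, their CLSIDs and their "Sample Add-on" paths are placeholders standing in for whatever rogue entries a "before" log would show.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample input in HijackThis v2.0.2 line format (not a complete log).
# The "(no name)" BHO, the "Sample Tools" toolbar, their CLSIDs and paths are
# placeholders; the other lines mirror entries that appear in this thread.
BEFORE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Sample Add-on\sampbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Sample Tools - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Sample Add-on\samptb.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

AFTER_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
"""


@dataclass(frozen=True)
class Entry:
    kind: str    # HijackThis section, e.g. "O2", "O3", "O4"
    name: str    # BHO/toolbar display name, or the Run value name
    target: str  # module path (O2/O3) or Run command line (O4)
    raw: str     # the original log line, used as the identity for diffing


LINE_RE = re.compile(r"^(O\d+) - (.*)$")
MODULE_RE = re.compile(r"^(?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^.*?: \[(.*?)\] (.*)$")


def parse_hjt(text):
    """Parse the O-lines of a HijackThis log into Entry records; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        mm = MODULE_RE.match(body) if kind in ("O2", "O3") else None
        if mm:
            entries.append(Entry(kind, mm.group(1), mm.group(3), line))
            continue
        mm = RUN_RE.match(body) if kind == "O4" else None
        if mm:
            entries.append(Entry(kind, mm.group(1), mm.group(2), line))
            continue
        entries.append(Entry(kind, "", body, line))
    return entries


def command_image(cmd):
    """The executable part of a Run-key command line: the quoted image, else the whole string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd


def module_dir(e):
    """Lower-cased directory the entry loads from ("" when no directory is given)."""
    image = e.target if e.kind in ("O2", "O3") else command_image(e.target)
    return ntpath.dirname(image).lower()


def reasons(e):
    """Heuristics of this example (not HijackThis rules) that make an entry worth a look."""
    out = []
    if e.kind in ("O2", "O3") and e.name == "(no name)":
        out.append("browser extension registered without a display name")
    if e.kind == "O4" and "\\" not in command_image(e.target):
        out.append("Run value is a bare filename, resolved through the search path")
    return out


def triage(entries):
    """Map raw line -> reasons; also pulls in modules sharing a directory with a flagged one."""
    flagged = {}
    for e in entries:
        why = reasons(e)
        if why:
            flagged[e.raw] = why
    hot_dirs = {module_dir(e) for e in entries if e.raw in flagged and e.kind in ("O2", "O3")}
    hot_dirs.discard("")
    for e in entries:
        d = module_dir(e)
        if d in hot_dirs and e.raw not in flagged:
            flagged[e.raw] = ["loaded from the same directory as a flagged module: " + d]
    return flagged


def diff_logs(before_text, after_text):
    """Entries removed and added between two logs of the same machine, in log order."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    after_raw = {e.raw for e in after}
    before_raw = {e.raw for e in before}
    removed = [e for e in before if e.raw not in after_raw]
    added = [e for e in after if e.raw not in before_raw]
    return removed, added


if __name__ == "__main__":
    for label, text in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(f"== {label}: entries worth a look ==")
        for raw, why in triage(parse_hjt(text)).items():
            print(raw)
            for w in why:
                print("    ->", w)
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("== removed by the cleanup ==")
    for e in removed:
        print(e.raw)
    print("== new since the first log ==")
    for e in added:
        print(e.raw)
```

Run on the constructed sample, the "before" pass flags the nameless BHO, the toolbar beside it and the bare zHotkey.exe value; the "after" pass still flags zHotkey.exe, which is the point: a clean log is not proof that a bare-filename Run value resolves to the file you expect, so that one is verified on disk (ComboFix's own Reg Loading Points output above resolves it to C:\WINDOWS\zHotkey.exe). The new Reminder value shows up in the "added" list, which is what you want a second look at after any fix.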
sarahw Posted December 30, 2007

Hi,

Congratulations, your log is now clean. Time for some housekeeping.

Click START then RUN
Now type Combofix /u in the runbox and click OK
When shown the disclaimer, select "2"

The above procedure will:
- Delete the following:
  ComboFix and its associated files and folders.
  VundoFix backups, if present
  The C:\Deckard folder, if present
  The C:\_OtMoveIt folder, if present
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Reset System Restore.

A well protected computer should have at least an Anti Virus and Firewall; an Anti Spyware is also a great addition to your computer's security. Here is a list of tools I like to recommend to people that will help ensure safe surfing on the internet, and to help you from getting infected again.

Note: DO NOT install more than one antivirus or Firewall program. They will conflict, and provide less protection, not more. Uninstall any existing Anti Virus\Firewall programs if you're going to install a new one.

Free Online Scans:
Free ActiveX and Java based online scans. You can use these scans from other companies and it will not interfere with your current Anti Virus. If you find that you are infected, post a HijackThis log in the forums.
- Kaspersky online scan
- Panda Online Scan
- F-Secure Online Scan
- TrendMicro HouseCall online scan
- Bit Defender online scan

Free Temp Cleaners:
Use these tools to clean temporary files from IE and Windows, empty the recycle bin and more. Great tools to help speed up your computer and knock out those nasties that like to reside in the temp folders. ATF Cleaner recommended.
- CCleaner
- ATF Cleaner

Free Firewall Downloads:
You must have a Firewall installed on your computer. This helps stop anything from leaving or entering your computer without your permission.
- ZoneAlarm
- Kerio Firewall

Free Anti Spyware Downloads:
An Antispyware is a great tool that can help remove infections alongside your Anti Virus. Some include real time protection, scheduled scans and automatic definition updates.
- AVG Antispyware
- A-Squared Antispyware
- SpywareGuard
- SpywareBlaster
- SpywareTerminator
- Spybot Search & Destroy
- Ad Aware

Free Anti Virus Downloads:
A must have for all computers. Avast! recommended.
- SpywareTerminator with ClamAV enabled
- AntiVir
- Avast!
- Grisoft AVG
- Bit Defender Free
- a² Free
- Comodo BOClean
- SuperAntiSpyware

Other:
- SpywareGuard: works as a Spyware "Shield" to protect your computer from getting malware in the first place.
- IE-SpyAd: this tool puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
- Memtest86: great memory testing software.
- CPU-Z: this application gives detailed information about your system in a nice layout.
- Speedfan: returns and monitors system temperatures.
- Windows Updates: it is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

You can now rehide your system files by using these instructions HERE.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read THIS article by Tony Klein.

If you have any other problems or questions be sure to ask.
pudgmo Posted December 30, 2007 (Author)

Thanks sarahw! All looks good. Thanks for the links too.
sarahw Posted December 30, 2007

Not a problem. Thanks for letting me know the final result.
sarahw Posted January 5, 2008

Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a new topic.