Messages - funkandjazz

1
Tech Clinic / Virus Problem
« on: July 06, 2008, 01:14:57 AM »
[quote name='guestolo' post='434632' date='Jul 5 2008, 10:17 AM']Do a "System scan only" with Hijackthis and put a check next to these entries:

O16 - DPF: {14026E16-CA00-0E7F-DE94-4CA444CE0DA9} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3162787C-FE67-43E2-5B17-63A1077EF4B2} - http://69.50.182.94/1/rdgUS1953.exe


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer
Come back here and post a fresh hijackthis log

In addition, I notice you may have run SuperAntispyware
Can you post the log from its last scan please
To get the log, Open SA> click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.[/quote]




Done. Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 11:26:19 PM, on 7/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WDBtnMgr.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\Program Files\IrfanView\I_VIEW32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVisionaltsetup\Utility\ColorVisionStartup.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: aawservice - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe



----------------------



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/03/2008 at 05:57 AM

Application Version : 4.15.1000

Core Rules Database Version : 3496
Trace Rules Database Version: 1487

Scan type       : Quick Scan
Total Scan Time : 00:23:37

Memory items scanned      : 469
Memory threats detected   : 0
Registry items scanned    : 451
Registry threats detected : 2
File items scanned        : 10839
File threats detected     : 71

Adware.Tracking Cookie
   C:\Documents and Settings\Owner\Cookies\owner@adultdvdexplorer[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@fonefinder[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@windowsmedia[2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@crackdb[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@90044751[1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\owner@azjmp[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@adecn[1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@kanoodle[2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@32000[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@consumersdiscountrx[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@labels=0[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@mediablvd[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@labels=0[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@adserver[1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@trafficdashboard[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@warlog[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@teenboom[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@yadro[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@qnsr[1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@mediabistro[3].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\owner@interclick[3].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][4].txt
   C:\Documents and Settings\Owner\Cookies\owner@nandomedia[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@collective-media[5].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\owner@toplist[1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@nextag[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@starware[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@adinterax[3].txt
   C:\Documents and Settings\Owner\Cookies\owner@belnk[1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@adknowledge[2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@empornium[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@atwola[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@shopica[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@mb[5].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\owner@kontera[3].txt
   C:\Documents and Settings\Owner\Cookies\owner@dmtracker[3].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
   C:\Documents and Settings\Owner\Cookies\owner@revsci[5].txt
   C:\Documents and Settings\Owner\Cookies\owner@nextstat[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@adbrite[1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][4].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@partner2profit[1].txt
   .statcounter.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   media.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .dynamic.media.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .dynamic.media.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .easycracks.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .superstats.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .yadro.ru [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.fullreleases.biz [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .usenext.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .engine.adnet.ru [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .engine.adnet.ru [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .engine.adnet.ru [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .burstnet.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .partner2profit.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .partner2profit.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .partner2profit.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .partner2profit.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]

Rootkit.Unclassified/SysDamp-Traces
   HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved
   HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Reserved

Trojan.Crafted-A
   C:\WINDOWS\SYSTEM32\TRF32.DLL

2
Tech Clinic / Virus Problem
« on: July 04, 2008, 08:02:02 PM »
[quote name='guestolo' post='434562' date='Jul 4 2008, 09:18 AM']Sorry for the delay funkandjazz

If you still need a hand, can you post a fresh hijackthis log please
But do the following
When you run Scan and Save Logfile with Hijackthis
When the log opens in Notepad, before you copy it, click on FORMAT at the top
and UNCheck Word Wrap
Then copy>paste back here the fresh log, this will eliminate the spaces in your log[/quote]


Hi,

Thanks for the reply. Since I wrote my original post, I have run a couple more virus/spyware removal programs and they all "fixed" stuff. The browser hijack problem does seem to have been fixed. Still, I'm not entirely sure that I've cleared away all my problems. Could you take a look and see what you think, please? Below is the updated HJT log, per your request.

Thanks!




Logfile of HijackThis v1.99.1
Scan saved at 6:11:50 PM, on 7/4/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\WDBtnMgr.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVisionaltsetup\Utility\ColorVisionStartup.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {14026E16-CA00-0E7F-DE94-4CA444CE0DA9} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3162787C-FE67-43E2-5B17-63A1077EF4B2} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: aawservice - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

3
Tech Clinic / Virus Problem
« on: June 26, 2008, 10:43:46 AM »
Hello,

This forum has been extremely helpful to me in the past. I'd appreciate your help with this new problem:

I seem to have acquired a virus that's causing several problems. I was notified by my internet provider that spam was suddenly being sent from my email address (unbeknownst to me) and also whenever I do a search through Yahoo or Google and select one of the links, I get redirected to "my-fast-search.com". Can you please help me find and remove what's causing the problem?

Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:07 AM, on 6/26/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\lsass.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\Owner\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [lsass] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\lsass.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVisionaltsetup\Utility\ColorVisionStartup.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {14026E16-CA00-0E7F-DE94-4CA444CE0DA9} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3162787C-FE67-43E2-5B17-63A1077EF4B2} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: avicore - avicore.dll (file missing)
O20 - Winlogon Notify: __c00D6FBA - C:\WINDOWS\SYSTEM32\__c00D6FBA.jpg
O22 - SharedTaskScheduler: OLE Module - {03B1C4D9-BC71-8916-38AD-9DEA5D213614} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0156521214483532) (0156521214483532mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\Owner\LOCALS~1\Temp\015652~1.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 7011 bytes



Thanks!
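The log in the post above carries the four entry types a HijackThis helper would pick out by eye: a Run key launching lsass.exe from Application Data rather than System32, two O16 DPF entries pulling an .exe from a bare IP address instead of a .cab, Winlogon Notify packages that are either missing or not a .dll (a .jpg), and a service binary living under Temp. The script below is an added example for this thread, not HijackThis code and not the helper's procedure; it encodes those checks as regexes over HJT 1.99/2.0.2 line formats. SAMPLE_LOG is constructed from entries posted above, and the list of borrowed system-process names is my assumption, not something HijackThis maintains.

```python
"""Triage a HijackThis (HJT) log for the indicator types shown in this thread.

Added example; not HijackThis code. SAMPLE_LOG is constructed from the
entries posted above, so the regexes cover HJT 1.99/2.0.2 line formats only.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Core Windows process names that malware borrows (the thread's lsass.exe
# under Application Data). Genuine copies live under the Windows directory.
# Assumed list, not an HJT whitelist.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}
WINDOWS_DIRS = ("c:\\windows\\", "c:\\winnt\\")

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
O23_RE = re.compile(r"^O23 - Service: .* - (.*)$")

# Constructed sample: a benign and a suspicious line for each section type.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [lsass] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\lsass.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {14026E16-CA00-0E7F-DE94-4CA444CE0DA9} - http://69.50.182.94/1/rdgUS1953.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: avicore - avicore.dll (file missing)
O20 - Winlogon Notify: __c00D6FBA - C:\WINDOWS\SYSTEM32\__c00D6FBA.jpg
O23 - Service: McAfee Application Installer Cleanup (0156521214483532) (0156521214483532mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\Owner\LOCALS~1\Temp\015652~1.EXE
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
"""


def _flag_run_entry(cmd):
    """O4: a core Windows process name launched from outside the Windows dir."""
    m = re.match(r'^"?(.*?\.exe)', cmd, re.IGNORECASE)
    if not m:
        return []
    path = m.group(1)
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_PROCESS_NAMES and not path.lower().startswith(WINDOWS_DIRS):
        return [f"core Windows process name '{name}' running from outside the Windows directory"]
    return []


def _flag_dpf_entry(url):
    """O16: ActiveX download from a bare IP, or a raw .exe instead of a .cab."""
    parts = urlsplit(url)
    reasons = []
    try:
        ip_address(parts.hostname or "")
        reasons.append("ActiveX download from a bare IP address")
    except ValueError:
        pass
    if parts.path.lower().endswith(".exe"):
        reasons.append("DPF target is an .exe rather than a .cab package")
    return reasons


def _flag_winlogon_notify(value):
    """O20: orphaned entry, or a notify package that is not a DLL at all."""
    if value.endswith("(file missing)"):
        return ["orphaned Winlogon Notify entry (file missing)"]
    if not value.lower().endswith(".dll"):
        return ["Winlogon Notify package without a .dll extension"]
    return []


def _flag_service(path):
    """O23: service binaries have no business running from a Temp folder."""
    if "\\temp\\" in path.lower():
        return ["service binary runs from a Temp directory"]
    return []


def triage(log_text):
    """Return one finding per suspicious line: section, reasons, raw line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if (m := O4_RE.match(line)):
            reasons = _flag_run_entry(m.group(3))
        elif (m := O16_RE.match(line)):
            reasons = _flag_dpf_entry(m.group(1))
        elif (m := O20_RE.match(line)):
            reasons = _flag_winlogon_notify(m.group(2))
        elif (m := O23_RE.match(line)):
            reasons = _flag_service(m.group(1))
        if reasons:
            findings.append({"section": line.split(" - ", 1)[0], "reasons": reasons, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], "|", "; ".join(f["reasons"]))
        print("   ", f["line"])
```

On the constructed sample this flags exactly the five lines a helper would tick (the lsass.exe Run entry, the IP-hosted .exe DPF, both odd Winlogon Notify entries and the Temp service) and leaves the McAfee, Intel and GEAR lines alone. It is a triage aid, not a verdict: a legitimate vendor occasionally ships an ActiveX installer as an .exe, and a missing-file entry is clutter rather than an active infection.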

4
Tech Clinic / Smartsecurity HJT scanlog
« on: April 09, 2005, 06:27:20 PM »
scanner results for kl_upx.exe:

AntiVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
mks_vir  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
VBA32  Found nothing

then:

File:  uscscsi.dll  
Status:  MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)  
Packers detected:  UPX
Scanner results  
AntiVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
mks_vir  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
VBA32  Found nothing

description: Universal control library


then:

File:  cpuinf32.dll  
Status:  MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)  
Packers detected:  UPX
Scanner results  
AntiVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
mks_vir  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
VBA32  Found nothing

This is an unknown application extension

then:


File:  DefragH.exe  
Status:  MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)  
Packers detected:  UPX
Scanner results  
AntiVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
mks_vir  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
VBA32  Found nothing

Application: DefragH

next:

File:  devil.dll  
Status:  MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)  
Packers detected:  UPX
Scanner results  
AntiVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
mks_vir  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
VBA32  Found nothing

Description: DevIL: A portable image library in development from Abysmal Software

next:


File:  ilu.dll  
Status:  MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)  
Packers detected:  UPX
Scanner results  
AntiVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
mks_vir  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
VBA32  Found nothing

Description:  ILU: A portable image library in development, Abysmal Software
   


next:



File:  patin.cpl  
Status:  MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)  
Packers detected:  UPX
Scanner results  
AntiVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
mks_vir  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
VBA32  Found nothing

Description: Access layer configuration tool for VSO softwares, VSO software


next:


File:  rmme3260.dll  
Status:  OK  
Packers detected:  -
Scanner results  
AntiVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
mks_vir  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
VBA32  Found nothing


how are we doing?

5
Tech Clinic / Smartsecurity HJT scanlog
« on: April 09, 2005, 10:44:37 AM »
OK, here is what happened: I went to msconfig and selected normal startup. I did not restart immediately but rather shut down AVG and uninstalled it. I then updated Panda AV. I then attempted to restart the computer.

Then: trouble!

My computer got stuck on the first blue screen that says "HP Invent" and I could not get past that screen. None of the F keys had any effect. So, after much frustration, I called HP tech support and they suggested that I might have a buildup of static electricity. They advised me to disconnect all the cables from my computer, then hold down the on/off button for 30 seconds or so, then restart. Amazingly, it worked! Whew!

I was then able to boot up into safe mode, start Panda and run a full system scan. Panda found no infections.

I then ran RKfiles.bat, restarted into normal mode, ran HJT, and here we are:

C:\RKFiles
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\cpuinf32.dll: UPX!
C:\WINDOWS\system32\DefragH.exe: UPX!
C:\WINDOWS\system32\devil.dll: UPX!
C:\WINDOWS\system32\ilu.dll: UPX!
C:\WINDOWS\system32\ilut.dll: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: >UPX!t
C:\WINDOWS\system32\kl_upx.exe: t[hUPX!
C:\WINDOWS\system32\kl_upx.exe: MThUPX!PQ
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!t
C:\WINDOWS\system32\kl_upx.exe: hUPX!PQ
C:\WINDOWS\system32\kl_upx.exe: JMUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: JMUPX!
C:\WINDOWS\system32\kl_upx.exe: JMPDUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: JMPOUPX!
C:\WINDOWS\system32\kl_upx.exe: JMPDUPX!
C:\WINDOWS\system32\patin.cpl: UPX!
C:\WINDOWS\system32\rmme3260.dll: +F!f:G!fSG!fmG!f
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\uscscsi.dll: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye



Logfile of HijackThis v1.99.1
Scan saved at 8:33:18 AM, on 4/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe



What now?? Thanks again!

6
Tech Clinic / Smartsecurity HJT scanlog
« on: April 09, 2005, 01:01:18 AM »
guestolo, thanks as always for your guidance. After reading your post, specifically your observation that I lack anti-virus software, a light bulb went off in my head. I actually do have anti-virus software installed: Panda AV Platinum. BUT, Microsoft phone tech support, as they tried to help me get rid of the smartsecurity infection, advised me to use msconfig to switch from "normal startup" to "selective startup" as a means to isolate the source of the infection. I never reverted to "normal startup." So, the boxes checked now for startup items are: Process SYSTEM.INI file and Process WIN.INI file. "Load system services" and "load startup items" are checked, but they're grayed out.

This is why my AV software isn't showing up! I haven't been loading my normal startup items, including AV software. Ugh!

What do you suggest? Is there any danger in now reverting to "normal startup"?

Is this also the reason my HJT logs are so small?

I did download and run AVG software, did a full scan, and no viruses or other infections were detected.

I now realize the above msconfig information may have been crucial to your diagnosis of my situation. My apologies. I'd forgotten all about it.

Please advise! And thanks again.

7
Tech Clinic / Smartsecurity HJT scanlog
« on: April 08, 2005, 10:58:24 AM »
First, I failed to answer a previous question of yours. Yes, I am able to create shortcuts on my desktop and they do stick.

Now, I followed your most recent instructions. I shut off my DSL modem, restarted in safe mode, and ran HSFix.bat and RKfiles.bat.

Here are the latest logs:

Logfile of HijackThis v1.99.1
Scan saved at 8:53:40 AM, on 4/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe



 
Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
   Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
ps.a3d
drct16.dll
mszx23.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-





C:\RKFiles
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\cpuinf32.dll: UPX!
C:\WINDOWS\system32\DefragH.exe: UPX!
C:\WINDOWS\system32\devil.dll: UPX!
C:\WINDOWS\system32\ilu.dll: UPX!
C:\WINDOWS\system32\ilut.dll: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: >UPX!t
C:\WINDOWS\system32\kl_upx.exe: t[hUPX!
C:\WINDOWS\system32\kl_upx.exe: MThUPX!PQ
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!t
C:\WINDOWS\system32\kl_upx.exe: hUPX!PQ
C:\WINDOWS\system32\kl_upx.exe: JMUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: JMUPX!
C:\WINDOWS\system32\kl_upx.exe: JMPDUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: JMPOUPX!
C:\WINDOWS\system32\kl_upx.exe: JMPDUPX!
C:\WINDOWS\system32\patin.cpl: UPX!
C:\WINDOWS\system32\rmme3260.dll: +F!f:G!fSG!fmG!f
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\uscscsi.dll: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye


How are we doing?

Thanks!

8
Tech Clinic / Smartsecurity HJT scanlog
« on: April 07, 2005, 02:36:14 PM »
Ok, here's where things stand.

Due to my own irrational fears, I did not restore to the last system restore point.

I did this:

1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Make sure all checkboxes in this window are un-checked.
OK your way out

Then I restarted in safe mode.

Then I located, but was UNable to delete these files:

C:\WINDOWS\System32\mszx23.exe <-file
C:\WINDOWS\SYSTEM32\drct16.dll <-file

I got a message that the files were being used by another process and therefore could NOT be deleted.

I was unsure exactly what to do at this point, but I elected to proceed with the rest of your instructions.

So, I did this:

Stay in safe mode
Open Hijackthis>>Open Misc tools section>>Open Process manager
Left click to Highlight and then kill this process if still running
C:\WINDOWS\System32\mszx23.exe

BUT-- that process did not show up at all in the list. I was therefore unable to kill it or do anything else with it.

So I proceeded to this:

Do another scan with Hijackthis and put a check next to these entries that exist

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

That all went fine.

I did all this:


Run HSfix.bat again

Next, navigate to where you unzipped Rkfiles.zip
Run Rkfiles.bat
Wait for the log to be produced; by default it will be saved to C:\log.txt

Restart back to Normal mode.

No problems there.

Here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:22:30 PM, on 4/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

Here's the new hslog.txt:


 
Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
   Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
klogini.dll
p2.ini
ps.a3d
drct16.dll
mszx23.exe
-
4. Deleting files that were found.
-
unable to remove ps.a3d
unable to remove drct16.dll
unable to remove mszx23.exe
-
5. Checking for and Removing Winupdate
-
-
-


Here's the log from RKfiles.bat:

C:\RKFiles
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\cpuinf32.dll: UPX!
C:\WINDOWS\system32\DefragH.exe: UPX!
C:\WINDOWS\system32\devil.dll: UPX!
C:\WINDOWS\system32\ilu.dll: UPX!
C:\WINDOWS\system32\ilut.dll: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: >UPX!t
C:\WINDOWS\system32\kl_upx.exe: t[hUPX!
C:\WINDOWS\system32\kl_upx.exe: MThUPX!PQ
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!t
C:\WINDOWS\system32\kl_upx.exe: hUPX!PQ
C:\WINDOWS\system32\kl_upx.exe: JMUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: JMUPX!
C:\WINDOWS\system32\kl_upx.exe: JMPDUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: JMPOUPX!
C:\WINDOWS\system32\kl_upx.exe: JMPDUPX!
C:\WINDOWS\system32\patin.cpl: UPX!
C:\WINDOWS\system32\rmme3260.dll: +F!f:G!fSG!fmG!f
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\uscscsi.dll: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye

Where do we stand now?

Thanks again.

9
Tech Clinic / Smartsecurity HJT scanlog
« on: April 07, 2005, 04:20:04 AM »
Sorry, I misunderstood. Yes, I did create a restore point before proceeding with any of your instructions, so all is well. I've printed out your instructions and will proceed in the morning, with follow-up results for you. Thanks again!

10
Tech Clinic / Smartsecurity HJT scanlog
« on: April 07, 2005, 12:42:38 AM »
Forgive me if these are especially naive questions/concerns; please bear with me. I'm worried about attempting to restore to the day before the smartsecurity infection. After several hours of phone tech help last night, I was advised to attempt a system restore to the last good install date. I did this and it failed. I got an error message upon reboot that the system restore attempt was unsuccessful. I then ran a series of trojan/virus/spyware removal programs which identified numerous problem files, all of which I deleted/fixed. When I next tried to reboot, I got an immediate error message that a boot file had failed or was corrupted, and it took Microsoft techs a couple of hours rebuilding my CNG file before I could even reboot. SO, as you can imagine, I'm real skittish about taking any steps which could cause any of the above to happen again. Is there any chance that following your instructions regarding system restore could cause me to have any of the trouble described above? That would not be good since it would mean I could not get online to get further assistance from you!

Thanks!

P.S. As to the question you just asked, I did a search immediately for the most critical items (photos) that were in folders on my desktop, and I think I've found them. And yes, many of the missing desktop items were shortcuts (not so worried about that; I can easily create them again). Other missing items are files and folders. I haven't yet searched for them all.

11
Tech Clinic / Smartsecurity HJT scanlog
« on: April 06, 2005, 11:52:31 PM »
That last message is from me. Sorry, I forgot to log in after the cleansweep.

12
Tech Clinic / Smartsecurity HJT scanlog
« on: April 06, 2005, 07:33:09 PM »
guestolo, thanks very much for your reply.

Prior to finding this forum and seeking your help, I got advice from Microsoft tech support and also Hewlett-Packard tech support. They advised me to run all my spyware/adware removal software and to run all my virus removal software. I did all this and much was removed. However, as I indicated, the smartsecurity screen still dominates my desktop and I have no right-click functionality on my desktop.

It was only at this point that I discovered this forum, and I am doing my best to follow your instructions.

There are no backups listed in my HJT software, sorry.

I'm doing the best I can. Please advise! Here is my latest scan:

Logfile of HijackThis v1.99.1
Scan saved at 5:30:54 PM, on 4/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mszx23.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

13
Tech Clinic / Smartsecurity HJT scanlog
« on: April 06, 2005, 03:16:02 PM »
I am unable to rid my desktop of the smartsecurity red/black image, nor am I able to use the right-click feature on my desktop. Here is my HJT log from the scan just completed:

Logfile of HijackThis v1.99.1
Scan saved at 1:10:17 PM, on 4/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mszx23.exe
C:\Program Files\IrfanView\I_VIEW32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll

Please advise! What do I do now? Thanks very much. :blink:

Pages: [1]