Topic: Smitfraud and incessant popups.

Offline erikh

Smitfraud and incessant popups.
« on: May 21, 2007, 10:57:57 PM »
Hi there,
Over the past week or so my computer has shown increasing numbers of pop-ups and I do not seem to be able to do much about them. Things get better for a short while and then more messy again.
Also I keep getting Smitfraud.Tool888 coming up when I run Spybot S&D and this appears to remove it but it comes back each time.
I had Google Toolbar but have removed it.
I have used Smitfraudfix but it cannot find Cleanup.reg.
I have run several cleanup programs but Smitfraud is really persistent.
I am using win2000.

I attach my Hijackthis log and hope that you can help me fix things.

regards, Erik
 

Logfile of HijackThis v1.99.1
Scan saved at 1:54:55 PM, on 22/05/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Desktop Service Centre] "C:\Program Files\OptusNet DSL Internet\DSC.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IMONTRAY] "C:\Program Files\Intel\Intel® Active Monitor\imontray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [setup] "rundll32.exe" "C:\WINNT\system32\pwcbkrcg.dll",realset
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [EssentialPIM] "C:\Program Files\EssentialPIM\EssentialPIM.exe" /autorun
O4 - HKCU\..\Run: [Uniblue Registry Booster2] "C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe" /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1164633796468
O17 - HKLM\System\CCS\Services\Tcpip\..\{E268C38B-2F85-40EC-8865-249169241F28}: NameServer = 203.23.236.66,203.23.236.69
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - C:\WINNT\system32\dssdll32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Offline guestolo

« Reply #1 on: May 22, 2007, 07:25:11 PM »
Please disable SpySweeper, as it may hinder the removal of some HijackThis entries. You can re-enable it after you're clean.

To disable SpySweeper:

Open it, click Options over to the left, then click the Program tab and uncheck "Start Spy Sweeper at Windows startup".
Over to the left click "Shields":
  • Click the "Internet Explorer" tab and uncheck all there.
  • Click the "Windows System" tab and uncheck all there.
  • Click the "Host File" tab and uncheck all there.
  • Click the "Startup Programs" tab and uncheck "Startup Items Shield".
Please leave these protections disabled till after we have you clean.

Reboot your computer
Back in Windows

Download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."

Post the report from VundoFix: C:\Vundofix.txt

Also, can you delete Smitfraudfix.zip and the Smitfraudfix folder?
Re-download SmitfraudFix (by S!Ri).
Extract the contents (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Also post a fresh HijackThis log.
If it takes more than one reply to post back all the info, please do so.

Recap:
Post the following
1. Post the report from VundoFix: C:\Vundofix.txt
2. Post the log from SmitfraudFix
3. Post a fresh HijackThis log

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline erikh

« Reply #2 on: May 23, 2007, 05:54:20 AM »
[quote name='guestolo' post='328930' date='May 23 2007, 10:25 AM']Please disable SpySweeper, as it may hinder the removal of some HijackThis entries. You can re-enable it after you're clean.

To disable SpySweeper:

Open it, click Options over to the left, then click the Program tab and uncheck "Start Spy Sweeper at Windows startup".
Over to the left click "Shields":
  • Click the "Internet Explorer" tab and uncheck all there.
  • Click the "Windows System" tab and uncheck all there.
  • Click the "Host File" tab and uncheck all there.
  • Click the "Startup Programs" tab and uncheck "Startup Items Shield".
Please leave these protections disabled till after we have you clean.

Reboot your computer
Back in Windows

Download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."

Post the report from VundoFix: C:\Vundofix.txt

Also, can you delete Smitfraudfix.zip and the Smitfraudfix folder?
Re-download SmitfraudFix (by S!Ri).
Extract the contents (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Also post a fresh HijackThis log.
If it takes more than one reply to post back all the info, please do so.

Recap:
Post the following
1. Post the report from VundoFix: C:\Vundofix.txt
2. Post the log from SmitfraudFix
3. Post a fresh HijackThis log[/quote]


Reply.
Results so far up to end of Vundo.fix.

1.I

Offline erikh

« Reply #3 on: May 23, 2007, 06:06:06 AM »
[quote name='erikh' post='329040' date='May 23 2007, 08:54 PM']Reply.
Results so far up to end of Vundo.fix.[/quote]

I disabled SpySweeper. The tabs are labelled a bit differently because I guess it is a recent version. But I think I got them all right.
Then rebooted.
I brought down Vundo.fix.exe and ran it. It found several files and when I replied YES to delete files the screen went blank and then froze.
An error message came up saying: "Cannot import C:\Vundofix.reg. Error opening the file. There may be a disk or file system error"
I clicked OK but the screen was still frozen.
Ctrl/Alt/Del had no effect either.
I had to switch off power.
I restarted in normal mode.
Redownloaded Vundo.txt and scanned again.
This time it did not find anything.
Then I copied C:\Vundofix.txt and will paste it now.


VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 6:48:42 PM 23/05/2007

Listing files found while scanning....

C:\WINNT\system32\byxurqq.dll
C:\WINNT\system32\gcrkbcwp.ini
C:\WINNT\system32\jkklmkk.dll
C:\WINNT\system32\lbpxnhqi.dll
C:\WINNT\system32\oqstv.bak1
C:\WINNT\system32\oqstv.bak2
C:\WINNT\system32\oqstv.ini
C:\WINNT\system32\pwcbkrcg.dll
C:\WINNT\system32\vtsqo.dll

Beginning removal...

 Attempting to delete C:\WINNT\system32\byxurqq.dll
C:\WINNT\system32\byxurqq.dll Has been deleted!

 Attempting to delete C:\WINNT\system32\gcrkbcwp.ini
C:\WINNT\system32\gcrkbcwp.ini Has been deleted!

 Attempting to delete C:\WINNT\system32\jkklmkk.dll
C:\WINNT\system32\jkklmkk.dll Has been deleted!

 Attempting to delete C:\WINNT\system32\oqstv.bak1
C:\WINNT\system32\oqstv.bak1 Has been deleted!

 Attempting to delete C:\WINNT\system32\oqstv.bak2
C:\WINNT\system32\oqstv.bak2 Has been deleted!

 Attempting to delete C:\WINNT\system32\oqstv.ini
C:\WINNT\system32\oqstv.ini Has been deleted!

 Attempting to delete C:\WINNT\system32\pwcbkrcg.dll
C:\WINNT\system32\pwcbkrcg.dll Has been deleted!

 Attempting to delete C:\WINNT\system32\vtsqo.dll
C:\WINNT\system32\vtsqo.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 7:18:23 PM 23/05/2007

Listing files found while scanning....

No infected files were found.

Now I'll go back and continue.

Erik

Offline erikh

« Reply #4 on: May 23, 2007, 06:34:56 AM »
SmitFraudFix v2.186

Scan done at 21:32:01.78, Wed 23/05/2007
Run from C:\Documents and Settings\Erik Halbert\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Erik Halbert


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Erik Halbert\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ERIKHA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~3\\GOEC62~1.DLL"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NDIS 5.0 driver
DNS Server Search Order: 203.23.236.66
DNS Server Search Order: 203.23.236.69

Description: USB to Ethernet (LAN) Viking Driver
DNS Server Search Order: 211.29.132.12
DNS Server Search Order: 198.142.0.51

HKLM\SYSTEM\CCS\Services\Tcpip\..\{83E2AFDE-A9F1-4D59-BCED-F9D356FEF9BF}: DhcpNameServer=211.29.132.12 198.142.0.51
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E268C38B-2F85-40EC-8865-249169241F28}: NameServer=203.23.236.66,203.23.236.69
HKLM\SYSTEM\CS1\Services\Tcpip\..\{83E2AFDE-A9F1-4D59-BCED-F9D356FEF9BF}: DhcpNameServer=211.29.132.12 198.142.0.51
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E268C38B-2F85-40EC-8865-249169241F28}: NameServer=203.23.236.66,203.23.236.69
HKLM\SYSTEM\CS2\Services\Tcpip\..\{83E2AFDE-A9F1-4D59-BCED-F9D356FEF9BF}: DhcpNameServer=211.29.132.12 198.142.0.51
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E268C38B-2F85-40EC-8865-249169241F28}: NameServer=203.23.236.66,203.23.236.69
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=211.29.132.12 198.142.0.51
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=211.29.132.12 198.142.0.51
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=211.29.132.12 198.142.0.51


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:23:36 PM, on 23/05/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: (no name) - {00147984-D416-4103-BA98-5313159EE782} - C:\WINNT\system32\epjclmql.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {9D20197E-B1C6-490B-BEB9-833851449936} - C:\WINNT\system32\vtsqo.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Desktop Service Centre] "C:\Program Files\OptusNet DSL Internet\DSC.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IMONTRAY] "C:\Program Files\Intel\Intel® Active Monitor\imontray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EssentialPIM] "C:\Program Files\EssentialPIM\EssentialPIM.exe" /autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1164633796468
O17 - HKLM\System\CCS\Services\Tcpip\..\{E268C38B-2F85-40EC-8865-249169241F28}: NameServer = 203.23.236.66,203.23.236.69
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - C:\WINNT\system32\dssdll32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

I am resending this because the previous send may have got lost.
Looking forward to your thoughts on this.
regards, Erik

Offline guestolo

« Reply #5 on: May 23, 2007, 09:41:43 AM »
Do a "System scan only" with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {00147984-D416-4103-BA98-5313159EE782} - C:\WINNT\system32\epjclmql.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {9D20197E-B1C6-490B-BEB9-833851449936} - C:\WINNT\system32\vtsqo.dll (file missing)

O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - C:\WINNT\system32\dssdll32.dll (file missing)


After you have ticked the above entries, close all other open windows, including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.

Reboot your computer

Back in Windows
Download Deckard's System Scanner to your Desktop from either of these locations:

    * http://deckard.geekstogo.com/dss.exe
    * http://www.techsupportforum.com/sectools/Deckard/dss.exe


   1. Close all applications and windows.
   2. Double-click on dss.exe to run it, and follow the prompts.
   3. When the scan is complete, a text file will open - Main.txt
   4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your reply back here
   5. A folder, C:\Deckard, will also open. In it will be another text file, Extra.txt.
   6. Post the contents of Extra.txt also

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

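The entries guestolo picks out share two traits that are visible in the logs themselves: either the registry entry points at a file that no longer exists (the "(file missing)" and "(no file)" BHOs left behind once VundoFix deleted vtsqo.dll and friends), or a randomly named DLL sitting in system32 is wired into a logon-time load point (the rundll32 [setup] entry loading pwcbkrcg.dll in the first log, and the SSODL entry loading dssdll32.dll). The Python script below is an added example, not part of this thread or of HijackThis; it applies those two rules to a few lines copied from the logs above. The KNOWN_GOOD_DLLS allowlist is an assumption made for this demo: the legitimate NvCpl.dll also fails the random-name heuristic, which is exactly why a name heuristic has to be paired with publisher/signature verification rather than used on its own.

```python
"""Triage HijackThis entries with the two rules used in this thread.

Added example, not part of the forum post or of HijackThis itself. The sample
lines are copied from the logs posted above, with the NvCpl.dll and Adobe
entries kept as known-good controls.
"""
import re
from dataclasses import dataclass

# Constructed sample input, taken from the HijackThis logs posted in this thread.
SAMPLE_LINES = [
    r'O2 - BHO: (no name) - {00147984-D416-4103-BA98-5313159EE782} - C:\WINNT\system32\epjclmql.dll (file missing)',
    r'O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll',
    r'O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)',
    r'O2 - BHO: (no name) - {9D20197E-B1C6-490B-BEB9-833851449936} - C:\WINNT\system32\vtsqo.dll (file missing)',
    r'O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [setup] "rundll32.exe" "C:\WINNT\system32\pwcbkrcg.dll",realset',
    r'O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - C:\WINNT\system32\dssdll32.dll',
]

# Assumed allowlist for this demo: vendor DLLs whose names fail the random-name
# heuristic. Real triage confirms a file by publisher signature, not by name.
KNOWN_GOOD_DLLS = {"nvcpl.dll"}

SECTION_RE = re.compile(r"([ROF]\d+)\s+-\s+")
DLL_PATH_RE = re.compile(r'([A-Za-z]:\\[^",]*?\.dll)', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section: O2 (BHO), O4 (Run key), O21 (SSODL), ...
    reason: str
    line: str


def looks_random(filename: str) -> bool:
    """Heuristic for machine-generated names such as pwcbkrcg.dll or vtsqo.dll."""
    stem = re.sub(r"[^a-z]", "", filename.lower().rsplit(".", 1)[0])
    if len(stem) < 5:
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    if vowels == 0 or vowels / len(stem) < 0.25:
        return True
    # Four or more consonants in a row is rare in real product names.
    return re.search(r"[bcdfghjklmnpqrstvwxyz]{4,}", stem) is not None


def triage(lines):
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section = m.group(1)
        # Rule 1: orphaned load points. The registry still references a DLL
        # that is gone (here, files VundoFix had already deleted).
        if line.endswith("(file missing)") or line.endswith("(no file)"):
            findings.append(Finding(section, "orphaned entry: file no longer exists", line))
            continue
        # Rule 2: a random-looking DLL under system32 hooked into a logon-time
        # load point (Run key via rundll32, BHO, SSODL).
        dm = DLL_PATH_RE.search(line)
        if not dm:
            continue
        path = dm.group(1)
        name = path.rsplit("\\", 1)[-1].lower()
        if "\\system32\\" not in path.lower() or name in KNOWN_GOOD_DLLS:
            continue
        if looks_random(name):
            reason = "random-looking DLL name in system32"
            if "rundll32" in line.lower():
                reason += ", loaded via rundll32 from a Run key"
            elif section == "O21":
                reason += ", loaded by the shell (SSODL) at logon"
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports the three orphaned O2 entries, the rundll32 Run key and the SSODL entry, which is the same set of lines guestolo asks to have fixed, while the Adobe BHO and the allowlisted NvCpl.dll entry pass. Orphaned entries are harmless on their own but are worth removing because they show where the infection had hooked itself, and a cleanup that leaves them behind makes the next log harder to read.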


Offline erikh

« Reply #6 on: May 24, 2007, 05:56:28 AM »
When I ran DSS first I got an error message.

"Auto IT V3: Application error.
The instruction at 0x0043ac49 referenced memory at "0x0112e00". The memory could not be "read".
Click on OK to terminate the program.
Click on "Cancel" to debug the program.

I clicked OK and then ran the program again. This time it ran through completely. It did stop at one stage to request permission to access the web. I OK'd that permission.

I have attached the two logs below:

-------------------------------------------------------------------------------------------

Deckard's System Scanner v20070426.43
Run by Erik Halbert on 2007-05-24 at 20:42:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Performed disk cleanup.


-- HijackThis (run as Erik Halbert.exe) ----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:42:25 PM, on 24/05/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Documents and Settings\Erik Halbert\Desktop\dss.exe
C:\HJT\HIJACK~1\Erik Halbert.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Desktop Service Centre] "C:\Program Files\OptusNet DSL Internet\DSC.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IMONTRAY] "C:\Program Files\Intel\Intel® Active Monitor\imontray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EssentialPIM] "C:\Program Files\EssentialPIM\EssentialPIM.exe" /autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1164633796468
O17 - HKLM\System\CCS\Services\Tcpip\..\{E268C38B-2F85-40EC-8865-249169241F28}: NameServer = 203.23.236.66,203.23.236.69
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


-- HijackThis Fixed Entries (C:\HJT\HIJACK~1\backups\) -------------------------

backup-20070524-113945-255 O2 - BHO: (no name) - {9D20197E-B1C6-490B-BEB9-833851449936} - C:\WINNT\system32\vtsqo.dll (file missing)
backup-20070524-113945-475 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
backup-20070524-113945-558 O2 - BHO: (no name) - {00147984-D416-4103-BA98-5313159EE782} - C:\WINNT\system32\epjclmql.dll (file missing)
backup-20070524-113945-650 O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - C:\WINNT\system32\dssdll32.dll (file missing)

-- File Associations -----------------------------------------------------------

.txt - txtfile - shell\open\command - notepad.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 giveio - c:\winnt\system32\giveio.sys
R1 sf (SFI Service) - c:\winnt\system32\drivers\sf.sys <Not Verified; Sonic Focus, Inc; Sonic Focus DSP service driver>
R2 SIODRV - c:\winnt\system32\drivers\siodrv.sys <Not Verified; Intel Corporation; Intel® Active Monitor>
R3 aeaudio - c:\winnt\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
R3 SMBios (Intel ® System Management BIOS Service) - c:\winnt\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel ® System Management BIOS Driver>
R3 smbusp (Intel® SMBus 2.0 Driver) - c:\winnt\system32\drivers\smb.sys <Not Verified; Intel Corporation; Intel® SMBus Controller>
R3 smwdm - c:\winnt\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>
R3 UPATC (USBAT Controller Driver) - c:\winnt\system32\drivers\upatc.sys <Not Verified; SCM Microsystems Inc.; USBAT Mass Storage Class Client driver>

S2 dsniff - c:\winnt\system32\drivers\dsniff.sys (file missing)
S3 FreshIO - d:\program files\freshdevices\freshdiagnose\freshio.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>
R2 imonNT (Intel® Active Monitor) - c:\program files\intel\intel® active monitor\imonnt.exe <Not Verified; Intel Corp.; Intel® Active Monitor>
R2 SoundMAX Agent Service (default) (SoundMAX Agent Service) - c:\program files\analog devices\soundmax\smagent.exe <Not Verified; Analog Devices, Inc.; SoundMAX service agent>

S2 NMSAccess -


-- Files created between 2007-04-24 and 2007-05-24 -----------------------------

2007-05-24 11:43:28     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_27c.dat
2007-05-23 21:14:50     53248 --a------ C:\WINNT\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-05-23 18:48:42         0 d-------- C:\VundoFix Backups
2007-05-23 16:50:16     93184 --a------ C:\WINNT\system32\hpsjvset.dll <Not Verified; Hewlett-Packard; Hewlett Packard ScanJet VendorSetup Extension Dynamic Link Library>
2007-05-23 16:50:16       928 --a------ C:\WINNT\system32\hpsj1695.dll
2007-05-23 16:50:14     30720 --a------ C:\WINNT\system32\hpsmui.dll <Not Verified; Hewlett-Packard; Biblioteca de vínculos dinámicos HPSCNMGR>
2007-05-23 16:50:08    350208 --a------ C:\WINNT\system32\ltkrn70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-05-23 16:50:08     55296 --a------ C:\WINNT\system32\ltfil70n.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-05-23 16:50:08     93184 --a------ C:\WINNT\system32\lftif70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-05-23 16:50:08    111104 --a------ C:\WINNT\system32\lfpng70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-05-23 16:50:08     24576 --a------ C:\WINNT\system32\lfbmp70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-05-23 16:50:07     24576 --a------ C:\WINNT\system32\lfpcx70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-05-23 16:50:07     95232 --a------ C:\WINNT\system32\Lfkodak.dll
2007-05-23 16:50:07     32768 --a------ C:\WINNT\system32\lfgif70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-05-23 16:50:07     35328 --a------ C:\WINNT\system32\lffpx70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-05-23 16:50:07    306688 --a------ C:\WINNT\system32\Lffpx7.dll <Not Verified; ; Reference Implementation>
2007-05-23 16:50:07     55808 --a------ C:\WINNT\system32\lffax70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-05-23 16:50:06    224768 --a------ C:\WINNT\system32\LFCMP70n.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-05-23 16:50:05    669696 --a------ C:\WINNT\system32\ipeistor11.dll <Not Verified; Hewlett-Packard Company; IPEISTOR Dynamic Link Library>
2007-05-23 16:50:05    324608 --a------ C:\WINNT\system32\ipebase11.dll <Not Verified; Hewlett-Packard Company; IPEBASE Dynamic Link Library>
2007-05-23 16:50:05     66560 --a------ C:\WINNT\system32\ipeapi11.dll <Not Verified; Hewlett-Packard Company; IPEAPI Dynamic Link Library>
2007-05-23 16:50:01         0 d-------- C:\WINNT\system32\Iosubsys
2007-05-23 16:50:01         0 d-------- C:\Program Files\Hewlett-Packard
2007-05-23 16:49:43    312323 --a------ C:\WINNT\IsUn040a.exe <Not Verified; InstallShield Software Corporation, Inc.; InstallShield unInstaller>
2007-05-23 16:49:24         0 d-------- C:\sj662
2007-05-23 16:08:55     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_594.dat
2007-05-22 18:47:01     57344 --a------ C:\WINNT\uneng.exe <Not Verified; Roxio; Roxio Update Wizard>
2007-05-22 18:36:03   1286036 ---h----- C:\WINNT\ShellIconCache
2007-05-22 16:08:42     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_564.dat
2007-05-22 13:31:28         0 d-------- C:\HJT
2007-05-22 12:57:13     90112 -----n--- C:\WINNT\SDUnInst.exe <Not Verified; Software Design; UnInstaller Utility for Windows>
2007-05-22 11:18:58    288417 --a------ C:\WINNT\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-05-22 11:18:58     51200 --a------ C:\WINNT\system32\dumphive.exe
2007-05-22 09:28:14     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_280.dat
2007-05-21 23:39:07         0 d-------- C:\WINNT\Content.IE5
2007-05-21 19:22:17         0 d-------- C:\Program Files\Webroot
2007-05-21 19:22:17         0 d-------- C:\Documents and Settings\Erik Halbert\Application Data\Webroot
2007-05-21 19:22:17         0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-05-21 19:10:59       164 --a------ C:\install.dat
2007-05-20 23:19:18         0 d-------- C:\Program Files\Contacts Express
2007-05-20 19:56:35     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4a0.dat
2007-05-20 19:56:20         0 d-------- C:\{800186A2-0000-0000-42B1-6931FF534416}
2007-05-20 19:56:20         0 d-------- C:\{800011F0-0000-0000-C19F-B3DADF7CDA58}
2007-05-20 17:35:45         0 d-------- C:\Program Files\Windows Live Safety Center
2007-05-20 15:34:16         0 d-------- C:\Program Files\Common Files\Scanner
2007-05-19 09:25:43     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_490.dat
2007-05-12 06:48:42     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_284.dat
2007-05-11 08:38:28         0 d-------- C:\Program Files\Open Contacts
2007-05-10 18:50:57         0 d-------- C:\Program Files\Software by Design
2007-05-10 12:37:39     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_6d8.dat
2007-05-10 07:30:52    724429 --a------ C:\WINNT\system32\dfl1z32.dll
2007-05-09 22:37:37         0 d-------- C:\Documents and Settings\Erik Halbert\Application Data\EssentialPIM
2007-05-09 22:37:30         0 d-------- C:\Program Files\EssentialPIM
2007-05-09 14:42:19     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_274.dat
2007-05-09 14:30:56      3354 --a------ C:\WINNT\system32\tmp.reg
2007-05-09 13:07:37         0 d-------- C:\Program Files\Enigma Software Group
2007-05-09 08:06:42    398416 --a------ C:\WINNT\system32\vbrun300.dll <Not Verified; Microsoft Corporation; Visual Basic 3.0>
2007-05-09 08:06:42     71696 --a------ C:\WINNT\system32\pdirjet.dll <Not Verified; Crystal Computer Services, Inc.; Crystal Reports For Windows>
2007-05-09 08:06:42    101904 --a------ C:\WINNT\system32\pdbjet.dll <Not Verified; Crystal Computer Services, Inc.; Crystal Reports For Windows>
2007-05-09 08:06:42    995056 --a------ C:\WINNT\system32\msajt200.dll <Not Verified; Microsoft Corporation; Microsoft® Access>
2007-05-09 08:06:42     17440 --a------ C:\WINNT\system32\msajt112.dll <Not Verified; Microsoft Corporation; Microsoft® Access>
2007-05-09 08:06:42    910848 --a------ C:\WINNT\system32\crpe.dll <Not Verified; Crystal Computer Services, Inc.; Crystal Reports For Windows>
2007-05-09 08:06:42         0 d-------- C:\Program Files\Manage Your Contacts
2007-05-09 07:25:53     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_7c4.dat
2007-05-08 18:20:50         0 d-------- C:\Program Files\jv16 PowerTools
2007-05-08 07:11:02     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2a8.dat
2007-05-07 22:20:15         0 d-------- C:\Program Files\SmartDB_V34
2007-05-07 18:28:17     31232 --a------ C:\WINNT\system32\28155622ld.exe
2007-05-07 18:18:27     31232 --a------ C:\WINNT\system32\18261092ld.exe
2007-05-07 17:58:22     31232 --a------ C:\WINNT\system32\58204682ld.exe
2007-05-07 17:38:54     31232 --a------ C:\WINNT\system32\38534372ld.exe
2007-05-07 17:20:18     31232 --a------ C:\WINNT\system32\2016152ld.exe
2007-05-07 15:34:09     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2ac.dat
2007-05-07 08:35:33         2 --a------ C:\-1674251272
2007-05-06 22:03:31         0 d-------- C:\dbworx
2007-05-04 10:35:01         0 d-------- C:\Program Files\WinPIM
2007-05-03 18:51:55         0 d-------- C:\Program Files\RegistryFix
2007-05-03 13:44:18         0 d-------- C:\Program Files\Uniblue
2007-05-03 10:28:53         0 d-------- C:\Documents and Settings\Erik Halbert\Application Data\CDBurnerXPP
2007-05-03 10:16:37         0 d-------- C:\Program Files\CDBurnerXP
2007-05-02 01:01:22         0 d-------- C:\Program Files\TreeDBNotes
2007-04-30 23:49:46         0 d-------- C:\Program Files\BiblioExpress
2007-04-30 23:45:23         0 d-------- C:\Program Files\BiblioExpress 3
2007-04-26 22:26:13         0 d-------- C:\Program Files\Registrar Lite
2007-04-26 20:56:36         0 d-------- C:\Program Files\Wise Disk Cleaner
2007-04-26 20:53:49         0 d-------- C:\Program Files\Wise Registry Cleaner


-- Find3M Report ---------------------------------------------------------------

2007-05-23 16:51:06      1480 --a------ C:\WINNT\AUTOLNCH.REG
2007-05-22 22:17:58         0 d-------- C:\Program Files\a-squared Free
2007-05-22 18:47:01         0 d-------- C:\Program Files\Common Files\Adaptec Shared
2007-05-22 12:12:59         0 d-------- C:\Program Files\Yahoo!
2007-05-22 09:27:22         0 d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-05-20 22:49:32         0 d-------- C:\Program Files\7-Zip
2007-05-20 22:49:21         0 d-------- C:\Program Files\Apple Software Update
2007-05-20 22:48:54         0 d-------- C:\Program Files\Family Tree Legends
2007-05-20 22:48:51         0 d-------- C:\Program Files\ffdshow
2007-05-20 22:48:42         0 d-------- C:\Program Files\gs
2007-05-20 22:48:40         0 d-------- C:\Program Files\Intel Desktop Board Audio Driver
2007-05-20 22:48:19         0 d-------- C:\Program Files\Kalender
2007-05-20 22:48:15         0 d-------- C:\Program Files\QuickTime
2007-05-20 22:48:15         0 d-------- C:\Program Files\On Station
2007-05-20 22:48:04         0 d-------- C:\Program Files\RegScrubXP
2007-05-20 22:48:00         0 d-------- C:\Program Files\tinySpell
2007-05-20 22:47:53         0 d-------- C:\Program Files\Windows NT
2007-05-16 10:57:45         0 d-------- C:\Program Files\Microsoft.NET
2007-05-12 08:50:36         0 d-------- C:\Documents and Settings\Erik Halbert\Application Data\UK's Kalender
2007-05-09 19:49:25         0 d-------- C:\Documents and Settings\Erik Halbert\Application Data\Adobe
2007-05-08 17:03:22         0 d-------- C:\Program Files\Common Files\Art Plus Uninstall
2007-05-08 11:52:37         0 d-------- C:\Program Files\TreePadLite
2007-05-07 08:33:39         0 d-------- C:\Program Files\HDD Thermometer
2007-05-03 13:44:24         0 d-------- C:\Documents and Settings\Erik Halbert\Application Data\Uniblue
2007-04-27 12:11:52         0 d-------- C:\Documents and Settings\Erik Halbert\Application Data\gtk-2.0
2007-04-26 21:05:54         0 d-------- C:\Program Files\Atlantis Nova
2007-04-26 21:05:41         0 d-------- C:\Program Files\WinCAPS
2007-04-19 14:08:23         0 d-------- C:\Program Files\Micro-Sys Software
2007-04-17 18:50:12     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2a0.dat
2007-04-11 17:33:46         0 d-------- C:\Program Files\Ghostgum
2007-04-11 14:05:22         0 d-------- C:\Program Files\FastStone Capture
2007-04-09 13:51:29         0 d-------- C:\Documents and Settings\Erik Halbert\Application Data\MailFrontier
2007-04-06 14:40:52         0 d-------- C:\Program Files\ScreenPrint32 v3
2007-04-03 10:25:23      4212 ---h----- C:\WINNT\system32\zllictbl.dat
2007-04-02 17:16:35         0 d-------- C:\Documents and Settings\Erik Halbert\Application Data\ACD Systems
2007-04-02 13:29:51         0 d-------- C:\Program Files\Common Files\ACD Systems
2007-04-02 13:29:47         0 d-------- C:\Program Files\ACD Systems


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"SoundMAXPnP"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe\""
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"Desktop Service Centre"="\"C:\\Program Files\\OptusNet DSL Internet\\DSC.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"IMONTRAY"="\"C:\\Program Files\\Intel\\Intel® Active Monitor\\imontray.exe\""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"HP Lamp"="\"C:\\Program Files\\Hewlett-Packard\\HP PrecisionScan\\PrecisionScan\\HPLamp.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"EssentialPIM"="\"C:\\Program Files\\EssentialPIM\\EssentialPIM.exe\" /autorun"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9A072AA0-A30B-4717-A573-4511BB05F6AC}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
   Authentication Packages REG_MULTI_SZ    msv1_0
   Security Packages REG_MULTI_SZ    kerberosmsv1_0schannel
   Notification Packages REG_MULTI_SZ    scecli

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService
 
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ    RpcSs
wugroup REG_MULTI_SZ    wuauserv
BITSgroup REG_MULTI_SZ    BITS

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
gb

 

-- End of Deckard's System Scanner: finished at 2007-05-24 at 20:43:47 ---------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Deckard's System Scanner v20070426.43
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
CPU 1: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 36%
Physical Memory (total/avail): 1022.73 MiB / 651.83 MiB
Pagefile Memory (total/avail): 2461.66 MiB / 2105.07 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1988.38 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 24.25 GiB free.
D: is Fixed (FAT32) - 12.29 GiB total, 2.31 GiB free.
E: is Fixed (FAT32) - 12.48 GiB total, 2.49 GiB free.
F: is Fixed (FAT32) - 12.47 GiB total, 4.6 GiB free.
G: is CDROM (No Media)
I: is Removable (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Erik Halbert\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=P4-28
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Erik Halbert
LOGONSERVER=\\P4-28
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\QuickTime\QTSystem\;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ERIKHA~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ERIKHA~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=P4-28
USERNAME=Erik Halbert
USERPROFILE=C:\Documents and Settings\Erik Halbert
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Erik Halbert (admin)


-- Add/Remove Programs ---------------------------------------------------------

 --> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
7-Zip 4.43 beta --> "C:\Program Files\7-Zip\Uninstall.exe"
a-squared Free 2.1 --> "C:\Program Files\a-squared Free\unins000.exe"
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
ACDSee 4.0.1 Standard --> MsiExec.exe /I{4CCAE0E7-757D-4095-9A30-F6B9584459B2}
Adobe Flash Player 9 ActiveX --> C:\WINNT\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Illustrator CS --> RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{91A4AD99-69CE-4745-97B7-0E0DFBECFDE5}\setup.exe"
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Apple Software Update --> MsiExec.exe /I{55FA89BD-21D3-42F7-9249-C94C0094A83C}
Atlantis Nova --> "C:\Program Files\Atlantis Nova\Atlantis.exe" -ui
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CDBurnerXP --> "C:\Program Files\CDBurnerXP\unins000.exe"
CDBurnerXP Pro 3 --> MsiExec.exe /I{896D642C-7125-44F0-AC49-A23ABF82209C}
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Contacts Express v1.1 --> "C:\Program Files\Contacts Express\unins000.exe"
CorelDRAW Graphics Suite 12 --> MsiExec.exe /I{505AFDC0-5E72-4928-8368-5DEA385E3647}
dBworx ver 3.8 (Freeware) --> C:\dbworx\unins000.exe
DeepBurner v1.8.0.224 --> "C:\Program Files\Astonsoft\DeepBurner\Uninstall.exe" "C:\Program Files\Astonsoft\DeepBurner\install.log"
DirectVobSub (remove only) --> "C:\Program Files\DirectVobSub\uninstall.exe"
Disk CleanUp --> C:\WINNT\SDUnInst.exe c:\program files\software by design\cleanup.uni
EPSON Printer Software --> C:\WINNT\system32\spool\DRIVERS\W32X86\2\EPUPDATE.EXE /r
EssentialPIM --> C:\Program Files\EssentialPIM\uninstall.exe
Eusing Free Registry Cleaner --> C:\PROGRA~1\EUSING~2\UNWISE.EXE C:\PROGRA~1\EUSING~2\INSTALL.LOG
Family Tree Legends --> MsiExec.exe /I{1ED6CA46-633C-46CD-9D0F-2A8AE225E8A6}
FastStone Capture 4.8 --> C:\Program Files\FastStone Capture\uninst.exe
FastStone Image Viewer 2.9 Beta 2 --> C:\Program Files\FastStone Image Viewer\uninst.exe
ffdshow (remove only) --> "C:\Program Files\ffdshow\uninstall.exe"
ffdshow [rev 610] [2006-12-01] --> "C:\Program Files\ffdshow\unins000.exe"
FreeZip --> rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\freezip.inf,Uninstall
FreshDiagnose --> "C:\Program Files\FreshDevices\FreshDiagnose\unins000.exe"
FreshUI --> "C:\Program Files\FreshDevices\FreshUI\unins000.exe"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9  -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
HDD Thermometer --> C:\Program Files\HDD Thermometer\uninstall.exe
HijackThis 1.99.1 --> F:\Programs Downloaded\HijackThis\hijackthis060108\HijackThis.exe /uninstall
HP PrecisionScan --> C:\WINNT\IsUn040a.exe -f"C:\Program Files\Hewlett-Packard\HP PrecisionScan\Uninst.isu" -c"C:\Program Files\Hewlett-Packard\HP PrecisionScan\ISTech\OCR\OCRUninst.dll"
Intel® PRO Network Connections --> MsiExec.exe /I{111A3D14-7596-43B0-92BA-418435C90672}
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
jv16 PowerTools 1.3 --> "C:\Program Files\jv16 PowerTools\unins000.exe"
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 --> C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Project Professional 2003 --> MsiExec.exe /I{903B0409-6000-11D3-8CFE-0150048383C9}
Microsoft Windows Media Video 9 VCM --> RunDll32 advpack.dll,LaunchINFSection C:\WINNT\INF\wmv9vcm.inf, Uninstall
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
Open Contacts v4.0 --> "C:\Program Files\Open Contacts\unins000.exe"
Opera 9.02 --> MsiExec.exe /X{F4EE98D3-507A-4160-8F65-710C37A8FBB8}
OptusNet DSL --> C:\Program Files\OptusNet DSL Internet\Uninstall.exe
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
Registry Mechanic 6.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
RegScrubXP 3.25 --> "C:\Program Files\RegScrubXP\unins000.exe"
Security Update for Microsoft .NET Framework 2.0 (KB917283) --> C:\WINNT\system32\msiexec.exe /promptrestart /uninstall {967B098A-042D-4367-BAC9-8BC11684174F} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Microsoft .NET Framework 2.0 (KB922770) --> C:\WINNT\system32\msiexec.exe /promptrestart /uninstall {0E92DD42-76F5-4EF2-B381-F9C1D72BE23D} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Windows 2000 (KB904706) -->
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\100\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9  -removeonly
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
tinySpell 1.5 --> "C:\Program Files\tinySpell\unins000.exe"
UK's Kalender 2.0.1 --> "C:\Program Files\Kalender\unins000.exe"
Unlocker 1.8.4 --> C:\Program Files\Unlocker\uninst.exe
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinPad v3.04.1 --> "C:\Program Files\WinPad\unins000.exe"
Wise Disk Cleaner 2.2 --> "C:\Program Files\Wise Disk Cleaner\unins000.exe"
Wise Registry Cleaner 2.4 --> "C:\Program Files\Wise Registry Cleaner\unins000.exe"
Xara Xtreme --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C15B9AD0-EBC3-4903-8A7A-BB9E40C28850}\Setup.exe" -l0x9
Yahoo! Anti-Spy --> C:\PROGRA~1\Yahoo!\Common\unypsr.exe
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- End of Deckard's System Scanner: finished at 2007-05-24 at 20:43:47 ---------


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I should add that even at this stage my machine is running much better.

regards, Erik

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Smitfraud and incessant popups.
« Reply #7 on: May 24, 2007, 10:36:08 PM »
We should repair your text association, this is probably causing problems
I had you download DSS.exe earlier
Can you Right click on DSS.exe and select COPY
Open MyComputer>>Local Disk C: and PASTE a copy there please
So you now have C:\DSS.exe

Go to START>>RUN
Copy and Paste the following to the Run command and then click OK

C:\dss.exe /daft

Deckard's system scanner should open
Click the SCAN button
Put a tick next to .txt
Then click the FIX button
Rescan again, you should be prompted that All Associations are OK
Click the Save log button, save the log to desktop, let me see it later please

I would like to run another scanner on your computer, just to ensure we have you clean

==Download AVG Anti-Spyware 7.5
  • Save the installer to desktop
  • Double click the installer, select your language, and then select "OK"
  • Click NEXT>>>Select I Agree>>>NEXT>>>INSTALL
  • AVG will now install and afterwards click FINISH
  • AVG Anti-Spyware 7.5 should now Load
  • Click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner tab at the top
  • Click the "Settings" tab and then change the recommended action under "How to Act" to Quarantine and ensure that "Automatically generate report after every scan" IS selected and
    "Only if Threats are found" IS NOT selected
CLOSE AVG-Antispyware for now, as we will need it later
An AVG icon will be placed in your system tray next to your clock, can you right click on it and uncheck
"Resident Shield", "Automatic updates" and "Start with Windows"

==Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

 
Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9A072AA0-A30B-4717-A573-4511BB05F6AC}"=-


Double click on fix.reg and allow to add/merge to the registry at the prompt

Reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Load AVG Anti-Spyware 7.5
  • Click on the Scanner tab at the top
  • Click on Complete System Scan.
    This scan can take a while to run, let it run uninterrupted
  • When the scan is complete it will list any infections found on the left hand side.
  • Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file (like on the Desktop).
I will need to see this log later

Restart the computer back to Normal windows

Back in Windows
Download this file - Combofix.exe and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back the following
1. Post the log from Combofix
2. Post a fresh hijackthis log
3. Post the Whole report from AVG-Antispyware
4. Post the text file from dss.exe also
« Last Edit: May 24, 2007, 10:36:30 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline erikh

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
Smitfraud and incessant popups.
« Reply #8 on: May 25, 2007, 06:08:19 PM »
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1. Combofix Log.

"Erik Halbert" - 26/05/2007  8:49:45    Service Pack 4  
ComboFix 07-05.26.V - Running from: "C:\Documents and Settings\Erik Halbert\Desktop\"


((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\install.log"


(((((((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_GB
-------\LEGACY_LDRSVC
-------\LEGACY_WINDBG48
-------\gb
-------\nm
-------\windbg48


(((((((((((((((((((((((((((((((   Files Created from 2007-04-05 to 2007-05-26  ))))))))))))))))))))))))))))))))))


2007-05-26 09:00 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_854.dat
2007-05-26 09:00 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_278.dat
2007-05-25 22:40 465,678 --a------ C:\dss.exe
2007-05-25 18:37 <DIR> d-------- C:\DOCUME~1\ERIKHA~1\APPLIC~1\NewzToolz
2007-05-25 18:36 <DIR> d-------- C:\Program Files\NewzToolz
2007-05-25 09:25 16,384 --a------ C:\WINNT\system32\FileOps.exe
2007-05-24 23:22 <DIR> d-a------ C:\WINNT\system32\appmgmt
2007-05-24 22:41 <DIR> d-------- C:\WINNT\Corel
2007-05-24 20:38 <DIR> d-------- C:\Deckard
2007-05-23 21:14 53,248 --a------ C:\WINNT\system32\Process.exe
2007-05-23 18:48 <DIR> d-------- C:\VundoFix Backups
2007-05-23 16:50 95,232 --a------ C:\WINNT\system32\Lfkodak.dll
2007-05-23 16:50 93,184 --a------ C:\WINNT\system32\lftif70n.dll
2007-05-23 16:50 93,184 --a------ C:\WINNT\system32\hpsjvset.dll
2007-05-23 16:50 928 --a------ C:\WINNT\system32\hpsj1695.dll
2007-05-23 16:50 669,696 --a------ C:\WINNT\system32\ipeistor11.dll
2007-05-23 16:50 66,560 --a------ C:\WINNT\system32\ipeapi11.dll
2007-05-23 16:50 55,808 --a------ C:\WINNT\system32\lffax70n.dll
2007-05-23 16:50 55,296 --a------ C:\WINNT\system32\ltfil70n.DLL
2007-05-23 16:50 350,208 --a------ C:\WINNT\system32\ltkrn70n.dll
2007-05-23 16:50 35,328 --a------ C:\WINNT\system32\lffpx70n.dll
2007-05-23 16:50 324,608 --a------ C:\WINNT\system32\ipebase11.dll
2007-05-23 16:50 32,768 --a------ C:\WINNT\system32\lfgif70n.dll
2007-05-23 16:50 306,688 --a------ C:\WINNT\system32\Lffpx7.dll
2007-05-23 16:50 30,720 --a------ C:\WINNT\system32\hpsmui.dll
2007-05-23 16:50 24,576 --a------ C:\WINNT\system32\lfpcx70n.dll
2007-05-23 16:50 24,576 --a------ C:\WINNT\system32\lfbmp70n.dll
2007-05-23 16:50 224,768 --a------ C:\WINNT\system32\LFCMP70n.DLL
2007-05-23 16:50 111,104 --a------ C:\WINNT\system32\lfpng70n.dll
2007-05-23 16:50 <DIR> d-------- C:\WINNT\system32\Iosubsys
2007-05-23 16:50 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-05-23 16:49 312,323 --a------ C:\WINNT\IsUn040a.exe
2007-05-23 16:49 <DIR> d-------- C:\sj662
2007-05-22 18:47 57,344 --a------ C:\WINNT\uneng.exe
2007-05-22 18:46 81,408 --a------ C:\WINNT\system32\logagent.exe
2007-05-22 14:57 3,968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-05-22 13:31 <DIR> d-------- C:\HJT
2007-05-22 12:57 90,112 --------- C:\WINNT\SDUnInst.exe
2007-05-22 11:18 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-05-22 11:18 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-05-21 23:39 <DIR> d-------- C:\WINNT\Content.IE5
2007-05-21 19:22 24,128 --a------ C:\WINNT\system32\drivers\sskbfd.sys
2007-05-21 19:22 22,080 --a------ C:\WINNT\system32\drivers\sshrmd.sys
2007-05-21 19:22 20,544 --a------ C:\WINNT\system32\drivers\SSFS0BB8.sys
2007-05-21 19:22 158,784 --a------ C:\WINNT\system32\drivers\ssidrv.sys
2007-05-21 19:22 1,515,584 --a------ C:\WINNT\WRSetup.dll
2007-05-21 19:22 <DIR> d-------- C:\Program Files\Webroot
2007-05-21 19:22 <DIR> d-------- C:\DOCUME~1\ERIKHA~1\APPLIC~1\Webroot
2007-05-21 19:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-05-21 19:10 164 --a------ C:\install.dat
2007-05-20 23:19 <DIR> d-------- C:\Program Files\Contacts Express
2007-05-20 19:56 <DIR> d-------- C:\{800186A2-0000-0000-42B1-6931FF534416}
2007-05-20 19:56 <DIR> d-------- C:\{800011F0-0000-0000-C19F-B3DADF7CDA58}
2007-05-20 17:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-05-20 16:51 3,968 --a------ C:\WINNT\system32\drivers\AvgArCln.sys
2007-05-20 15:34 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-05-11 08:38 <DIR> d-------- C:\Program Files\Open Contacts
2007-05-10 18:50 <DIR> d-------- C:\Program Files\Software by Design
2007-05-10 07:30 724,429 --a------ C:\WINNT\system32\dfl1z32.dll
2007-05-09 22:37 <DIR> d-------- C:\Program Files\EssentialPIM
2007-05-09 22:37 <DIR> d-------- C:\DOCUME~1\ERIKHA~1\APPLIC~1\EssentialPIM
2007-05-09 14:30 3,354 --a------ C:\WINNT\system32\tmp.reg
2007-05-09 13:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-09 08:06 995,056 --a------ C:\WINNT\system32\msajt200.dll
2007-05-09 08:06 910,848 --a------ C:\WINNT\system32\crpe.dll
2007-05-09 08:06 71,696 --a------ C:\WINNT\system32\pdirjet.dll
2007-05-09 08:06 398,416 --a------ C:\WINNT\system32\vbrun300.dll
2007-05-09 08:06 17,440 --a------ C:\WINNT\system32\msajt112.dll
2007-05-09 08:06 101,904 --a------ C:\WINNT\system32\pdbjet.dll
2007-05-09 08:06 <DIR> d-------- C:\Program Files\Manage Your Contacts
2007-05-08 18:20 <DIR> d-------- C:\Program Files\jv16 PowerTools
2007-05-07 22:20 <DIR> d-------- C:\Program Files\SmartDB_V34
2007-05-07 18:28 31,232 --a------ C:\WINNT\system32\28155622ld.exe
2007-05-07 18:18 31,232 --a------ C:\WINNT\system32\18261092ld.exe
2007-05-07 17:58 31,232 --a------ C:\WINNT\system32\58204682ld.exe
2007-05-07 17:38 31,232 --a------ C:\WINNT\system32\38534372ld.exe
2007-05-07 17:20 31,232 --a------ C:\WINNT\system32\2016152ld.exe
2007-05-06 22:03 <DIR> d-------- C:\dbworx
2007-05-04 10:35 <DIR> d-------- C:\Program Files\WinPIM
2007-05-03 18:51 <DIR> d-------- C:\Program Files\RegistryFix
2007-05-03 13:44 <DIR> d-------- C:\Program Files\Uniblue
2007-05-03 10:28 <DIR> d-------- C:\DOCUME~1\ERIKHA~1\APPLIC~1\CDBurnerXPP
2007-05-03 10:16 <DIR> d-------- C:\Program Files\CDBurnerXP
2007-05-02 01:01 <DIR> d-------- C:\Program Files\TreeDBNotes
2007-04-30 23:49 <DIR> d-------- C:\Program Files\BiblioExpress
2007-04-30 23:45 <DIR> d-------- C:\Program Files\BiblioExpress 3
2007-04-26 22:26 <DIR> d-------- C:\Program Files\Registrar Lite
2007-04-26 20:56 <DIR> d-------- C:\Program Files\Wise Disk Cleaner
2007-04-26 20:53 <DIR> d-------- C:\Program Files\Wise Registry Cleaner


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-24 12:51:40 -------- d-----w C:\Program Files\Corel
2007-05-24 12:46:27 -------- d-----w C:\DOCUME~1\ERIKHA~1\APPLIC~1\Corel
2007-05-23 06:51:06 1,480 ----a-w C:\WINNT\AUTOLNCH.REG
2007-05-22 12:17:58 -------- d-----w C:\Program Files\a-squared Free
2007-05-22 08:47:01 -------- d-----w C:\Program Files\Common Files\Adaptec Shared
2007-05-22 02:12:59 -------- d-----w C:\Program Files\Yahoo!
2007-05-21 23:27:22 -------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2007-05-20 12:49:32 -------- d-----w C:\Program Files\7-Zip
2007-05-20 12:49:21 -------- d-----w C:\Program Files\Apple Software Update
2007-05-20 12:48:54 -------- d-----w C:\Program Files\Family Tree Legends
2007-05-20 12:48:51 -------- d-----w C:\Program Files\ffdshow
2007-05-20 12:48:42 -------- d-----w C:\Program Files\gs
2007-05-20 12:48:40 -------- d-----w C:\Program Files\Intel Desktop Board Audio Driver
2007-05-20 12:48:19 -------- d-----w C:\Program Files\Kalender
2007-05-20 12:48:15 -------- d-----w C:\Program Files\QuickTime
2007-05-20 12:48:15 -------- d-----w C:\Program Files\On Station
2007-05-20 12:48:04 -------- d-----w C:\Program Files\RegScrubXP
2007-05-20 12:48:00 -------- d-----w C:\Program Files\tinySpell
2007-05-20 12:47:53 -------- d-----w C:\Program Files\Windows NT
2007-05-16 00:57:45 -------- d-----w C:\Program Files\Microsoft.NET
2007-05-11 22:50:36 -------- d-----w C:\DOCUME~1\ERIKHA~1\APPLIC~1\UK's Kalender
2007-05-08 07:03:22 -------- d-----w C:\Program Files\Common Files\Art Plus Uninstall
2007-05-08 01:52:37 -------- d-----w C:\Program Files\TreePadLite
2007-05-06 22:33:39 -------- d-----w C:\Program Files\HDD Thermometer
2007-05-03 03:44:24 -------- d-----w C:\DOCUME~1\ERIKHA~1\APPLIC~1\Uniblue
2007-04-30 15:46:10 745,600 ----a-w C:\WINNT\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINNT\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINNT\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINNT\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINNT\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINNT\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINNT\system32\AVASTSS.scr
2007-04-27 02:11:52 -------- d-----w C:\DOCUME~1\ERIKHA~1\APPLIC~1\gtk-2.0
2007-04-26 11:05:54 -------- d-----w C:\Program Files\Atlantis Nova
2007-04-26 11:05:41 -------- d-----w C:\Program Files\WinCAPS
2007-04-19 04:08:23 -------- d-----w C:\Program Files\Micro-Sys Software
2007-04-11 07:33:46 -------- d-----w C:\Program Files\Ghostgum
2007-04-11 04:05:22 -------- d-----w C:\Program Files\FastStone Capture
2007-04-09 03:51:29 -------- d-----w C:\DOCUME~1\ERIKHA~1\APPLIC~1\MailFrontier
2007-04-06 04:40:52 -------- d-----w C:\Program Files\ScreenPrint32 v3
2007-04-06 04:40:23 249,856 ------w C:\WINNT\Setup1.exe
2007-04-05 07:17:39 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-04-03 00:25:23 4,212 ---h--w C:\WINNT\system32\zllictbl.dat
2007-04-02 07:16:35 -------- d-----w C:\DOCUME~1\ERIKHA~1\APPLIC~1\ACD Systems
2007-04-02 03:29:51 -------- d-----w C:\Program Files\Common Files\ACD Systems
2007-04-02 03:29:47 -------- d-----w C:\Program Files\ACD Systems
2007-03-15 02:23:16 497,496 ----a-w C:\WINNT\system32\XceedZip.dll
2007-03-15 02:19:58 526,184 ----a-w C:\WINNT\system32\XceedCry.dll
2007-03-13 09:44:49 245,520 ----a-w C:\WINNT\system32\WINSRV.DLL
2007-03-08 14:01:42 1,087,216 ----a-w C:\WINNT\system32\zpeng24.dll
2007-03-06 11:17:48 381,200 ----a-w C:\WINNT\system32\USER32.DLL
2007-03-06 11:17:46 38,160 ----a-w C:\WINNT\system32\mf3216.dll
2007-03-06 11:17:46 235,280 ----a-w C:\WINNT\system32\GDI32.DLL
2007-03-06 06:12:21 1,641,936 ----a-w C:\WINNT\system32\WIN32K.SYS


((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [06-12-18 03:16 ]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [07-01-19 22:55 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-20 05:05  C:\WINNT\system32\mobsync.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [04-07-27 12:48 ]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [04-08-06 07:27 ]
"Desktop Service Centre"="C:\Program Files\OptusNet DSL Internet\DSC.exe" [04-09-06 12:50 ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07-05-01 01:42 ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06-12-18 20:03 ]
"IMONTRAY"="C:\Program Files\Intel\Intel® Active Monitor\imontray.exe" [05-05-02 20:21 ]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [07-05-17 10:12 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-09-01 14:57 ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-03-09 00:02 ]
"NvCplDaemon"="RUNDLL32.exe" [01-05-08 22:00  C:\WINNT\system32\rundll32.exe]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [06-08-20 20:48 ]
"HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe" [98-11-24 02:00 ]
"Corel Reminder"="C:\Program Files\Corel\Graphics10\Register\NAVBrowser.exe" [00-10-05 02:23 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 12:09  C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [07-01-27 16:43 ]
"EssentialPIM"="C:\Program Files\EssentialPIM\EssentialPIM.exe" [06-11-20 23:44 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [06-09-29 00:13 ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
WmdmPmSN
 
*Newly Created Service* -IPNAT


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070524-113945-650
O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - C:\WINNT\system32\dssdll32.dll (file missing)

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{280A7B65-8F00-438F-3E5A-1F039433FE60}]

[HKEY_CLASSES_ROOT\CLSID\{280A7B65-8F00-438F-3E5A-1F039433FE60}\InprocServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,73,00,\
  73,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

 

backup-20070524-113945-558
O2 - BHO: (no name) - {00147984-D416-4103-BA98-5313159EE782} - C:\WINNT\system32\epjclmql.dll (file missing)

backup-20070524-113945-475
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

backup-20070524-113945-255
O2 - BHO: (no name) - {9D20197E-B1C6-490B-BEB9-833851449936} - C:\WINNT\system32\vtsqo.dll (file missing)
********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-26 09:00:55
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


********************************************************************

Completion time: 2007-05-26  9:03:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-05-26 09:02

 --- E O F ---

Offline erikh

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
Smitfraud and incessant popups.
« Reply #9 on: May 25, 2007, 06:23:11 PM »
Note:

The only problem was when I ran Combo.fix. After five minutes the program seemed finished and I went to look for C:\profiles\install.log. (I thought that was the final log txt).
An error message came up saying that the registry size was too small and then the system rebooted, and said it was preparing c:combofix.txt. Apart from that, things went as expected, and the files follow.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

2.  Hijackthis Log

Logfile of HijackThis v1.99.1
Scan saved at 9:13:45 AM, on 26/05/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\ComboFix\10397.cfexe
C:\WINNT\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Desktop Service Centre] "C:\Program Files\OptusNet DSL Internet\DSC.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IMONTRAY] "C:\Program Files\Intel\Intel® Active Monitor\imontray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe"
O4 - HKLM\..\Run: [Corel Reminder] "C:\Program Files\Corel\Graphics10\Register\NAVBrowser.exe" /r /i "C:\Program Files\Corel\Graphics10\Register\NavLoad.ini"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EssentialPIM] "C:\Program Files\EssentialPIM\EssentialPIM.exe" /autorun
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1164633796468
O17 - HKLM\System\CCS\Services\Tcpip\..\{E268C38B-2F85-40EC-8865-249169241F28}: NameServer = 203.23.236.66,203.23.236.69
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


3. AVG Antispyware log.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at: 7:15:38 AM 26/05/2007

 + Scan result:

 

C:\VundoFix Backups\byxurqq.dll.bad -> Adware.Virtumonde : Cleaned.
C:\VundoFix Backups\jkklmkk.dll.bad -> Adware.Virtumonde : Cleaned.
C:\Documents and Settings\Erik Halbert\Cookies\erik halbert@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Erik Halbert\Cookies\erik [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Erik Halbert\Cookies\erik halbert@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Erik Halbert\Cookies\erik [email protected][1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Erik Halbert\Cookies\erik halbert@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Erik Halbert\Cookies\erik halbert@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Erik Halbert\Cookies\erik [email protected][1].txt -> TrackingCookie.Hitslink : Cleaned.
C:\Documents and Settings\Erik Halbert\Cookies\erik halbert@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Erik Halbert\Cookies\erik halbert@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Erik Halbert\Cookies\erik [email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Erik Halbert\Cookies\erik [email protected][1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Erik Halbert\Cookies\erik halbert@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Erik Halbert\Cookies\erik [email protected][1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Erik Halbert\Cookies\erik [email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Erik Halbert\Cookies\erik halbert@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.


::Report end

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

4. dss.exe text file.

DAFT Log saved on 2007-05-25 22:43:38
-----------------------------------------------------------------------
All associations okay!


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
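The fix.reg in Reply #7 deletes one ShellExecuteHooks CLSID by hand, and the HijackThis backups in the ComboFix log show the other kind of entry removed in this thread: O2 and O21 load points whose DLL is gone from disk, marked "(file missing)" or "(no file)". As an added example, not part of the thread and not code from HijackThis, the Python below triages HijackThis-style lines: it flags orphaned COM load points, sets aside O23 service lines where the marker sits on a path with a stray double quote (the avast! Mail and Web Scanner entries, whose binaries the same log lists as running processes, so they need checking rather than deleting), and emits a REGEDIT4 removal file in the same format as fix.reg. The sample lines are constructed from entries on this page; the function names are my own.

```python
"""Triage HijackThis-style log lines for orphaned COM load points.

Added example for this thread, not code from the original posts or from HijackThis.
The sample lines are constructed from entries shown on this page; function names are
the author's own.
"""
import re

# Constructed sample (raw strings keep the Windows backslashes literal).
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {00147984-D416-4103-BA98-5313159EE782} - C:\WINNT\system32\epjclmql.dll (file missing)",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)",
    r"O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - C:\WINNT\system32\dssdll32.dll (file missing)",
    r'O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)',
    r"O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe",
])

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")

# Registry key behind each HijackThis section handled here. BHOs are subkeys named by
# CLSID; SSODL entries are values named by CLSID. That distinction decides whether the
# .reg file deletes a key ([-KEY]) or a value ("name"=-), as in the thread's fix.reg.
LOAD_POINTS = {
    "O2": (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects", "subkey"),
    "O21": (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjectDelayLoad", "value"),
}


def parse_line(line):
    """Split one HijackThis O-line into section, CLSID, path and orphan status."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    clsid = CLSID_RE.search(rest)
    # HijackThis prints the binary path as the last " - " separated field.
    path = rest.rsplit(" - ", 1)[-1]
    # "(file missing)" / "(no file)" mark a load point whose binary is gone from disk.
    orphaned = "(file missing)" in rest or "(no file)" in rest
    return {
        "section": section,
        "kind": kind,
        "clsid": clsid.group(0) if clsid else None,
        "path": path,
        "orphaned": orphaned,
    }


def triage(log_text):
    """Return (all entries, orphans safe to remove, entries needing manual verification).

    An orphan whose path carries a stray double quote (an unquoted service path with
    spaces, rendered that way by HijackThis 1.99.1) is set aside: in this thread the same
    log shows ashMaiSv.exe and ashWebSv.exe running, so "file missing" there is not trustworthy.
    """
    entries = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    orphans = [e for e in entries if e["orphaned"] and '"' not in e["path"]]
    verify = [e for e in entries if e["orphaned"] and '"' in e["path"]]
    return entries, orphans, verify


def regedit4_removal(orphans):
    """Emit a REGEDIT4 file, in the style of the thread's fix.reg, deleting each orphan.

    Also removes the orphan's class registration under HKEY_CLASSES_ROOT\\CLSID, which is
    what the HijackThis backup for the O21 entry in this thread shows being taken out.
    """
    out = ["REGEDIT4", ""]
    for e in orphans:
        if e["clsid"] is None or e["section"] not in LOAD_POINTS:
            continue  # O3 toolbars etc. are reported but not handled here
        key, form = LOAD_POINTS[e["section"]]
        if form == "subkey":
            out.append("[-%s\\%s]" % (key, e["clsid"]))
        else:
            out.append("[%s]" % key)
            out.append('"%s"=-' % e["clsid"])
        out.append("[-HKEY_CLASSES_ROOT\\CLSID\\%s]" % e["clsid"])
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    entries, orphans, verify = triage(SAMPLE_LOG)
    for e in verify:
        print("VERIFY MANUALLY:", e["section"], e["kind"], e["path"])
    print(regedit4_removal(orphans))
```

Save the printed text with an .reg extension as in Reply #7 (REGEDIT4 header, "Save as type: All Files") and review it before merging; the entries set aside for verification are where a blind "delete everything flagged" pass would have removed a working antivirus service.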

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Smitfraud and incessant popups.
« Reply #10 on: May 25, 2007, 09:44:24 PM »
Quote
The only problem was when I ran Combo.fix. After five minutes the program seemed finished
When you run combofix, it does advise that it could take up to 10 minutes or twice as long to run
Can you do the following, it seems like it ran to completion
But run it again, even if it appears nothing is happening, give it up to 15 minutes to complete and a log to open

Post back a new log

Also, there are a few files in your dss log I didn't recognize
C:\WINNT\system32\28155622ld.exe
C:\WINNT\system32\18261092ld.exe
C:\WINNT\system32\58204682ld.exe
C:\WINNT\system32\38534372ld.exe
C:\WINNT\system32\2016152ld.exe
Can you do me a favor
Scan at least 2, or all of them
Can you go to either of these links
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html

Use the browse button and navigate to the file on your harddrive

Right click on the file,  and choose Select>>or double click on it
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
How are things running on your end?
« Last Edit: May 25, 2007, 10:08:20 PM by guestolo »

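The helper asks for at least two of the five numeric-prefix ...ld.exe files to be submitted to Jotti or VirusTotal. The ComboFix log lists all five at 31,232 bytes, created about twenty minutes apart, which is consistent with one downloader dropping copies of itself; hashing them first tells you whether one submission covers the whole set. As an added example, not part of the thread, the Python below writes constructed stand-ins into a temporary directory (in place of C:\WINNT\system32), groups the matching files by SHA-256 and records their sizes. The file names follow the log; the contents are invented, and the function names are my own.

```python
"""Group suspected dropper copies by content hash before submitting them for scanning.

Added example, not from the original thread. Writes constructed sample files into a
temporary directory that stands in for C:\\WINNT\\system32; the "<digits>ld.exe" naming
follows the five files listed in the ComboFix log, the contents are made up.
"""
import hashlib
import os
import re
import tempfile

# Naming pattern of the files the helper asked about: digits followed by "ld.exe".
SUSPECT_NAME = re.compile(r"^\d+ld\.exe$", re.IGNORECASE)


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def group_suspects(directory):
    """Return ({sha256: [filenames]}, {filename: size}) for files matching SUSPECT_NAME."""
    groups = {}
    sizes = {}
    for name in sorted(os.listdir(directory)):
        if not SUSPECT_NAME.match(name):
            continue
        full = os.path.join(directory, name)
        groups.setdefault(sha256_of(full), []).append(name)
        sizes[name] = os.path.getsize(full)
    return groups, sizes


def make_constructed_samples(directory):
    """Constructed stand-ins: three identical copies, one same-size variant, one bystander."""
    payload_a = b"MZ" + b"\x90" * 30 + b"constructed-sample-A"
    payload_b = b"MZ" + b"\x90" * 30 + b"constructed-sample-B"  # same length, different content
    files = {
        "28155622ld.exe": payload_a,
        "18261092ld.exe": payload_a,
        "58204682ld.exe": payload_a,
        "38534372ld.exe": payload_b,
        "notepad.exe": b"MZ-not-a-suspect",  # must not match the pattern
    }
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)


def run_demo():
    """Build the constructed directory, group it, and return (groups, sizes)."""
    with tempfile.TemporaryDirectory() as d:
        make_constructed_samples(d)
        return group_suspects(d)


if __name__ == "__main__":
    groups, sizes = run_demo()
    for digest, names in groups.items():
        print(digest[:16], "...", ", ".join("%s (%d bytes)" % (n, sizes[n]) for n in names))
```

Identical digests mean a single upload covers every copy, and a SHA-256 lookup on VirusTotal answers without uploading anything; identical sizes with different digests point to per-download variants, each of which needs its own scan. On the real machine, point group_suspects at C:\WINNT\system32 instead of the temporary directory.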


Offline erikh

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
Smitfraud and incessant popups.
« Reply #11 on: May 25, 2007, 11:04:07 PM »
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Note:
This time ComboFix ran through smoothly and produced a log file in about three minutes. I have attached the file and will do the other checks in a short while.
Erik


"Erik Halbert" - 26/05/2007 13:56:20    Service Pack 4  
ComboFix 07-05.26.V - Running from: "C:\Documents and Settings\Erik Halbert\Desktop\"


(((((((((((((((((((((((((((((((   Files Created from 26/0-01-07 to 26/05/2007  ))))))))))))))))))))))))))))))))))


No new files created in this timespan


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [18/12/06 03:16a]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [19/01/07 10:55p]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [20/06/03 05:05a C:\WINNT\system32\mobsync.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [27/07/04 12:48p]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [06/08/04 07:27a]
"Desktop Service Centre"="C:\Program Files\OptusNet DSL Internet\DSC.exe" [06/09/04 12:50p]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [01/05/07 01:42a]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [18/12/06 08:03p]
"IMONTRAY"="C:\Program Files\Intel\Intel® Active Monitor\imontray.exe" [02/05/05 08:21p]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [17/05/07 10:12a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/09/06 02:57p]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/03/07 12:02a]
"NvCplDaemon"="RUNDLL32.exe" [08/05/01 10:00p C:\WINNT\system32\rundll32.exe]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [20/08/06 08:48p]
"HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe" [24/11/98 02:00a]
"Corel Reminder"="C:\Program Files\Corel\Graphics10\Register\NAVBrowser.exe" [05/10/00 02:23a]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [20/02/01 12:09p C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [27/01/07 04:43p]
"EssentialPIM"="C:\Program Files\EssentialPIM\EssentialPIM.exe" [20/11/06 11:44p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [29/09/06 12:13a]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
WmdmPmSN
 
*Newly Created Service* -IPNAT
*Newly Created Service* -RASAUTO

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-26 13:58:27
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 26/05/2007 13:59:15
C:\ComboFix-quarantined-files.txt ... 26/05/07 01:59p
C:\ComboFix2.txt ... 26/05/07 09:05a

 --- E O F ---

Offline erikh

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
Smitfraud and incessant popups.
« Reply #12 on: May 26, 2007, 12:37:46 AM »
Notes:
Hi there, I tested all of the files in both of the websites and attach the results. Looks like the files are all the same, since the file sizes are identical and the scans are similar?

With respect to general operation, my machine seems very much cleaner. Pop-ups are now absent and the random freezing and rebooting do not occur now. I have not done a check with Spybot to see if it still shows Smitfraud. However, I will do that soon and I'll be surprised if it is still there.

Erik

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File: 28155622ld.exe
Status: INFECTED/MALWARE
MD5: c962e5a7a1406d48b3292a342210c573
Packers detected: -

Scanner results (scan taken on 26 May 2007 04:10:50 (GMT)):
A-Squared: Found nothing
AntiVir: Found TR/Proxy.Dlena.CQ.4
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found Proxy.NJQ
BitDefender: Found Worm.P2P.AB
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found Trojan-Proxy.Win32.Dlena.cq
Fortinet: Found nothing
Kaspersky Anti-Virus: Found Trojan-Proxy.Win32.Dlena.cq
NOD32: Found Win32/TrojanProxy.Dlena
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

File: 18261092ld.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: c962e5a7a1406d48b3292a342210c573
Packers detected: -
Scanner results (scan taken on 26 May 2007 04:19:35 (GMT)): identical to those for 28155622ld.exe above (AntiVir, AVG, BitDefender, F-Secure, Kaspersky and NOD32 detect it; all other engines found nothing).

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

File: 58204682ld.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: c962e5a7a1406d48b3292a342210c573
Packers detected: -
Scanner results (scan taken on 26 May 2007 04:23:33 (GMT)): identical to those for 28155622ld.exe above.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

File: 38534372ld.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: c962e5a7a1406d48b3292a342210c573
Packers detected: -
Scanner results (scan taken on 26 May 2007 04:26:19 (GMT)): identical to those for 28155622ld.exe above.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

File: 2016152ld.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: c962e5a7a1406d48b3292a342210c573
Packers detected: -
Scanner results (scan taken on 26 May 2007 04:28:13 (GMT)): identical to those for 28155622ld.exe above.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

STATUS: FINISHED
Complete scanning result of "28155622ld.exe", received in VirusTotal at 05.26.2007, 06:33:56 (CET).

Antivirus (version, signature update): Result
AhnLab-V3 (2007.5.24.0, 05.25.2007): Win-Trojan/Dlena.31232.L
AntiVir (7.4.0.27, 05.25.2007): TR/Proxy.Dlena.CQ.4
Authentium (4.93.8, 05.23.2007): no virus found
Avast (4.7.997.0, 05.25.2007): no virus found
AVG (7.5.0.467, 05.25.2007): Proxy.NJQ
BitDefender (7.2, 05.26.2007): Worm.P2P.AB
CAT-QuickHeal (9.00, 05.25.2007): TrojanProxy.Dlena.cq
ClamAV (devel-20070416, 05.25.2007): no virus found
DrWeb (4.33, 05.25.2007): no virus found
eSafe (7.0.15.0, 05.24.2007): suspicious Trojan/Worm
eTrust-Vet (30.7.3665, 05.26.2007): no virus found
Ewido (4.0, 05.25.2007): no virus found
FileAdvisor (1, 05.26.2007): no virus found
Fortinet (2.85.0.0, 05.26.2007): suspicious
F-Prot (4.3.2.48, 05.25.2007): no virus found
F-Secure (6.70.13030.0, 05.25.2007): Trojan-Proxy.Win32.Dlena.cq
Ikarus (T3.1.1.8, 05.25.2007): no virus found
Kaspersky (4.0.2.24, 05.26.2007): Trojan-Proxy.Win32.Dlena.cq
McAfee (5039, 05.25.2007): no virus found
Microsoft (1.2503, 05.26.2007): no virus found
NOD32v2 (2292, 05.25.2007): Win32/TrojanProxy.Dlena
Norman (5.80.02, 05.25.2007): no virus found
Panda (9.0.0.4, 05.25.2007): no virus found
Prevx1 (V2, 05.26.2007): Trojan.RPCC.Payload
Sophos (4.18.0, 05.25.2007): no virus found
Sunbelt (2.2.907.0, 05.24.2007): VIPRE.Suspicious
Symantec (10, 05.26.2007): Trojan.Packed.9
TheHacker (6.1.6.123, 05.25.2007): no virus found
VBA32 (3.12.0, 05.26.2007): no virus found
VirusBuster (4.3.23:9, 05.25.2007): no virus found
Webwasher-Gateway (6.0.1, 05.26.2007): Trojan.Proxy.Dlena.CQ.4

Additional information
File size: 31232 bytes
MD5: c962e5a7a1406d48b3292a342210c573
SHA1: 950c4e159c66aab7a32eb24a899a5a6b465b6d55
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC...94043842
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

STATUS: FINISHED
Complete scanning result of "18261092ld.exe", received in VirusTotal at 05.26.2007, 06:40:32 (CET).

Per-engine results are identical to those reported for 28155622ld.exe above (the only difference is that Ikarus's signature update is dated 05.26.2007 in this scan).

Additional information
File size: 31232 bytes
MD5: c962e5a7a1406d48b3292a342210c573
SHA1: 950c4e159c66aab7a32eb24a899a5a6b465b6d55
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC...94043842
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


STATUS: FINISHED
Complete scanning result of "58204682ld.exe", received in VirusTotal at 05.26.2007, 06:47:25 (CET).

Per-engine results are identical to those reported for 28155622ld.exe above (the only difference is that Ikarus's signature update is dated 05.26.2007 in this scan).

Additional information
File size: 31232 bytes
MD5: c962e5a7a1406d48b3292a342210c573
SHA1: 950c4e159c66aab7a32eb24a899a5a6b465b6d55
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC...94043842
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

STATUS: FINISHED
Complete scanning result of "38534372ld.exe", received in VirusTotal at 05.26.2007, 06:54:37 (CET).

Per-engine results are identical to those reported for 28155622ld.exe above (the only difference is that Ikarus's signature update is dated 05.26.2007 in this scan).

Additional information
File size: 31232 bytes
MD5: c962e5a7a1406d48b3292a342210c573
SHA1: 950c4e159c66aab7a32eb24a899a5a6b465b6d55
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC...94043842
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

++++++++++++++++++++++++++++++++++++++++++++++++++++++

STATUS: FINISHED
Complete scanning result of "2016152ld.exe", received in VirusTotal at 05.26.2007, 07:20:36 (CET).

Per-engine results are identical to those reported for 28155622ld.exe above (the only difference is that Ikarus's signature update is dated 05.26.2007 in this scan).

Additional information
File size: 31232 bytes
MD5: c962e5a7a1406d48b3292a342210c573
SHA1: 950c4e159c66aab7a32eb24a899a5a6b465b6d55
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC...94043842
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
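
Erik's observation above (five differently named files in system32, same size, same MD5 on every scanner) is worth confirming locally before submitting anything: hashing the files and grouping them by digest shows whether they are copies of one sample. The script below is an added example for this thread, not a tool from the thread or from Jotti/VirusTotal; the file names are taken from the thread but their contents are constructed stand-ins, since the real files are not on this page.

```python
"""Group suspect files by content hash to spot duplicate copies of one sample.

Added example: the five file names below are the ones from the thread, but the
bytes written into them are constructed stand-ins, not the real malware.
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def file_digests(path, chunk_size=65536):
    """Return (size, md5, sha1, sha256) for a file, hashing it in chunks.

    MD5 and SHA-1 are included only because multi-engine scanners such as
    Jotti and VirusTotal report them; SHA-256 is what we group on.
    """
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return size, md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def group_by_content(paths):
    """Map sha256 digest -> list of paths; one digest means byte-identical files."""
    groups = defaultdict(list)
    for path in paths:
        _, _, _, sha256 = file_digests(path)
        groups[sha256].append(path)
    return dict(groups)


def unique_samples(paths):
    """One representative path per distinct content: the set worth submitting."""
    return [members[0] for members in group_by_content(paths).values()]


def build_constructed_samples(directory):
    """Write five constructed stand-in files named like the ones in the thread.

    Four are byte-identical and the fifth differs, so the grouping shows both
    the "same sample, several names" case and a genuinely different file.
    """
    names = ["28155622ld.exe", "18261092ld.exe", "58204682ld.exe",
             "38534372ld.exe", "2016152ld.exe"]
    same = b"MZ" + b"\x00" * 60 + b"constructed sample A"       # 82 bytes
    different = b"MZ" + b"\x00" * 60 + b"constructed sample B"  # 82 bytes
    paths = []
    for index, name in enumerate(names):
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(different if index == 4 else same)
        paths.append(path)
    return paths


def demo():
    """Build the constructed files in a temp dir and summarise the grouping.

    Returns (number of distinct samples, size of the largest group,
    set of file sizes seen). Same size alone does not prove identity, which
    is why the grouping uses the digest and not the size.
    """
    with tempfile.TemporaryDirectory() as directory:
        paths = build_constructed_samples(directory)
        groups = group_by_content(paths)
        sizes = {file_digests(p)[0] for p in paths}
        largest = max(len(members) for members in groups.values())
        for digest, members in groups.items():
            print(digest[:16], [os.path.basename(m) for m in members])
        return len(groups), largest, sizes


if __name__ == "__main__":
    distinct, largest, sizes = demo()
    print(f"{distinct} distinct sample(s); largest group has {largest} copies;"
          f" file sizes seen: {sorted(sizes)}")
```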

Offline erikh

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
Smitfraud and incessant popups.
« Reply #13 on: May 26, 2007, 01:15:34 AM »
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Hi there,
Yikes. I just ran Spybot S&D and found the following:

--- Search result list ---

MediaPlex: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
Adviva: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
Smitfraud-C.Toolbar888: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
Winsoftware: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
Winsoftware.WinAntiVirusPro2006: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
SystemDoctor2006: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
SystemDoctor2006: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
WebTrends live: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
DoubleClick: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
Winsoftware.WinAntiVirusPro2006: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
Winsoftware.WinAntiVirusPro2006: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
Winsoftware: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
Clickbank: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
TagASaurus: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
Winsoftware: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
Winsoftware.WinAntiVirusPro2006: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
Avenue A, Inc.: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
ReliableStats: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
Statcounter: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
Winsoftware: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
Zedo: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
HitsLink: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)
Winsoftware: Tracking cookie (Internet Explorer: Erik Halbert) (Cookie, nothing done)

I fixed all of these and reran. This time the scan was clean.

Erik.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Smitfraud and incessant popups.
« Reply #14 on: May 26, 2007, 10:33:53 AM »
Go ahead and delete these files if you haven't already:
C:\WINNT\system32\28155622ld.exe
C:\WINNT\system32\18261092ld.exe
C:\WINNT\system32\58204682ld.exe
C:\WINNT\system32\38534372ld.exe
C:\WINNT\system32\2016152ld.exe

Spybot came clean, but the scan before just found cookies
Can you open Spybot>>Click on Immunization button>>OK>>Immunize again at the top Green cross
Do that after every update

A program that works similar to Spybot's Immunization
Install
SpywareBlaster 3.5.1 by JavaCool
    *Will block bad ActiveX Controls
    *Block Malevolent cookies in Internet Explorer and Firefox
    *Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

I hope that helps :)

Let me know of any other problems, if any

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline erikh

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
Smitfraud and incessant popups.
« Reply #15 on: May 27, 2007, 08:32:03 AM »
I got rid of these five .exe files, and fixed Spybot S&D. Then downloaded SpywareBlaster and set it up. My machine is working well now except that the in-text Vibrant Advertisements are annoying, but maybe we cannot do anything about them?

Anyway, I will be able to test the system until Thursday (I'll try and report then), after which I will be offline for six weeks. When I return I will check again and will report back.
 
Thank you very much for a most efficient clean-up process, carried out in a most professional manner. I wasted so much time initially trying to do a clean-up myself. I should have come to you right away.
Many thanks again.
regards, Erik

Offline erikh

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
Smitfraud and incessant popups.
« Reply #16 on: May 30, 2007, 07:15:50 PM »
Hi there,
My system has been working well since it was cleaned up. The only problems so far are these in-text popups, but I'm getting better at avoiding them. Can they be shut off?
I have not had any recurrence of Smitfraud or the WinAntivirus advertisements and in general the machine appears cleaner than it has ever been.
Thank you again for your help.
best regards, Erik