« previous next »
Pages: [1]

Author Topic: Computers infected with a trojan or something  (Read 1272 times)

Offline skategoodtimes

  • Newbie
  • *
  • Posts: 28
  • Karma: +0/-0
    • View Profile
Computers infected with a trojan or something
« on: December 30, 2007, 02:16:17 PM »
ok well i guess last night i accidently installed something with a virus and now whenever i open up internet explorer or even windows explorer a box pops up titles System Error! and saying Your PC was infected by an unknown trojan. Its dangerous for your system(critical files can be lost)! Click ok to download the antispyware program to clean your system!(Recommended)

Also if i search for something like in google or whatever like it brings up porn advertisements saying Error! Your browser was hijacked! Some results was changed by porn advertising! You need to clean your system immediatly to prevent it. Download the newest antispyware software!
And if you click it it goes to files-secure.com


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:05 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = 4O_MMSBSoftware\Microsoft\Internet Explorer\MainSearch Bar
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: player addon - {1E40AD15-4280-428A-9A26-AB96F9DA2ACE} - C:\WINDOWS\oggview32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8CDFEC33-C98C-491F-AEBB-367588E5161D} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: (no name) - {E19E670A-037B-44B3-B04F-CDC20E31092A} - C:\WINDOWS\system32\jkklj.dll (file missing)
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O22 - SharedTaskScheduler: (no name) - {FB153DCE-822E-47ec-8D00-2706E7864B37} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6569 bytes
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Computers infected with a trojan or something
« Reply #1 on: December 30, 2007, 02:42:13 PM »
Can you do the following, if you have used combofix already
Can you delete it, I need you to redownload an updated copy

Download this file - Combofix.exe and save it ONLY to your desktop

Disable your AntiVirus software till the next scans are complete

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
It's default location is C:\Combofix.txt

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Also:
Download [color=\"red\"]SmitfraudFix[/color][/url] (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

Post back both the following

1. Post the log from Smitfraudfix
2. Post the report from Combofix
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline skategoodtimes

  • Newbie
  • *
  • Posts: 28
  • Karma: +0/-0
    • View Profile
Computers infected with a trojan or something
« Reply #2 on: December 31, 2007, 04:18:45 AM »
ok well thanks for helping me so far

Smitfraudfix

SmitFraudFix v2.274

Scan done at  3:12:45.43, Mon 12/31/2007
Run from C:\Documents and Settings\Aaron\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Aaron


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Aaron\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Aaron\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
 

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri
C:\WINDOWS\oggview32.dll
HKLM\SOFTWARE\Classes\AppID\oggview32.dll
HKLM\SOFTWARE\Classes\AppID\{1E40AD15-4280-428A-9A26-AB96F9DA2ACE}
HKLM\SOFTWARE\Classes\CLSID\{1E40AD15-4280-428A-9A26-AB96F9DA2ACE}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E40AD15-4280-428A-9A26-AB96F9DA2ACE}
HKLM\SOFTWARE\Classes\oggview32.Video
HKLM\SOFTWARE\Classes\TypeLib\{62566A4D-AE41-44D2-B1B1-BC210BD35DCB}


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{FB153DCE-822E-47ec-8D00-2706E7864B37}"="O"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 24.93.41.125
DNS Server Search Order: 24.93.41.126

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1B4A2FD0-F74C-46D0-AED5-8BFA4BA8C218}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D5093D39-00EA-4D4C-8586-A87437B3171B}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E7E117A4-1966-46C8-A57F-2524CDDE24D4}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1B4A2FD0-F74C-46D0-AED5-8BFA4BA8C218}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D5093D39-00EA-4D4C-8586-A87437B3171B}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E7E117A4-1966-46C8-A57F-2524CDDE24D4}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1B4A2FD0-F74C-46D0-AED5-8BFA4BA8C218}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D5093D39-00EA-4D4C-8586-A87437B3171B}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E7E117A4-1966-46C8-A57F-2524CDDE24D4}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



ComboFix 07-12-31.4 - Aaron 2007-12-31  3:02:54.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.167 [GMT -6:00]
Running from: C:\Documents and Settings\Aaron\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\tpBe12
C:\WINDOWS\system32\ineWc01
C:\WINDOWS\system32\mcrh.tmp

.
(((((((((((((((((((((((((   Files Created from 2007-11-28 to 2007-12-31  )))))))))))))))))))))))))))))))
.

2007-12-31 03:01 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-12-30 13:04 . 2007-12-30 13:04   <DIR>   d--------   C:\Program Files\Trend Micro
2007-12-30 02:42 . 2007-12-30 02:42   239,104   --a------   C:\WINDOWS\oggview32.dll
2007-12-24 18:38 . 2007-12-24 18:38   <DIR>   d--------   C:\Program Files\Microsoft Silverlight
2007-12-21 01:41 . 2007-12-21 01:52   <DIR>   d--------   C:\Program Files\LimeWire
2007-12-18 21:54 . 2007-12-30 05:09   <DIR>   d--------   C:\VundoFix Backups
2007-12-18 21:38 . 2007-12-18 21:54   1,718,805   ---hs----   C:\WINDOWS\SYSTEM32\syvntely.ini
2007-12-17 00:46 . 2007-12-18 21:36   1,735,461   ---hs----   C:\WINDOWS\SYSTEM32\uudixjlj.ini
2007-12-16 13:05 . 2007-12-30 05:09   <DIR>   d--hs----   C:\WINDOWS\QWFyb24gV2VzbGV5IEJhbmRh
2007-12-11 13:46 . 2007-12-11 13:46   3,596,288   --a------   C:\WINDOWS\SYSTEM32\qt-dx331.dll
2007-12-11 13:46 . 2007-12-11 13:46   524,288   --a------   C:\WINDOWS\SYSTEM32\DivXsm.exe
2007-12-11 13:46 . 2007-12-11 13:46   4,816   --a------   C:\WINDOWS\SYSTEM32\divxsm.tlb
2007-12-11 13:45 . 2007-12-11 13:45   1,044,480   --a------   C:\WINDOWS\SYSTEM32\libdivx.dll
2007-12-11 13:45 . 2007-12-11 13:45   200,704   --a------   C:\WINDOWS\SYSTEM32\ssldivx.dll
2007-12-11 13:43 . 2007-12-11 13:43   12,288   --a------   C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2007-11-29 20:28 . 2007-11-29 20:28   <DIR>   d--------   C:\Documents and Settings\Aaron\New Folder
2007-11-23 03:04 . 2007-11-23 03:04   <DIR>   d--------   C:\Program Files\MySpace
2007-11-08 21:07 . 2007-11-08 21:08   <DIR>   d--------   C:\Program Files\iTunes
2007-11-07 03:05 . 2007-11-07 03:05   <DIR>   d--------   C:\Program Files\FLVPlayer
2007-11-06 23:38 . 2007-11-09 16:05   <DIR>   d--------   C:\Documents and Settings\Aaron\Application Data\U3

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 18:55   ---------   d-----w   C:\Program Files\Yahoo!
2007-12-21 18:55   ---------   d-----w   C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
2007-12-21 18:55   ---------   d-----w   C:\Documents and Settings\Aaron\Application Data\Yahoo!
2007-12-16 06:01   ---------   d-----w   C:\Program Files\DivX
2007-12-11 19:44   823,296   ----a-w   C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2007-12-11 19:44   823,296   ----a-w   C:\WINDOWS\SYSTEM32\divx_xx07.dll
2007-12-11 19:44   81,920   ----a-w   C:\WINDOWS\SYSTEM32\dpl100.dll
2007-12-11 19:44   802,816   ----a-w   C:\WINDOWS\SYSTEM32\divx_xx11.dll
2007-12-11 19:44   682,496   ----a-w   C:\WINDOWS\SYSTEM32\DivX.dll
2007-12-11 19:44   593,920   -c--a-w   C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2007-12-11 19:44   57,344   ----a-w   C:\WINDOWS\SYSTEM32\dpv11.dll
2007-12-11 19:44   53,248   -c--a-w   C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2007-12-11 19:44   344,064   ----a-w   C:\WINDOWS\SYSTEM32\dpus11.dll
2007-12-11 19:44   294,912   -c--a-w   C:\WINDOWS\SYSTEM32\dpu10.dll
2007-12-11 19:44   294,912   ----a-w   C:\WINDOWS\SYSTEM32\dpu11.dll
2007-12-11 19:44   196,608   ----a-w   C:\WINDOWS\SYSTEM32\dtu100.dll
2007-12-11 19:44   156,992   ----a-w   C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2007-11-13 10:25   20,480   ----a-w   C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 03:08   ---------   d-----w   C:\Program Files\iPod
2007-11-09 03:04   ---------   d-----w   C:\Program Files\QuickTime
2007-10-29 22:43   1,287,680   ----a-w   C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-27 23:40   222,720   ----a-w   C:\WINDOWS\SYSTEM32\wmasf.dll
2007-09-28 16:07   129,784   ------w   C:\WINDOWS\SYSTEM32\pxafs.dll
2007-09-28 16:07   120,056   -c----w   C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2007-09-28 16:07   118,520   -c----w   C:\WINDOWS\SYSTEM32\pxinsi64.exe
2007-06-11 02:30   1,308,216   -c--a-w   C:\Program Files\HiJackThis_v2.exe
2006-08-31 02:07   57,208   ----a-w   C:\Documents and Settings\Aaron\Application Data\GDIPFONTCACHEV1.DAT
2005-07-29 22:24   472   --sha-r   C:\WINDOWS\QWFyb24gV2VzbGV5IEJhbmRh\kqIVvZb0pZpWv3pcKHL1vAl1.vbs
2005-10-15 19:47   349,139   -csh--w   C:\WINDOWS\ServicePackFiles\agvtun.bak1
2005-11-02 04:17   200,623   -csh--w   C:\WINDOWS\ServicePackFiles\agvtun.bak2
2005-11-02 22:52   424,132   -csh--w   C:\WINDOWS\ServicePackFiles\agvtun.ini2
2004-10-12 04:31   56   -csh--r   C:\WINDOWS\SYSTEM32\EAEFBEA175.sys
2007-04-29 23:39   353   -csh--w   C:\WINDOWS\SYSTEM32\ststv.ini2
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E40AD15-4280-428A-9A26-AB96F9DA2ACE}]
2007-12-30 02:42   239104   --a------   C:\WINDOWS\oggview32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CDFEC33-C98C-491F-AEBB-367588E5161D}]
         C:\WINDOWS\system32\geedd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E19E670A-037B-44B3-B04F-CDC20E31092A}]
         C:\WINDOWS\system32\jkklj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 01:33 8720384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 01:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\584e3088]
         rundll32.exe C:\WINDOWS\system32\yletnvys.dll,b
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 10:28   684032   --a--c---   C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51   39792   --a------   C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
         BCMSMMSG.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 01:56   15360   --a--c---   C:\WINDOWS\system32\ctfmon.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
         C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
         C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe startup
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
         C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
         C:\Program Files\Common Files\AOL\1133112961\ee\AOLSoftware.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-02 18:36   267048   --a------   C:\Program Files\iTunes\iTunesHelper.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2003-09-13 21:36   50688   --a--c---   C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
         nwiz.exe /install
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
         C:\Program Files\QuickTime\qttask.exe -atboottime
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
         C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
         C:\Program Files\Save\Save.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xloadnet]
         C:\Program Files\xloadnet\xloadnet.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
         C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\system32\DRIVERS\sonyhcb.sys [2001-11-05 08:23]
S3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2003-04-17 21:48]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-04 01:09]
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-04 01:09]
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\system32\DRIVERS\sonyhcs.sys [2001-11-05 08:23]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2004-12-18 19:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9daeb98c-8cf3-11dc-a7b4-0040050e21b3}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 02:45:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-30 18:27:11 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2005-10-31 04:08:35 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-31 03:07:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-31  3:08:30
C:\qoobox\ComboFix-quarantined-files.txt  2007-12-31 09:08:15
.
2007-12-12 16:41:56   --- E O F ---
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Computers infected with a trojan or something
« Reply #3 on: December 31, 2007, 04:56:37 AM »
Can you do the following
==Open notepad and copy/paste the text in the quotebox below into it:
Don't use anything else than notepad or the script will not work

Quote
File::
C:\WINDOWS\oggview32.dll
C:\WINDOWS\SYSTEM32\syvntely.ini
C:\WINDOWS\SYSTEM32\uudixjlj.ini
C:\WINDOWS\ServicePackFiles\agvtun.bak1
C:\WINDOWS\ServicePackFiles\agvtun.bak2
C:\WINDOWS\ServicePackFiles\agvtun.ini2
C:\WINDOWS\SYSTEM32\ststv.ini2
C:\WINDOWS\system32\yletnvys.dll
C:\WINDOWS\retadpu2000219.exe
Folder::
C:\VundoFix Backups
C:\WINDOWS\system32\1024
C:\WINDOWS\QWFyb24gV2VzbGV5IEJhbmRh
C:\Program Files\Save
C:\Program Files\xloadnet
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E40AD15-4280-428A-9A26-AB96F9DA2ACE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CDFEC33-C98C-491F-AEBB-367588E5161D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E19E670A-037B-44B3-B04F-CDC20E31092A}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\584e3088]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xloadnet]
[-HKLM\SOFTWARE\Classes\AppID\oggview32.dll]
[-HKLM\SOFTWARE\Classes\AppID\{1E40AD15-4280-428A-9A26-AB96F9DA2ACE}]
[-HKLM\SOFTWARE\Classes\CLSID\{1E40AD15-4280-428A-9A26-AB96F9DA2ACE}]
[-HKLM\SOFTWARE\Classes\oggview32.Video]
[-HKLM\SOFTWARE\Classes\TypeLib\{62566A4D-AE41-44D2-B1B1-BC210BD35DCB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{FB153DCE-822E-47ec-8D00-2706E7864B37}"=-

Save this as txtfile on your desktop
CFScript

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Don't mouse click on it, let it complete

When finished, it shall produce a log for you again, with the same name C:\ComboFix.txt..
I'll need to see that log again later

NEXT:
reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
In safe mode

Open the SmitfraudFix folder again and double-click smitfraudfix.cmd

=============================================================
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't
Boot to Normal Windows
I'll need to see the log it generates later, by default it is located at
C:\rapport.txt
=============================================================

Back in Windows

Post back the following

1. The log from combofix>>C:\Combofix.txt
2. The log from Smitfraudfix>>C:\rapport.txt
3. Can you post a fresh hijackthis log

In addition, can you do the following please
Can you go to this link
http://www.virustotal.com/flash/index_en.html

Copy and paste the text below in bold to the Upload a file

C:\WINDOWS\SYSTEM32\EAEFBEA175.sys
Then use the "Send A File"  button
Let it finish scanning
Could you post back the results of the scan back here please

NOTE: It may take more than one reply to post back all the info
Please do so if needed
« Last Edit: December 31, 2007, 05:04:12 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline skategoodtimes

  • Newbie
  • *
  • Posts: 28
  • Karma: +0/-0
    • View Profile
Computers infected with a trojan or something
« Reply #4 on: December 31, 2007, 03:59:14 PM »
ok im going to just post each log in their own post so itll be easier to understand whats what.

ComboFix 07-12-31.4 - Aaron 2007-12-31  4:20:34.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.169 [GMT -6:00]
Running from: C:\Documents and Settings\Aaron\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Aaron\Desktop\CFScript.txt
 * Created a new restore point

FILE
C:\WINDOWS\oggview32.dll
C:\WINDOWS\retadpu2000219.exe
C:\WINDOWS\ServicePackFiles\agvtun.bak1
C:\WINDOWS\ServicePackFiles\agvtun.bak2
C:\WINDOWS\ServicePackFiles\agvtun.ini2
C:\WINDOWS\SYSTEM32\ststv.ini2
C:\WINDOWS\SYSTEM32\syvntely.ini
C:\WINDOWS\SYSTEM32\uudixjlj.ini
C:\WINDOWS\system32\yletnvys.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\ddeeg.ini.bad
C:\VundoFix Backups\ddeeg.ini2.bad
C:\VundoFix Backups\geedd.dll.bad
C:\VundoFix Backups\jkhfe.dll.bad
C:\VundoFix Backups\jlkkj.ini.bad
C:\VundoFix Backups\jlkkj.ini2.bad
C:\WINDOWS\oggview32.dll
C:\WINDOWS\QWFyb24gV2VzbGV5IEJhbmRh
C:\WINDOWS\QWFyb24gV2VzbGV5IEJhbmRh\kqIVvZb0pZpWv3pcKHL1vAl1.vbs
C:\WINDOWS\ServicePackFiles\agvtun.bak1
C:\WINDOWS\ServicePackFiles\agvtun.bak2
C:\WINDOWS\ServicePackFiles\agvtun.ini2
C:\WINDOWS\system32\1024
C:\WINDOWS\SYSTEM32\ststv.ini2
C:\WINDOWS\SYSTEM32\syvntely.ini
C:\WINDOWS\SYSTEM32\uudixjlj.ini

.
(((((((((((((((((((((((((   Files Created from 2007-11-28 to 2007-12-31  )))))))))))))))))))))))))))))))
.

2007-12-31 03:12 . 2007-09-05 23:22   289,144   --a------   C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-12-31 03:12 . 2006-04-27 16:49   288,417   --a------   C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-12-31 03:12 . 2007-12-20 23:11   81,920   --a------   C:\WINDOWS\SYSTEM32\IEDFix.exe
2007-12-31 03:12 . 2003-06-05 20:13   53,248   --a------   C:\WINDOWS\SYSTEM32\Process.exe
2007-12-31 03:12 . 2004-07-31 17:50   51,200   --a------   C:\WINDOWS\SYSTEM32\dumphive.exe
2007-12-31 03:12 . 2007-10-03 23:36   25,600   --a------   C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-12-31 03:12 . 2007-12-31 03:12   1,638   --a------   C:\WINDOWS\SYSTEM32\tmp.reg
2007-12-31 03:01 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-12-30 13:04 . 2007-12-30 13:04   <DIR>   d--------   C:\Program Files\Trend Micro
2007-12-24 18:38 . 2007-12-24 18:38   <DIR>   d--------   C:\Program Files\Microsoft Silverlight
2007-12-21 01:41 . 2007-12-21 01:52   <DIR>   d--------   C:\Program Files\LimeWire
2007-12-11 13:46 . 2007-12-11 13:46   3,596,288   --a------   C:\WINDOWS\SYSTEM32\qt-dx331.dll
2007-12-11 13:46 . 2007-12-11 13:46   524,288   --a------   C:\WINDOWS\SYSTEM32\DivXsm.exe
2007-12-11 13:46 . 2007-12-11 13:46   4,816   --a------   C:\WINDOWS\SYSTEM32\divxsm.tlb
2007-12-11 13:45 . 2007-12-11 13:45   1,044,480   --a------   C:\WINDOWS\SYSTEM32\libdivx.dll
2007-12-11 13:45 . 2007-12-11 13:45   200,704   --a------   C:\WINDOWS\SYSTEM32\ssldivx.dll
2007-12-11 13:43 . 2007-12-11 13:43   12,288   --a------   C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2007-11-29 20:28 . 2007-11-29 20:28   <DIR>   d--------   C:\Documents and Settings\Aaron\New Folder
2007-11-23 03:04 . 2007-11-23 03:04   <DIR>   d--------   C:\Program Files\MySpace
2007-11-08 21:07 . 2007-11-08 21:08   <DIR>   d--------   C:\Program Files\iTunes
2007-11-07 03:05 . 2007-11-07 03:05   <DIR>   d--------   C:\Program Files\FLVPlayer
2007-11-06 23:38 . 2007-11-09 16:05   <DIR>   d--------   C:\Documents and Settings\Aaron\Application Data\U3

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 18:55   ---------   d-----w   C:\Program Files\Yahoo!
2007-12-21 18:55   ---------   d-----w   C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
2007-12-21 18:55   ---------   d-----w   C:\Documents and Settings\Aaron\Application Data\Yahoo!
2007-12-16 06:01   ---------   d-----w   C:\Program Files\DivX
2007-12-11 19:44   823,296   ----a-w   C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2007-12-11 19:44   823,296   ----a-w   C:\WINDOWS\SYSTEM32\divx_xx07.dll
2007-12-11 19:44   81,920   ----a-w   C:\WINDOWS\SYSTEM32\dpl100.dll
2007-12-11 19:44   802,816   ----a-w   C:\WINDOWS\SYSTEM32\divx_xx11.dll
2007-12-11 19:44   682,496   ----a-w   C:\WINDOWS\SYSTEM32\DivX.dll
2007-12-11 19:44   593,920   -c--a-w   C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2007-12-11 19:44   57,344   ----a-w   C:\WINDOWS\SYSTEM32\dpv11.dll
2007-12-11 19:44   53,248   -c--a-w   C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2007-12-11 19:44   344,064   ----a-w   C:\WINDOWS\SYSTEM32\dpus11.dll
2007-12-11 19:44   294,912   -c--a-w   C:\WINDOWS\SYSTEM32\dpu10.dll
2007-12-11 19:44   294,912   ----a-w   C:\WINDOWS\SYSTEM32\dpu11.dll
2007-12-11 19:44   196,608   ----a-w   C:\WINDOWS\SYSTEM32\dtu100.dll
2007-12-11 19:44   156,992   ----a-w   C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2007-11-13 10:25   20,480   ----a-w   C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 03:08   ---------   d-----w   C:\Program Files\iPod
2007-11-09 03:04   ---------   d-----w   C:\Program Files\QuickTime
2007-10-29 22:43   1,287,680   ----a-w   C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-27 23:40   222,720   ----a-w   C:\WINDOWS\SYSTEM32\wmasf.dll
2007-09-28 16:07   129,784   ------w   C:\WINDOWS\SYSTEM32\pxafs.dll
2007-09-28 16:07   120,056   -c----w   C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2007-09-28 16:07   118,520   -c----w   C:\WINDOWS\SYSTEM32\pxinsi64.exe
2007-06-11 02:30   1,308,216   -c--a-w   C:\Program Files\HiJackThis_v2.exe
2006-08-31 02:07   57,208   ----a-w   C:\Documents and Settings\Aaron\Application Data\GDIPFONTCACHEV1.DAT
2004-10-12 04:31   56   -csh--r   C:\WINDOWS\SYSTEM32\EAEFBEA175.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 01:33 8720384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 01:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 10:28   684032   --a--c---   C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51   39792   --a------   C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
         BCMSMMSG.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 01:56   15360   --a--c---   C:\WINDOWS\system32\ctfmon.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
         C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
         C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe startup
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
         C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
         C:\Program Files\Common Files\AOL\1133112961\ee\AOLSoftware.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-02 18:36   267048   --a------   C:\Program Files\iTunes\iTunesHelper.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2003-09-13 21:36   50688   --a--c---   C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
         nwiz.exe /install
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
         C:\Program Files\QuickTime\qttask.exe -atboottime
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
         C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\system32\DRIVERS\sonyhcb.sys [2001-11-05 08:23]
S3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2003-04-17 21:48]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-04 01:09]
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-04 01:09]
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\system32\DRIVERS\sonyhcs.sys [2001-11-05 08:23]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2004-12-18 19:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9daeb98c-8cf3-11dc-a7b4-0040050e21b3}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 02:45:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-30 18:27:11 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2005-10-31 04:08:35 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-31 04:23:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-31  4:24:00
C:\qoobox\ComboFix-quarantined-files.txt  2007-12-31 10:23:37
C:\qoobox\ComboFix2.txt  2007-12-31 09:08:31
.
2007-12-12 16:41:56   --- E O F ---
Logged

Offline skategoodtimes

  • Newbie
  • *
  • Posts: 28
  • Karma: +0/-0
    • View Profile
Computers infected with a trojan or something
« Reply #5 on: December 31, 2007, 04:00:37 PM »
SmitFraudFix v2.274

Scan done at 14:08:05.34, Mon 12/31/2007
Run from C:\Documents and Settings\Aaron\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1       localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1B4A2FD0-F74C-46D0-AED5-8BFA4BA8C218}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D5093D39-00EA-4D4C-8586-A87437B3171B}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E7E117A4-1966-46C8-A57F-2524CDDE24D4}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1B4A2FD0-F74C-46D0-AED5-8BFA4BA8C218}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D5093D39-00EA-4D4C-8586-A87437B3171B}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E7E117A4-1966-46C8-A57F-2524CDDE24D4}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1B4A2FD0-F74C-46D0-AED5-8BFA4BA8C218}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D5093D39-00EA-4D4C-8586-A87437B3171B}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E7E117A4-1966-46C8-A57F-2524CDDE24D4}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
Logged

Offline skategoodtimes

  • Newbie
  • *
  • Posts: 28
  • Karma: +0/-0
    • View Profile
Computers infected with a trojan or something
« Reply #6 on: December 31, 2007, 04:03:30 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:37 PM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4982 bytes


File EAEFBEA175.sys received on 12.31.2007 21:18:15 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 41 and 59 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:    
   
Antivirus    Version    Last Update    Result
AhnLab-V3   2008.1.1.10   2007.12.31   -
AntiVir   7.6.0.46   2007.12.31   -
Authentium   4.93.8   2007.12.30   -
Avast   4.7.1098.0   2007.12.31   -
AVG   7.5.0.516   2007.12.31   -
BitDefender   7.2   2007.12.31   -
CAT-QuickHeal   9.00   2007.12.31   -
ClamAV   0.91.2   2007.12.31   -
DrWeb   4.44.0.09170   2007.12.31   -
eSafe   7.0.15.0   2007.12.31   -
eTrust-Vet   31.3.5419   2007.12.31   -
Ewido   4.0   2007.12.31   -
FileAdvisor   1   2007.12.31   -
Fortinet   3.14.0.0   2007.12.31   -
F-Prot   4.4.2.54   2007.12.31   -
F-Secure   6.70.13030.0   2007.12.31   -
Ikarus   T3.1.1.15   2007.12.31   -
Kaspersky   7.0.0.125   2007.12.31   -
McAfee   5196   2007.12.31   -
Microsoft   1.3109   2007.12.31   -
NOD32v2   2758   2007.12.31   -
Norman   5.80.02   2007.12.31   -
Panda   9.0.0.4   2007.12.31   -
Prevx1   V2   2007.12.31   -
Rising   20.24.52.00   2007.12.29   -
Sophos   4.24.0   2007.12.31   -
Sunbelt   2.2.907.0   2007.12.30   -
Symantec   10   2007.12.31   -
TheHacker   6.2.9.175   2007.12.29   -
VBA32   3.12.2.5   2007.12.29   -
VirusBuster   4.3.26:9   2007.12.31   -
Webwasher-Gateway   6.6.2   2007.12.31   -
Additional information
File size: 56 bytes
MD5: 74a95b6b4554235b088557f5815a13fc
SHA1: 4738e9016b87422de6eedcb7a64b3899751dcdc9
PEiD: -
« Last Edit: December 31, 2007, 04:03:23 PM by skategoodtimes »
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Computers infected with a trojan or something
« Reply #7 on: December 31, 2007, 04:59:47 PM »
Thanks for the logs
Can you let me know how things are running please

Also, post one last log
supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents

I have to step out for a bit, when I come back will just do some final steps if everything is fine
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline skategoodtimes

  • Newbie
  • *
  • Posts: 28
  • Karma: +0/-0
    • View Profile
Computers infected with a trojan or something
« Reply #8 on: December 31, 2007, 08:06:31 PM »
ok thanks a lot, everything seems to be running good so far nothings been popping up anymore.

Ad-Aware SE Personal
Adobe After Effects 5.5
Adobe Encore DVD 1.0
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Premiere 6.0
Adobe Reader 8.1.1
Adobe Shockwave Player
Advanced RealMedia Export Plug-in for Premiere 6.0
AIM 6
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
BearShare
Classic PhoneTools
Cleaner 5 EZ
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Easy CD Creator 5 Basic
FLV Player 1.3.3
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
iPod for Windows 2005-03-23
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Java 2 Runtime Environment Standard Edition v1.3.1_04
LiveReg (Symantec Corporation)
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
Microsoft Works 2003 Setup Launcher
Mozilla Firefox (0.8.)
Mozilla Firefox (1.0.7)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MySpaceIM
NVIDIA Display Driver
PowerDVD
QuickTime
RealPlayer
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Sony USB Driver
Sorenson Squeeze
Sorenson Video 3
Sound Blaster Live!
Spybot - Search & Destroy 1.4
Spyware Doctor 3.2
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Web Savings from Ebates
Windows Blaster Worm Removal Tool (KB833330)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Yahoo! Messenger
Zune Desktop Theme
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Computers infected with a trojan or something
« Reply #9 on: December 31, 2007, 09:58:14 PM »
Can you do the following

[color=\"blue\"]Your Java Runtime Environment is out of date.[/color] Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

[color=\"blue\"]Updating Java:[/color]
  • Download the latest version of  Java Runtime Environment (JRE) 6u3.
  • Scroll down to where it says "Java Runtime Enviroinment (JRE) 6u3, The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement[/i]".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language  and save it to your desktop (13.16 MB).
  • Close any programs you may have running - especially any web browsers.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.>>This includes all the following
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Java 2 Runtime Environment Standard Edition v1.3.1_04
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • DO NOT Reboot the computer yet, even if prompted

Remain in add/remove programs and remove the following
The next ones, usually because they get unknowing installed by programs such as AIM and AOL IM
Viewpoint Manager (Remove Only)
Viewpoint Media Player

Still in Add/remove programs remove
Web Savings from Ebates
If you are prompted to just remove from list, do so

Also, I suggest that you uninstall older versions of Mozilla Firefox
We should update it in a bit
This includes, both
Mozilla Firefox (0.8.)
Mozilla Firefox (1.0.7)

Again, remain in add/remove
It appears you may have had Symantec's (Norton's)
Installed at one time and removed it
I suggest that you also remove
LiveReg (Symantec Corporation)
If it prompts that other products are installed, continue with the removal
Afterwards:
Go to the following link
Norton Removal tool

Download and save the Norton Removal tool from STEP 3 and save it to desktop
Double click on it to run it>>Follow the prompts
Ensure that you reboot the computer
After you have done ALL/or any of the above

Back in Windows

Open Spybot 1.4
Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates (Or right click the results pane and SELECT ALL)
Ensure all updates are successful, a GREEN check will indicate this
If you have an error updating, search for updates again and retry the download until all updates are successfully installed
After update is complete

Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected promblems in RED

RESTART the computer to finish any cleaning process

Back in Windows
Install the latest version of Firefox from this link
http://www.mozilla.com/en-US/firefox/all.html

After installation, go ahead and install the latest version of Sun Java from Installer on desktop

Afterwards
Come back here and post one last fresh hijackthis log
« Last Edit: December 31, 2007, 10:00:54 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline skategoodtimes

  • Newbie
  • *
  • Posts: 28
  • Karma: +0/-0
    • View Profile
Computers infected with a trojan or something
« Reply #10 on: January 01, 2008, 12:05:17 AM »
ok well it wouldnt let me uninstall that web savings from ebates things ive been trying to delete that for a long time now i guess i deleted the folder and it had the uninstall file in there or something so i dont know how to get rid of it now. it just brings up a little window titled "wjview error" and it says "ERROR:could not execute Main : the system cannot find the file specified"

But heres the hijackthis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:42 PM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5220 bytes
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Computers infected with a trojan or something
« Reply #11 on: January 01, 2008, 12:13:51 AM »
Did you run the Norton Removal tool and follow the prompts?

I see 2 entries related to Norton's in your log that weren't there earlier
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline skategoodtimes

  • Newbie
  • *
  • Posts: 28
  • Karma: +0/-0
    • View Profile
Computers infected with a trojan or something
« Reply #12 on: January 01, 2008, 12:30:38 AM »
oh no sorry i thougth you said only to do that if it prompts me but i read wrong. do you want me to do that and then post another hijackthis log?
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Computers infected with a trojan or something
« Reply #13 on: January 01, 2008, 12:38:41 AM »
Sorry about the confusion
Before you run the tool, can you also do the following

Open Hijackthis>>Open Misc tools section>>Open Uninstall Manager>>
Left click to highlight
Web Savings from Ebates
Then click the "Delete this Entry" button
Select YES at the prompt then close Hijackthis

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

 
Code: [Select]
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]

Double click on fix.reg and add/merge to the registry at the prompt

Then run the Norton Removal tool
Follow the prompts, ensure to reboot the computer

Then come back here and post a fresh hijackthis log
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline skategoodtimes

  • Newbie
  • *
  • Posts: 28
  • Karma: +0/-0
    • View Profile
Computers infected with a trojan or something
« Reply #14 on: January 01, 2008, 01:17:14 AM »
oh well hopefully ive done it right so far, heres the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:39 AM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\internet explorer\iexplore.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5064 bytes
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Computers infected with a trojan or something
« Reply #15 on: January 01, 2008, 01:43:23 AM »
Looks good
If everything is running better, you should do the final steps

Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Select>>Create a New restore point
Give it a name and click Create
Windows will prompt when it was created successfully

When that's done

Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let if finish calculating

Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made

Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning


Go ahead and delete the Smitfraudfix.zip and fix.reg from desktop

Go to START>>RUN>>Copy then paste the next command below in bold
Then hit OK

combofix /u

This will uninstall combofix and it's components

Download this tool:
[color=\"blue\"]OTMoveIt[/color] by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Click the Cleanup! button
    A list will be downloaded>>Allow it Internet access if prompted by your Firewall
    Don't change anything in this list
  • Select Yes at the prompt
    Wait for the confirmation box to open to reboot the computer
    Don't mouseclick during the wait as you may cause the tool to stall
  • Select Yes to reboot Now
NOTE: This procedure will also delete OTMoveit.exe from desktop

I suggest that you add SpywareBlaster to your protection software
SpywareBlaster 3.5.1 by JavaCool  
    *Will block bad ActiveX Controls
    *Block Malevolent cookies in Internet Explorer and Firefox
    *Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

Also, after every update with Spybot 1.4
Ensure to use the Immunize feature
Simply click Immunize>>OK>>Immunize again at the top green cross

Hope that helps  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
« Last Edit: January 01, 2008, 01:48:33 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline skategoodtimes

  • Newbie
  • *
  • Posts: 28
  • Karma: +0/-0
    • View Profile
Computers infected with a trojan or something
« Reply #16 on: January 01, 2008, 03:01:06 AM »
ok ive done everything, is there anything else i should do? can i delete the uninstall_list from my desktop.  well thank you sooo much for helping me with all of this I really really appreciate it
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Computers infected with a trojan or something
« Reply #17 on: January 01, 2008, 11:20:42 AM »
Quote
can i delete the uninstall_list from my desktop
Go ahead and delete it
I'll lock this topic as your problems are resolved
Take care and Happy New Year skategoodtimes  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Pages: [1]
« previous next »