I'm Bod and here to help you with your Hijack This log.
Please only use this topic for your replies on this problem. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this problem on this computer.
These things need to be properly researched and a complete fix for many malware problems can take some time and be spread over a number of posts, so please be patient and try to see it through to the end.
I've had a look through your log and I now have some instructions for you to follow.
Before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
Please do not try any other "fixes" you may have found on the internet while we are sorting this problem out, it's important that we work through the fix in a systematic manner.
Open the SmitfraudFix folder created in step 1 and double-click "smitfraudfix.cmd". Please do not try to use any of the other files in the folder until instructed.
Select option "1 - Search" by typing "1" and pressing "Enter" on the keyboard.
A text file will appear, which lists infected files (if present). We are only generating a report at this stage, not cleaning yet.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
See http://www.beyondlogic.org/consulting/proc...processutil.htm
Please copy/paste the content of the report generated into your next reply. The report can be found at the root of the system drive, usually at C:\rapport.txt.
I'll check the report and get back to you with the next stage of the fix.
Scan done at 11:07:46.10, Tue 08/22/2006
Run from C:\Documents and Settings\Hakim\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
Again, before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.
Please follow and carry out all the steps in the instructions in the order I've listed them.
Step 1 Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option "2 - Clean" by typing "2" and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; type "Y" and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); type "Y" and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, reboot as normal.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Run ATF Cleaner. Click on the check box to select the following options:
Windows Temp, All Users Temp, Cookies, Temporary Internet Files, Prefetch, Recycle Bin
Click "Empty Selected". Exit when finished.
Step 3 Download Ewido from www.ewido.net/en/download, and install. At the end of the installation process, leave the tick in the "Run Ewido Anti-Spyware 4.0" checkbox. Click "Finish".
When the opening screen appears, click "change state" for "Resident Shield" to change state to "inactive". This is done to prevent the resident shield interfering with our attempts to fix the problems present on the pc.
Ewido will automatically update, and a toolbar message balloon will confirm that update is complete. If this doesn't happen, click Update > Start Update.
Close Ewido.
Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
Run Ewido again, click Scanner > Complete System Scan.
At the end of the scan, a list of found objects will be generated. Check through the list for false positives, and change the "Action" entry if necessary.
Click "Apply all actions".
When the actions have been completed, click Save Report > Save report as, and save the report as a text file on your desktop. I will need a copy of the report contents as part of your next post.
Reboot as normal.
Step 4 Run Hijack This, "Scan" and post the log, together with a copy of the SmitFraudFix and Ewido logs, as a reply to this thread. I'll check it through, and get back to you.
You'll keep getting the warnings until we've dealt with the files that are trying to install. It was more important to deal with SmitFraud first.
OK, I've now got some more instructions for you.
As before, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.
Please follow and carry out all the steps in the instructions in the order I've listed them.
Step 1 Run Hijack This, don't have any other programs open, and click "Scan".
In the scan results, click on the check box for all of the following lines that are present.
O4 - HKLM\..\Run: O Controllers> svcnet.exe
O4 - HKCU\..\Run: O Controllers> svcnet.exe
O15 - Trusted Zone: http:locator.cdn.imageservr.com
Click on "Fix checked".
Step 2 Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
Click My Computer > Tools > View, then put a tick in the "Display the contents of system folders" and "Show hidden files and folders" check boxes. Uncheck the "Hide protected operating system files (recommended)" option.
Click "Yes" to confirm.
Click "OK".
Navigate to the following folder and file and delete each of them. Some may not be present.
Folder (delete with all contents)
C:\Program Files\ToolBar888
File
C:\WINDOWS\system32\ixt0.dll
You also need to search for a file.
Click Start > Search > All Files and Folders > More advanced options
Make sure that there is a tick in the check box for "Search System Folders", "Search hidden files and folders", and "Search subfolders".
Enter the following file name in "All or part of file name" and click on "Search".
svcnet.exe
You will be prompted to install an ActiveX component from Kaspersky. Click "Yes".
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on "NEXT".
Now click on "Scan Settings".
In the scan settings, make sure that the following are selected:
"Scan using the following Anti-Virus database:" Extended (if available otherwise Standard)
"Scan Options:" Scan Archives, Scan Mail Bases
Click "OK".
Now under "select a target to scan:" select "My Computer".
This program will start and scan your system. The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected. Click on "Save as Text" and save the file to your desktop.
Post the KAV scan log in your next reply.
Step 4 - Java Update -
This is essential, earlier versions of Java can be exploited. Go to http://java.sun.com/j2se/1.5.0/download.jsp and download and install Java Runtime Environment (JRE) 5.0 Update 8.
Click the link "Download JRE 5.0 Update 8". You will then need to select "Accept License Agreement" and click "Continue". Then click the link "Windows Offline Installation, Multi-language", and save it to your Desktop.
Then go back to your Desktop and double click "jre-1_5_0_08-windows-i586-p.exe" to start the install.
Once you have it installed, click Start > Control Panel > Add/Remove Programs.
Allow the list to populate, then click on "Remove" for "Java Runtime Environment 4.2 Update 3" and any other older Java Runtime Environment entries.
Step 5 Run Hijack This, "Scan" and post the log as a reply to this thread. I'll check it through, and get back to you.
Also, please let me know how the pc's running now.
Note that when I restarted the computer Spyguard still asks if I want to remove or keep the BHO. Is it normal to be asked this every time I start the computer?
Logfile of HijackThis v1.99.1
Scan saved at 1:04:42 PM, on 8/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Scan done at 11:50:21.46, Tue 08/22/2006
Run from C:\Documents and Settings\Hakim\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
ok, I've applied all the steps. On Step 2 none of the files were present. During the scan with Kaspersky WebScanner my AntiVirus detected a few viruses. I'll see it in the log. After all the steps I rebooted to see if I still had the issue with Spyguard and the BHO being changed. Still the same issue there. It says that a file has been added C:\WINDOWS/system32/ssqrq.dll. I've copied the log of Spyguard and the two other logs you've asked for.
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 23, 2006 1:29:34 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 23/08/2006
Kaspersky Anti-Virus database records: 217631
Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target: My Computer
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects: 62898
Number of viruses found: 7
Number of infected objects: 15 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:08:19
Infected Object Name | Virus Name | Last Action
C:\Documents and Settings\Hakim\.housecall\Quarantine\Sim City 2000 Microsoft Windows XP Full Version.zip.bac_a03676/NERO5031.ZIP/nero5031.exe | Infected: Email-Worm.Win32.Hybris.b | skipped
C:\Documents and Settings\Hakim\.housecall\Quarantine\Sim City 2000 Microsoft Windows XP Full Version.zip.bac_a03676/NERO5031.ZIP | Infected: Email-Worm.Win32.Hybris.b | skipped
C:\Documents and Settings\Hakim\.housecall\Quarantine\Sim City 2000 Microsoft Windows XP Full Version.zip.bac_a03676/Cdrwin.3.8c.zip/cdr38c-e.exe | Infected: Email-Worm.Win32.Hybris.b | skipped
C:\Documents and Settings\Hakim\.housecall\Quarantine\Sim City 2000 Microsoft Windows XP Full Version.zip.bac_a03676/Cdrwin.3.8c.zip | Infected: Email-Worm.Win32.Hybris.b | skipped
C:\Documents and Settings\Hakim\.housecall\Quarantine\Sim City 2000 Microsoft Windows XP Full Version.zip.bac_a03676 | ZIP: infected - 4 | skipped
C:\Documents and Settings\Hakim\.housecall\Quarantine\Sim City 2000 Microsoft Windows XP Full Version.zip.bac_a03676 | CryptFF.b: infected - 4 | skipped
C:\Documents and Settings\Hakim\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log | Object is locked | skipped
C:\Documents and Settings\Hakim\Cookies\index.dat | Object is locked | skipped
C:\Documents and Settings\Hakim\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe | Infected: not-a-virus:RiskTool.Win32.Reboot.f | skipped
C:\Documents and Settings\Hakim\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Dossiers personnels/Éléments supprimés/22 Aug 2006 18:37 from Sandygio:Ann/Ralph.zip | Infected: Email-Worm.Win32.Bagle.gen | skipped
C:\Documents and Settings\Hakim\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Dossiers personnels/Boîte de réception/3 Admin/Archives/website/ebay/28 Jul 2005 02:17 from eBay:Important bank mail [Thu, 28 Jul 200.rtf | Infected: Trojan-Spy.HTML.Bayfraud.hn | skipped
C:\Documents and Settings\Hakim\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst | Mail MS Mail: infected - 2 | skipped
C:\Documents and Settings\Hakim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat | Object is locked | skipped
C:\Documents and Settings\Hakim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG | Object is locked | skipped
C:\Documents and Settings\Hakim\Local Settings\History\History.IE5\index.dat | Object is locked | skipped
C:\Documents and Settings\Hakim\Local Settings\Temp\~DF1B51.tmp | Object is locked | skipped
C:\Documents and Settings\Hakim\Local Settings\Temp\~DFD930.tmp | Object is locked | skipped
C:\Documents and Settings\Hakim\Local Settings\Temporary Internet Files\Content.IE5\index.dat | Object is locked | skipped
C:\Documents and Settings\Hakim\My Documents\backup21aug06.pst/Dossiers personnels/Boîte de réception/3 Admin/Archives/website/ebay/28 Jul 2005 02:17 from eBay:Important bank mail [Thu, 28 Jul 200.rtf | Infected: Trojan-Spy.HTML.Bayfraud.hn | skipped
C:\Documents and Settings\Hakim\My Documents\backup21aug06.pst | Mail MS Mail: infected - 1 | skipped
C:\Documents and Settings\Hakim\NTUSER.DAT | Object is locked | skipped
C:\Documents and Settings\Hakim\ntuser.dat.LOG | Object is locked | skipped
C:\Documents and Settings\LocalService\Cookies\index.dat | Object is locked | skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat | Object is locked | skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG | Object is locked | skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat | Object is locked | skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat | Object is locked | skipped
C:\Documents and Settings\LocalService\NTUSER.DAT | Object is locked | skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG | Object is locked | skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat | Object is locked | skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG | Object is locked | skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT | Object is locked | skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG | Object is locked | skipped
C:\Program Files\NetAssistant\log\mpbtn.log | Object is locked | skipped
C:\Program Files\NetAssistant\SmartBridge\AlertFilter.log | Object is locked | skipped
C:\Program Files\NetAssistant\SmartBridge\log\httpclient.log | Object is locked | skipped
C:\Program Files\NetAssistant\SmartBridge\SmartBridge.log | Object is locked | skipped
C:\System Volume Information\MountPointManagerRemoteDatabase | Object is locked | skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP87\A0013398.dll | Infected: not-a-virus:AdWare.Win32.Virtumonde.by | skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP87\A0013399.dll | Infected: not-virus:Hoax.Win32.Renos.ds | skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP87\A0013400.exe | Infected: not-a-virus:Downloader.Win32.WinFixer.i | skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP89\change.log | Object is locked | skipped
C:\WINDOWS\Debug\PASSWD.LOG | Object is locked | skipped
C:\WINDOWS\SchedLgU.Txt | Object is locked | skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log | Object is locked | skipped
C:\WINDOWS\Sti_Trace.log | Object is locked | skipped
C:\WINDOWS\system32\CatRoot2\edb.log | Object is locked | skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb | Object is locked | skipped
C:\WINDOWS\system32\config\AppEvent.Evt | Object is locked | skipped
C:\WINDOWS\system32\config\DEFAULT | Object is locked | skipped
C:\WINDOWS\system32\config\default.LOG | Object is locked | skipped
C:\WINDOWS\system32\config\SAM | Object is locked | skipped
C:\WINDOWS\system32\config\SAM.LOG | Object is locked | skipped
C:\WINDOWS\system32\config\SecEvent.Evt | Object is locked | skipped
C:\WINDOWS\system32\config\SECURITY | Object is locked | skipped
C:\WINDOWS\system32\config\SECURITY.LOG | Object is locked | skipped
C:\WINDOWS\system32\config\SOFTWARE | Object is locked | skipped
C:\WINDOWS\system32\config\software.LOG | Object is locked | skipped
C:\WINDOWS\system32\config\SysEvent.Evt | Object is locked | skipped
C:\WINDOWS\system32\config\SYSTEM | Object is locked | skipped
C:\WINDOWS\system32\config\system.LOG | Object is locked | skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat | Object is locked | skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat | Object is locked | skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat | Object is locked | skipped
C:\WINDOWS\system32\h323log.txt | Object is locked | skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR | Object is locked | skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP | Object is locked | skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER | Object is locked | skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP | Object is locked | skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP | Object is locked | skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA | Object is locked | skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP | Object is locked | skipped
C:\WINDOWS\wiadebug.log | Object is locked | skipped
C:\WINDOWS\wiaservc.log | Object is locked | skipped
C:\WINDOWS\WindowsUpdate.log | Object is locked | skipped
Scan process completed.
Logfile of HijackThis v1.99.1
Scan saved at 1:37:48 PM, on 8/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Looking at the KAV log first, you'll see that the detected infections are in the following areas:-
1. Housecall\Quarantine - These aren't a particular problem as they're quarantined, but run housecall anyway and empty the quarantine store to get rid of these.
2. SmitfraudFix file - We're finished with this, so it can be deleted.
3. Outlook email mailbox store - You can identify from the KAV log which emails are infected. Locate these emails, DO NOT open them, delete them and then empty the Outlook deleted items folder. Also delete the infected email in your email backup file. To completely clean your mailbox, it may be necessary to temporarily forward all of the clean emails you want to keep to a webmail account, delete your complete Outlook mailbox, create a new empty Outlook mailbox, and finally forward all of the emails back from the webmail account. Try finding and deleting the individual emails first.
4. System restore - the system restore cache can be purged as follows:
Create a clean system restore point
Click Start > Control Panel > System > System Restore Tab and click to put a tick in the "Turn off System Restore" checkbox, then click "Apply".
Reboot.
Click Start > Control Panel > System > System Restore Tab and click to remove the tick in the "Turn off System Restore" check box, and then click Apply > OK to create a new restore point and then close Control Panel.
The recurring BHO that you're detecting is probably the same thing every time, but being given a new random name at each reboot, so just deleting the latest Dll file each time isn't enough, as you've found.
We need to try and identify what's behind the generation of the random names.
Again, before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.
Step 2 Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
Open the C:\WinPFind folder and double-click on WinPFind.exe.
First, check that the settings are set as default, click configure scan options > Default > Apply.
The program will return to the main screen, click "Start Scan" and wait for it to finish.
This program will scan large amounts of files on your computer for known patterns so please be patient while it works.
When it is finished, the results of the scan will be displayed and a log file will be created at C:\WinPFind\WinPFind.txt (assuming that you extracted WinPFind to the folder specified in step 1).
Reboot as normal.
Copy and paste the full contents of the log file C:\WinPFind\WinPFind.txt into your next post.
Thanks for the fast replies. I applied the steps. Here's the log. Waiting for next instructions.
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/23/2006 11:27:19 PM
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %System%\Drivers folder and sub-folders...
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/23/2006 11:20:12 PM S 2048 C:\WINDOWS\bootstat.dat
8/20/2006 5:52:54 PM H 54156 C:\WINDOWS\QTFont.qfn
8/1/2006 11:08:08 AM HS 7680 C:\WINDOWS\Thumbs.db
6/30/2006 6:45:12 PM H 0 C:\WINDOWS\inf\oem17.inf
7/19/2006 12:30:00 PM RHS 88 C:\WINDOWS\system32\7EFD1994D8.sys
7/19/2006 12:30:00 PM HS 3766 C:\WINDOWS\system32\KGyGaAvL.sys
8/9/2006 4:33:04 PM HS 279134 C:\WINDOWS\system32\qrqss.bak1
8/23/2006 5:59:58 PM HS 637611 C:\WINDOWS\system32\qrqss.bak2
8/23/2006 10:37:24 PM HS 637079 C:\WINDOWS\system32\qrqss.ini
8/23/2006 11:26:56 PM HS 637241 C:\WINDOWS\system32\qrqss.ini2
8/23/2006 10:45:18 PM HS 637079 C:\WINDOWS\system32\qrqss.tmp
8/9/2006 4:32:44 PM HS 573492 C:\WINDOWS\system32\ssqrq.dll
7/25/2006 5:51:10 PM H 4212 C:\WINDOWS\system32\zllictbl.dat
7/5/2006 8:21:58 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917422.cat
7/28/2006 8:16:08 AM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918899.cat
7/27/2006 10:00:28 AM S 10337 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920214.cat
7/21/2006 5:03:14 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920670.cat
6/26/2006 3:47:22 PM S 11929 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920683.cat
7/13/2006 10:24:46 AM S 13050 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB921398.cat
7/14/2006 12:13:00 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB921883.cat
7/14/2006 11:53:20 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB922616.cat
7/20/2006 5:48:30 PM S 13885 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem18.CAT
8/23/2006 11:20:16 PM H 12288 C:\WINDOWS\system32\config\default.LOG
8/23/2006 11:20:36 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
8/23/2006 11:20:12 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
8/23/2006 11:21:46 PM H 1024 C:\WINDOWS\system32\config\software.LOG
8/23/2006 11:20:20 PM H 1024 C:\WINDOWS\system32\config\system.LOG
8/9/2006 11:00:40 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
6/30/2006 11:21:58 AM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
6/30/2006 11:21:58 AM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
6/30/2006 11:21:58 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
6/30/2006 11:21:58 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
6/30/2006 11:21:58 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\610XKRMT\desktop.ini
6/30/2006 11:21:58 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CP2NST2H\desktop.ini
6/30/2006 11:21:58 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G5C7WX01\desktop.ini
6/30/2006 11:21:58 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YXATGP8D\desktop.ini
7/19/2006 8:04:34 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\e5263019-2817-47a2-a95b-a73d74a6d869
7/19/2006 8:04:34 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
6/30/2006 11:21:58 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\26ddc2b5-de5b-4d5f-8b96-5b6afc77e24b
6/30/2006 11:21:58 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\c8e8e00a-56ad-4042-955b-83218d0a75f9
6/30/2006 11:21:58 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e49a2097-1c61-4b8d-8884-c769148b9d3d
6/30/2006 11:21:58 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/23/2006 11:18:46 PM H 6 C:\WINDOWS\Tasks\SA.DAT
Checking for CPL files...
Microsoft Corporation 8/4/2004 6:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Borland Software Corporation 10/7/2003 2:39:00 PM 184320 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Sonic Solutions 5/3/2006 2:31:56 PM 1019904 C:\WINDOWS\SYSTEM32\cmdvdpak.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 4/5/2005 8:22:04 PM 77824 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
InstallShield Software Corporation6/10/2005 11:43:18 AM 73728 C:\WINDOWS\SYSTEM32\ISUSPM.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 7/26/2006 3:03:14 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel(R) Corporation 12/9/2004 2:44:58 PM 77824 C:\WINDOWS\SYSTEM32\PRApplet.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
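Bod's point earlier in the thread is that deleting the newest DLL is not enough when the name changes at every reboot. As an added example (my code, not from the thread or from the WinPFind authors), this Python script parses WinPFind-style file lines, flags files that are both Hidden and System directly in system32, and pairs a DLL with same-directory files whose stem is its name spelled backwards; that reversed-name pairing is a heuristic I am adding from the listing above (ssqrq.dll beside qrqss.ini/.bak1/.bak2/.tmp), not something the thread states. The sample lines are copied from the log above and trimmed.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the WinPFind "system and hidden files" lines
# quoted in this thread (format: date time attrs size path).
SAMPLE_LOG = r"""
8/23/2006 11:20:12 PM S 2048 C:\WINDOWS\bootstat.dat
8/20/2006 5:52:54 PM H 54156 C:\WINDOWS\QTFont.qfn
7/19/2006 12:30:00 PM RHS 88 C:\WINDOWS\system32\7EFD1994D8.sys
8/9/2006 4:33:04 PM HS 279134 C:\WINDOWS\system32\qrqss.bak1
8/23/2006 5:59:58 PM HS 637611 C:\WINDOWS\system32\qrqss.bak2
8/23/2006 10:37:24 PM HS 637079 C:\WINDOWS\system32\qrqss.ini
8/23/2006 11:26:56 PM HS 637241 C:\WINDOWS\system32\qrqss.ini2
8/23/2006 10:45:18 PM HS 637079 C:\WINDOWS\system32\qrqss.tmp
8/9/2006 4:32:44 PM HS 573492 C:\WINDOWS\system32\ssqrq.dll
7/25/2006 5:51:10 PM H 4212 C:\WINDOWS\system32\zllictbl.dat
8/23/2006 11:20:16 PM H 12288 C:\WINDOWS\system32\config\default.LOG
"""

# One WinPFind file line: M/D/YYYY H:MM:SS AM|PM <attrs> <size> <path>
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<attrs>[RHSA]+) (?P<size>\d+) (?P<path>.+)$"
)

SYSTEM32 = "c:\\windows\\system32"


def parse_winpfind(text):
    """Turn WinPFind file lines into dicts; non-matching lines (headers) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def split_path(path):
    """Return (directory, stem, extension) of a Windows path, all lower-cased."""
    directory, _, name = path.lower().rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    if not dot:  # file without an extension
        stem, ext = name, ""
    return directory, stem, ext


def hidden_system_in_system32(entries):
    """Paths that carry both the Hidden and System attributes directly in system32.

    Legitimate files in that folder rarely need both attributes, so each hit
    deserves a look. Subfolders such as system32\\config are excluded on purpose:
    the registry hive logs there are hidden by design.
    """
    hits = []
    for e in entries:
        directory, _, _ = split_path(e["path"])
        if directory == SYSTEM32 and {"H", "S"} <= set(e["attrs"]):
            hits.append(e["path"])
    return hits


def reversed_name_pairs(entries):
    """Map each DLL to same-directory files whose stem is the DLL's stem reversed.

    Heuristic added for this example (not stated in the thread): the listing
    shows ssqrq.dll next to qrqss.ini/.bak1/.bak2/.tmp, i.e. the DLL name spelled
    backwards, which ties the DLL to its companion files although the names look random.
    """
    by_dir_stem = defaultdict(list)
    for e in entries:
        directory, stem, _ = split_path(e["path"])
        by_dir_stem[(directory, stem)].append(e["path"])
    pairs = {}
    for e in entries:
        directory, stem, ext = split_path(e["path"])
        if ext != "dll":
            continue
        # Exclude the DLL itself so a palindromic stem does not pair with itself.
        companions = [p for p in by_dir_stem.get((directory, stem[::-1]), [])
                      if p.lower() != e["path"].lower()]
        if companions:
            pairs[e["path"]] = sorted(companions)
    return pairs


def triage(text):
    """Run both checks over a WinPFind log and return the findings together."""
    entries = parse_winpfind(text)
    return {
        "hidden_system": hidden_system_in_system32(entries),
        "reversed_pairs": reversed_name_pairs(entries),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path in result["hidden_system"]:
        print("hidden+system in system32:", path)
    for dll, companions in result["reversed_pairs"].items():
        print(dll, "<->", ", ".join(companions))
```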
Thanks for the WinPFind log, It's taking a bit of time going through it and checking the entries, so I'll get back to you tomorrow with my next set of instructions.
Step 1 Run Killbox.
Select Replace on Reboot.
Copy and paste the file name below to the Full path of file to delete box.
C:\WINDOWS\system32\ssqrq.dll
Put a check next to unregister .dll.
Also put a check next to Use dummy, and End Explorer Shell While Killing File.
If available, put a check next to Unregister .dll Before Deleting.
Click the red-and-white Delete File button.
Click Yes at the Delete on Reboot prompt.
Click Yes at the Do You Want to Reboot Now prompt.
If you still get the BHO message when you re-start, run Vundofix again.
Thanks for the Vundofix logs. As you'll have seen, the second run of Vundofix you did deleted all the files found, so if you're still getting the BHO warning, there must be something else.
I'd like another WinPFind log please.
Again, before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.
Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
Open the C:\WinPFind folder and double-click on WinPFind.exe.
First, check that the settings are set as default, click configure scan options > Default > Apply.
The program will return to the main screen, click "Start Scan" and wait for it to finish.
This program will scan large amounts of files on your computer for known patterns so please be patient while it works.
When it is finished, the results of the scan will be displayed and a log file will be created at C:\WinPFind\WinPFind.txt (assuming that you extracted WinPFind to the folder specified in step 1).
Copy and paste the full contents of the log file C:\WinPFind\WinPFind.txt into your next post.
Bod99
561 Posts
0
August 22nd, 2006 13:00
Download SmitfraudFix from http://siri.urz.free.fr/Fix/SmitfraudFix.zip and save the file to your desktop.
Extract the content (a folder named SmitfraudFix) to your Desktop.
Thanks,
Bod
opus-sante
16 Posts
0
August 22nd, 2006 14:00
Run from C:\Documents and Settings\Hakim\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Hakim\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"=" file:///C:/DOCUME~1/Hakim/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg"
"SubscribedURL"=" file:///C:/DOCUME~1/Hakim/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
!!!Attention, following keys are not inevitably infected!!!
Search SharedTaskScheduler's .dll
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
NEW BHO DETECTION ALERT
On 16:18:43 08/09/2006 a new BHO installation attempt was detected.
BHO: {CBCC61FA-0221-4ccc-B409-CEE865CACA3A}
ProgramID: MyToolBar.MyToolBarObj.1
File Location: C:\Program Files\ToolBar888\MyToolBar.dll
User Action Taken: REMOVE BHO
--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 16:20:55 08/09/2006 a new BHO installation attempt was detected.
BHO: {873eb32d-ae1a-4183-89bd-45a77f761be4}
ProgramID: n/a
File Location: C:\WINDOWS\system32\ixt0.dll
User Action Taken: REMOVE BHO
--------------------------------------------------------------------------------
Bod99
561 Posts
0
August 22nd, 2006 14:00
Next stage of the fix.
Again, before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.
Please follow and carry out all the steps in the instructions in the order I've listed them.
Step 1
Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option "2 - Clean" by typing "2" and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; type "Y" and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); type "Y" and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, reboot as normal.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Step 2
Download ATF Cleaner from http://www.atribune.org/ccount/click.php?id=1
Run ATF Cleaner. Click on the check box to select the following options:
Windows Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Recycle Bin
Click "Empty Selected". Exit when finished.
Step 3
Download Ewido from www.ewido.net/en/download, and install. At the end of the installation process, leave the tick in the "Run Ewido Anti-Spyware 4.0" checkbox. Click "Finish"
When the opening screen appears, click "change state" for "Resident Shield" to change the state to "inactive". This is done to prevent the resident shield interfering with our attempts to fix the problems present on the pc.
Ewido will automatically update, and a toolbar message balloon will confirm that update is complete. If this doesn't happen, click Update > Start Update.
Close Ewido.
Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
Run Ewido again, click Scanner > Complete System Scan.
At the end of the scan, a list of found objects will be generated. Check through the list for false positives, and change the "Action" entry if necessary.
Click "Apply all actions"
When the actions have been completed, click Save Report > Save report as, and save report as a text file on your desktop. I will need a copy of the report contents as part of your next post.
Reboot as normal.
Step 4
Run Hijack This, "Scan" and post the log, together with a copy of the SmitFraudFix and Ewido logs, as a reply to this thread. I'll check it through, and get back to you.
Thanks,
Bod
Bod99
561 Posts
0
August 22nd, 2006 16:00
You'll keep getting the warnings until we've dealt with the files that are trying to install. It was more important to deal with SmitFraud first.
OK, I've now got some more instructions for you.
As before, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.
Please follow and carry out all the steps in the instructions in the order I've listed them.
Step 1
Run Hijack This, don't have any other programs open, and click "Scan".
In the scan results, click on the check box for all of the following lines that are present.
O4 - HKLM\..\Run: [I/O Controllers] svcnet.exe
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
Click on "Fix checked".
Step 2
Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
Click My Computer > Tools > View, then put a tick in the "Display the contents of system folders" and "Show hidden files and folders" check boxes. Uncheck the "Hide protected operating system files (recommended)" option.
Click "Yes" to confirm.
Click "OK".
Navigate to the following folder and file and delete each of them. Some may not be present.
Folder (delete with all contents)
C:\Program Files\ToolBar888
File
C:\WINDOWS\system32\ixt0.dll
You also need to search for a file.
Click Start > Search > All Files and Folders > More advanced options
Make sure that there is a tick in the check box for "Search System Folders", "Search hidden files and folders", and "Search subfolders"
Enter the following file name in "All or part of file name" and click on "Search".
svcnet.exe
If the file is found, delete it
Reboot as normal.
Step 3
Do an online scan with Kaspersky WebScanner at http://www.kaspersky.com/virusscanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click "Yes".
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on "NEXT"
Now click on "Scan Settings"
In the scan settings, make sure that the following are selected:
"Scan using the following Anti-Virus database:"
Extended (if available otherwise Standard)
"Scan Options:"
Scan Archives
Scan Mail Bases
Click "OK"
Now under "select a target to scan:" Select "My Computer"
This program will start and scan your system. The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected. Click on "Save as Text" and save the file to your desktop.
Post the KAV scan log in your next reply.
Step 4 - Java Update - This is essential, earlier versions of Java can be exploited
Go to http://java.sun.com/j2se/1.5.0/download.jsp and download and install Java Runtime Environment (JRE) 5.0 Update 8.
Click the link "Download JRE 5.0 Update 8". You will then need to select "Accept License Agreement" and click "Continue". Then click the link "Windows Offline Installation, Multi-language", and save it to your Desktop.
Then go back to your Desktop and double click "jre-1_5_0_08-windows-i586-p.exe" to start the install.
Once you have it installed, Click Start > Control Panel > Add/Remove Programs.
Allow the list to populate, then click on "Remove" for "Java Runtime Environment 4.2 Update 3" and any other older Java Runtime Environment entries.
Step 5
Run Hijack This, "Scan" and post the log as a reply to this thread. I'll check it through, and get back to you.
Also, please let me know how the PC's running now.
Thanks,
Bod
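A small triage script for the HijackThis lines Bod singles out in Step 1 above, added here as an illustration; it is not code from this thread, from HijackThis or from any other tool named in it. It parses O4 autostart entries and O15 Trusted Zone entries and flags the two patterns the fix targets: an O4 entry that starts a program by bare file name (Windows then locates it by PATH search, so the file can sit in any searched directory, which is why Step 2 has to hunt for svcnet.exe), and any site placed in the Trusted Zone. The sample lines are copied from the log posted in this thread; the regular expressions and the "qualified path" rule (drive letter, UNC or %var% prefix) are my own assumptions about the log layout.

```python
"""Triage of a HijackThis log for the two entry types singled out in this
thread: O4 autostart entries that name an executable without a full path,
and O15 Trusted Zone additions. Added example; not HijackThis code."""
import re
from typing import List, NamedTuple

# Sample input: lines copied from the HijackThis log posted in this thread,
# benign entries mixed with the two that the fix targets.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [I/O Controllers] svcnet.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
"""


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "O4"
    target: str    # the executable or site the entry refers to
    reason: str    # why a reviewer would look at it
    line: str      # the original log line


# Assumed log layout (matches the lines above): "O4 - HIVE\..\Key: [name] command".
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)")
# A program reference is "qualified" if it starts with a drive letter,
# a UNC prefix, or an environment variable such as %windir%.
QUALIFIED_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%[^%]+%\\)")


def executable_of(cmd: str) -> str:
    """Return the program part of an autostart command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_qualified(program: str) -> bool:
    """True when the program is given with a drive, UNC or %var% prefix."""
    return bool(QUALIFIED_RE.match(program))


def triage(log_text: str) -> List[Finding]:
    """Return the O4/O15 entries that match the patterns fixed in this thread."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if not is_qualified(exe):
                findings.append(Finding(
                    "O4", exe,
                    f"{m.group('hive')} Run value '{m.group('name')}' starts '{exe}' "
                    "by bare name; Windows finds it by PATH search, so the file can "
                    "sit in any searched directory (system32, %windir%, ...)",
                    line))
            continue
        m = O15_RE.match(line)
        if m:
            findings.append(Finding(
                "O15", m.group("site"),
                "site placed in the IE Trusted Zone, where content runs with "
                "relaxed security settings; remove unless added deliberately",
                line))
    return findings


def unique_targets(findings: List[Finding]) -> List[str]:
    """Distinct files/sites to search for or remove, in sorted order."""
    return sorted({f.target for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.target}: {f.reason}")
    print("targets:", unique_targets(triage(SAMPLE_LOG)))
```

Run against the sample it reports the two svcnet.exe Run values and the imageservr.com Trusted Zone entry and nothing else; the `unique_targets` list is what you would carry into the file search in Step 2. Entries under O4 - Startup and O4 - Global Startup are shortcut files rather than registry values and are deliberately left to the O4 regex to ignore.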
opus-sante
16 Posts
0
August 22nd, 2006 16:00
Scan saved at 1:04:42 PM, on 8/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\WINDOWS\system32\wisptis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://opus-sante.com/blog/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://start.sympatico.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [I/O Controllers] svcnet.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA515E91-6D1C-44E2-94DB-B6D6A303B5EE}: NameServer = 67.69.184.75 67.69.184.227
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
Run from C:\Documents and Settings\Hakim\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
!!!Attention, following keys are not inevitably infected!!!
Search SharedTaskScheduler's .dll
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\DOCUME~1\Hakim\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
ewido anti-spyware - Scan Report
---------------------------------------------------------
opus-sante
16 Posts
0
August 23rd, 2006 16:00
--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 13:45:07 08/23/2006 a new BHO installation attempt was detected.
BHO: {05D0D780-6076-4915-82B6-B247CF20680B}
ProgramID: n/a
File Location: C:\WINDOWS\system32\ssqrq.dll
User Action Taken: KEEP BHO
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 23, 2006 1:29:34 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 23/08/2006
Kaspersky Anti-Virus database records: 217631
Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target: My Computer
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects: 62898
Number of viruses found: 7
Number of infected objects: 15 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:08:19
Infected Object Name | Virus Name | Last Action
C:\Documents and Settings\Hakim\.housecall\Quarantine\Sim City 2000 Microsoft Windows XP Full Version.zip.bac_a03676/NERO5031.ZIP/nero5031.exe | Infected: Email-Worm.Win32.Hybris.b | skipped
C:\Documents and Settings\Hakim\.housecall\Quarantine\Sim City 2000 Microsoft Windows XP Full Version.zip.bac_a03676/NERO5031.ZIP | Infected: Email-Worm.Win32.Hybris.b | skipped
C:\Documents and Settings\Hakim\.housecall\Quarantine\Sim City 2000 Microsoft Windows XP Full Version.zip.bac_a03676/Cdrwin.3.8c.zip/cdr38c-e.exe | Infected: Email-Worm.Win32.Hybris.b | skipped
C:\Documents and Settings\Hakim\.housecall\Quarantine\Sim City 2000 Microsoft Windows XP Full Version.zip.bac_a03676/Cdrwin.3.8c.zip | Infected: Email-Worm.Win32.Hybris.b | skipped
C:\Documents and Settings\Hakim\.housecall\Quarantine\Sim City 2000 Microsoft Windows XP Full Version.zip.bac_a03676 | ZIP: infected - 4 | skipped
C:\Documents and Settings\Hakim\.housecall\Quarantine\Sim City 2000 Microsoft Windows XP Full Version.zip.bac_a03676 | CryptFF.b: infected - 4 | skipped
C:\Documents and Settings\Hakim\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log | Object is locked | skipped
C:\Documents and Settings\Hakim\Cookies\index.dat | Object is locked | skipped
C:\Documents and Settings\Hakim\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe | Infected: not-a-virus:RiskTool.Win32.Reboot.f | skipped
C:\Documents and Settings\Hakim\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Dossiers personnels/Éléments supprimés/22 Aug 2006 18:37 from Sandygio:Ann/Ralph.zip | Infected: Email-Worm.Win32.Bagle.gen | skipped
C:\Documents and Settings\Hakim\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Dossiers personnels/Boîte de réception/3 Admin/Archives/website/ebay/28 Jul 2005 02:17 from eBay:Important bank mail [Thu, 28 Jul 200.rtf | Infected: Trojan-Spy.HTML.Bayfraud.hn | skipped
C:\Documents and Settings\Hakim\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst | Mail MS Mail: infected - 2 | skipped
C:\Documents and Settings\Hakim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat | Object is locked | skipped
C:\Documents and Settings\Hakim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG | Object is locked | skipped
C:\Documents and Settings\Hakim\Local Settings\History\History.IE5\index.dat | Object is locked | skipped
C:\Documents and Settings\Hakim\Local Settings\Temp\~DF1B51.tmp | Object is locked | skipped
C:\Documents and Settings\Hakim\Local Settings\Temp\~DFD930.tmp | Object is locked | skipped
C:\Documents and Settings\Hakim\Local Settings\Temporary Internet Files\Content.IE5\index.dat | Object is locked | skipped
C:\Documents and Settings\Hakim\My Documents\backup21aug06.pst/Dossiers personnels/Boîte de réception/3 Admin/Archives/website/ebay/28 Jul 2005 02:17 from eBay:Important bank mail [Thu, 28 Jul 200.rtf | Infected: Trojan-Spy.HTML.Bayfraud.hn | skipped
C:\Documents and Settings\Hakim\My Documents\backup21aug06.pst | Mail MS Mail: infected - 1 | skipped
C:\Documents and Settings\Hakim\NTUSER.DAT | Object is locked | skipped
C:\Documents and Settings\Hakim\ntuser.dat.LOG | Object is locked | skipped
C:\Documents and Settings\LocalService\Cookies\index.dat | Object is locked | skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat | Object is locked | skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG | Object is locked | skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat | Object is locked | skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat | Object is locked | skipped
C:\Documents and Settings\LocalService\NTUSER.DAT | Object is locked | skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG | Object is locked | skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat | Object is locked | skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG | Object is locked | skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT | Object is locked | skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG | Object is locked | skipped
C:\Program Files\NetAssistant\log\mpbtn.log | Object is locked | skipped
C:\Program Files\NetAssistant\SmartBridge\AlertFilter.log | Object is locked | skipped
C:\Program Files\NetAssistant\SmartBridge\log\httpclient.log | Object is locked | skipped
C:\Program Files\NetAssistant\SmartBridge\SmartBridge.log | Object is locked | skipped
C:\System Volume Information\MountPointManagerRemoteDatabase | Object is locked | skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP87\A0013398.dll | Infected: not-a-virus:AdWare.Win32.Virtumonde.by | skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP87\A0013399.dll | Infected: not-virus:Hoax.Win32.Renos.ds | skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP87\A0013400.exe | Infected: not-a-virus:Downloader.Win32.WinFixer.i | skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP89\change.log | Object is locked | skipped
C:\WINDOWS\Debug\PASSWD.LOG | Object is locked | skipped
C:\WINDOWS\SchedLgU.Txt | Object is locked | skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log | Object is locked | skipped
C:\WINDOWS\Sti_Trace.log | Object is locked | skipped
C:\WINDOWS\system32\CatRoot2\edb.log | Object is locked | skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb | Object is locked | skipped
C:\WINDOWS\system32\config\AppEvent.Evt | Object is locked | skipped
C:\WINDOWS\system32\config\DEFAULT | Object is locked | skipped
C:\WINDOWS\system32\config\default.LOG | Object is locked | skipped
C:\WINDOWS\system32\config\SAM | Object is locked | skipped
C:\WINDOWS\system32\config\SAM.LOG | Object is locked | skipped
C:\WINDOWS\system32\config\SecEvent.Evt | Object is locked | skipped
C:\WINDOWS\system32\config\SECURITY | Object is locked | skipped
C:\WINDOWS\system32\config\SECURITY.LOG | Object is locked | skipped
C:\WINDOWS\system32\config\SOFTWARE | Object is locked | skipped
C:\WINDOWS\system32\config\software.LOG | Object is locked | skipped
C:\WINDOWS\system32\config\SysEvent.Evt | Object is locked | skipped
C:\WINDOWS\system32\config\SYSTEM | Object is locked | skipped
C:\WINDOWS\system32\config\system.LOG | Object is locked | skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat | Object is locked | skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat | Object is locked | skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat | Object is locked | skipped
C:\WINDOWS\system32\h323log.txt | Object is locked | skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR | Object is locked | skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP | Object is locked | skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER | Object is locked | skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP | Object is locked | skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP | Object is locked | skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA | Object is locked | skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP | Object is locked | skipped
C:\WINDOWS\wiadebug.log | Object is locked | skipped
C:\WINDOWS\wiaservc.log | Object is locked | skipped
C:\WINDOWS\WindowsUpdate.log | Object is locked | skipped
Scan process completed.
Logfile of HijackThis v1.99.1
Scan saved at 1:37:48 PM, on 8/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://opus-sante.com/blog/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://start.sympatico.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA515E91-6D1C-44E2-94DB-B6D6A303B5EE}: NameServer = 67.69.184.75 67.69.184.227
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
Bod99
561 Posts
0
August 23rd, 2006 20:00
Thanks for the logs.
Looking at the KAV log first, you'll see that the detected infections are in the following areas:-
1. Housecall\Quarantine - These aren't a particular problem as they're quarantined, but run housecall anyway and empty the quarantine store to get rid of these.
2. SmitfraudFix file - We're finished with this, so it can be deleted.
3. Outlook email mailbox store - You can identify from the KAV log which emails are infected, locate these emails, DO NOT open them, delete them and then empty the Outlook deleted items folder. Also delete the infected email in your email backup file. To completely clean your mailbox, it may be necessary to temporarily forward all of the clean emails you want to keep to a webmail account, delete your complete Outlook mailbox, create a new empty Outlook mailbox, and finally forward all of the emails back from the webmail account. Try finding and deleting the individual emails first.
4. System restore - the system restore cache can be purged as follows:
Create a clean system restore point
Click Start > Control Panel > System > System Restore Tab and click to put a tick in the "Turn off System Restore" checkbox, then click "Apply".
Reboot.
Click Start > Control Panel > System > System Restore Tab and click to remove the tick in the "Turn off System Restore" check box, and then click Apply > OK to create a new restore point and then close Control Panel.
The re-occurring BHO that you're detecting is probably the same thing every time, but being given a new random name at each reboot, so just deleting the latest Dll file each time isn't enough, as you've found.
We need to try and identify what's behind the generation of the random names.
Again, before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.
Step 1
Download WinPfind from http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip.
Extract it to your C:\ folder. This will create a folder called C:\WinPFind. Do not run it yet.
Step 2
Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
Open the C:\WinPFind folder and double-click on WinPFind.exe.
First, check that the settings are set as default, click configure scan options > Default > Apply.
The program will return to the main screen, click "Start Scan" and wait for it to finish.
This program will scan large amounts of files on your computer for known patterns so please be patient while it works.
When it is finished, the results of the scan will be displayed and a log file will be created at C:\WinPFind\WinPFind.txt (assuming that you extracted WinPFind to the folder specified in step 1).
Reboot as normal.
Copy and paste the full contents of the log file C:\WinPFind\WinPFind.txt into your next post.
Thanks,
Bod
opus-sante
16 Posts
0
August 24th, 2006 02:00
SV1 =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Shell Extension for Malware scanning
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Shell Extension for Malware scanning
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}
SpywareGuardDLBLOCK.CBrowserHelper = C:\Program Files\SpywareGuard\dlprotect.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
DriveLetterAccess = C:\WINDOWS\System32\DLA\DLASHX_W.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{91FBE689-8C8B-4552-AF09-BAB88E11630A}
= C:\WINDOWS\system32\ssqrq.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}
AcroIEToolbarHelper Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\system32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
SoundMAXPnP C:\Program Files\Analog Devices\Core\smax4pnp.exe
IgfxTray C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
Persistence C:\WINDOWS\system32\igfxpers.exe
DMXLauncher C:\Program Files\Dell\Media Experience\DMXLauncher.exe
ISUSPM Startup "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
ISUSScheduler "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
DLA C:\WINDOWS\System32\DLA\DLACTRLW.EXE
SpeedTouch USB Diagnostics "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
Motive SmartBridge C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
avgnt "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
SSBkgdUpdate "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
PaperPort PTD C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
IndexSearch C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
SetDefPrt C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
ControlCenter2.0 C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
system.ini 0
win.ini 0
bootini 0
services 0
startup 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
NoCDBurning 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
NoDriveTypeAutoRun 145
{2C59F0B9-0AE9-1033-0103-060416200001} "C:\Program Files\Common Files\{2C59F0B9-0AE9-1033-0103-060416200001}\Update.exe" mc-110-12-0000272
DisableRegistryTools 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
= cryptnet.dll
= cscdll.dll
= igfxdev.dll
= wlnotify.dll
= wlnotify.dll
= sclgntfy.dll
= WlNotify.dll
= C:\WINDOWS\system32\ssqrq.dll
= wlnotify.dll
= WgaLogon.dll
= wincqt32.dll
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/23/2006 11:27:19 PM
opus-sante
16 Posts
0
August 24th, 2006 02:00
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
UPX! 4/18/2005 1:49:26 PM 57344 C:\WINDOWS\Unwash6.exe
PEC2 8/4/2004 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 8/2/2006 9:22:50 PM 8255912 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/2/2006 9:22:50 PM 8255912 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 6:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 6:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 4/27/2006 5:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 1/9/2006 10:36:04 AM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 1/9/2006 10:36:06 AM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 8/4/2004 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/23/2006 11:20:12 PM S 2048 C:\WINDOWS\bootstat.dat
8/20/2006 5:52:54 PM H 54156 C:\WINDOWS\QTFont.qfn
8/1/2006 11:08:08 AM HS 7680 C:\WINDOWS\Thumbs.db
6/30/2006 6:45:12 PM H 0 C:\WINDOWS\inf\oem17.inf
7/19/2006 12:30:00 PM RHS 88 C:\WINDOWS\system32\7EFD1994D8.sys
7/19/2006 12:30:00 PM HS 3766 C:\WINDOWS\system32\KGyGaAvL.sys
8/9/2006 4:33:04 PM HS 279134 C:\WINDOWS\system32\qrqss.bak1
8/23/2006 5:59:58 PM HS 637611 C:\WINDOWS\system32\qrqss.bak2
8/23/2006 10:37:24 PM HS 637079 C:\WINDOWS\system32\qrqss.ini
8/23/2006 11:26:56 PM HS 637241 C:\WINDOWS\system32\qrqss.ini2
8/23/2006 10:45:18 PM HS 637079 C:\WINDOWS\system32\qrqss.tmp
8/9/2006 4:32:44 PM HS 573492 C:\WINDOWS\system32\ssqrq.dll
7/25/2006 5:51:10 PM H 4212 C:\WINDOWS\system32\zllictbl.dat
7/5/2006 8:21:58 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917422.cat
7/28/2006 8:16:08 AM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918899.cat
7/27/2006 10:00:28 AM S 10337 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920214.cat
7/21/2006 5:03:14 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920670.cat
6/26/2006 3:47:22 PM S 11929 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920683.cat
7/13/2006 10:24:46 AM S 13050 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB921398.cat
7/14/2006 12:13:00 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB921883.cat
7/14/2006 11:53:20 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB922616.cat
7/20/2006 5:48:30 PM S 13885 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem18.CAT
8/23/2006 11:20:16 PM H 12288 C:\WINDOWS\system32\config\default.LOG
8/23/2006 11:20:36 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
8/23/2006 11:20:12 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
8/23/2006 11:21:46 PM H 1024 C:\WINDOWS\system32\config\software.LOG
8/23/2006 11:20:20 PM H 1024 C:\WINDOWS\system32\config\system.LOG
8/9/2006 11:00:40 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
6/30/2006 11:21:58 AM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
6/30/2006 11:21:58 AM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
6/30/2006 11:21:58 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
6/30/2006 11:21:58 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
6/30/2006 11:21:58 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\610XKRMT\desktop.ini
6/30/2006 11:21:58 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CP2NST2H\desktop.ini
6/30/2006 11:21:58 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G5C7WX01\desktop.ini
6/30/2006 11:21:58 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YXATGP8D\desktop.ini
7/19/2006 8:04:34 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\e5263019-2817-47a2-a95b-a73d74a6d869
7/19/2006 8:04:34 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
6/30/2006 11:21:58 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\26ddc2b5-de5b-4d5f-8b96-5b6afc77e24b
6/30/2006 11:21:58 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\c8e8e00a-56ad-4042-955b-83218d0a75f9
6/30/2006 11:21:58 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e49a2097-1c61-4b8d-8884-c769148b9d3d
6/30/2006 11:21:58 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/23/2006 11:18:46 PM H 6 C:\WINDOWS\Tasks\SA.DAT
Microsoft Corporation 8/4/2004 6:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Borland Software Corporation 10/7/2003 2:39:00 PM 184320 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Sonic Solutions 5/3/2006 2:31:56 PM 1019904 C:\WINDOWS\SYSTEM32\cmdvdpak.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 4/5/2005 8:22:04 PM 77824 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
InstallShield Software Corporation6/10/2005 11:43:18 AM 73728 C:\WINDOWS\SYSTEM32\ISUSPM.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 7/26/2006 3:03:14 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel(R) Corporation 12/9/2004 2:44:58 PM 77824 C:\WINDOWS\SYSTEM32\PRApplet.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 6:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
6/30/2006 11:54:52 PM 1824 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
7/20/2006 6:22:04 PM 812 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
8/10/2004 2:04:12 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
7/20/2006 5:49:14 PM 1556 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
6/30/2006 11:42:20 AM 1740 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
6/30/2006 2:07:42 PM 1672 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
6/30/2006 2:25:16 PM 305 C:\Documents and Settings\All Users\Application Data\addr_file.html
8/10/2004 1:57:42 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
8/18/2006 10:15:34 AM 1761 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
8/10/2004 2:04:12 PM HS 84 C:\Documents and Settings\Hakim\Start Menu\Programs\Startup\desktop.ini
8/19/2006 4:57:14 PM 751 C:\Documents and Settings\Hakim\Start Menu\Programs\Startup\palmOne Registration.lnk
7/25/2006 5:45:38 PM 650 C:\Documents and Settings\Hakim\Start Menu\Programs\Startup\SpywareGuard.lnk
8/10/2004 1:57:42 PM HS 62 C:\Documents and Settings\Hakim\Application Data\desktop.ini
8/5/2006 6:02:46 PM 5120 C:\Documents and Settings\Hakim\Application Data\dvd.bmk
8/21/2006 6:31:48 PM 50944 C:\Documents and Settings\Hakim\Application Data\GDIPFONTCACHEV1.DAT
6/30/2006 3:36:50 PM HS 88 C:\Documents and Settings\Hakim\Application Data\ZPUQPMQDC8BKG5QST7A9QKXGJU
Bod99
561 Posts
0
August 24th, 2006 19:00
Hi,
Thanks for the WinPFind log. It's taking a bit of time going through it and checking the entries, so I'll get back to you tomorrow with my next set of instructions.
Bod
Bod99
561 Posts
0
August 25th, 2006 17:00
I've been through the WinPFind log and have found signs of a hidden Vundo infection. We'll try using the standard tool on this first.
Download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
When VundoFix opens, click "Scan for Vundo".
When the scan is complete, click "Remove Vundo".
You will receive a prompt, "Do you want to remove the files?", click "YES".
Your desktop will then go blank as the program starts removing Vundo.
When completed, you will get a prompt that your computer will be shutdown, click "OK".
Re-start your computer.
A log file is generated, C:\vundofix.txt.
I will need a copy of this log as your next post.
Thanks,
Bod
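The WinPFind log above is what Bod worked from: the same DLL shows up as a nameless Browser Helper Object, as a full-path entry in the Winlogon\Notify list (where the stock entries are bare file names), and alongside hidden+system files in system32 whose name is the DLL name spelled backwards (ssqrq.dll next to qrqss.ini). The script below is an added example, not part of this thread and not code from WinPFind or VundoFix: it parses those three WinPFind sections and flags a BHO when at least two of those signs line up. The sample log text is constructed from entries posted above; the reversed-name rule and the two-of-three threshold are assumptions encoded from this particular log, not anything WinPFind itself does.

```python
"""Correlate WinPFind log sections to flag a randomly named BHO DLL.

Added example for this thread; it is not part of WinPFind, VundoFix or any
other tool used here. SAMPLE_LOG is constructed from entries in the
WinPFind log posted above, trimmed to the lines the checks need.
"""
import ntpath
import re
from dataclasses import dataclass, field

# One WinPFind file-list line: date, time, optional attribute letters
# (R/H/S/A, absent for ordinary files), size in bytes, full path.
FILE_RE = re.compile(
    r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M "
    r"(?:(?P<attrs>[RHSA]+) )?(?P<size>\d+) (?P<path>.+)$"
)

SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{91FBE689-8C8B-4552-AF09-BAB88E11630A}
= C:\WINDOWS\system32\ssqrq.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
= cryptnet.dll
= wlnotify.dll
= C:\WINDOWS\system32\ssqrq.dll
= WgaLogon.dll
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/23/2006 11:20:12 PM S 2048 C:\WINDOWS\bootstat.dat
8/9/2006 4:33:04 PM HS 279134 C:\WINDOWS\system32\qrqss.bak1
8/23/2006 10:37:24 PM HS 637079 C:\WINDOWS\system32\qrqss.ini
8/9/2006 4:32:44 PM HS 573492 C:\WINDOWS\system32\ssqrq.dll
7/25/2006 5:51:10 PM H 4212 C:\WINDOWS\system32\zllictbl.dat
"""


@dataclass
class FileEntry:
    attrs: str
    size: int
    path: str


@dataclass
class Finding:
    clsid: str
    path: str
    reasons: list = field(default_factory=list)
    companions: list = field(default_factory=list)


def parse_winpfind(text):
    """Extract BHOs keyed by CLSID -> (display name, path), the Winlogon\\Notify
    DLL list, and file-list entries with their attribute letters."""
    bhos, notify, files = {}, [], []
    pending = None  # registry key that the following "name = value" lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(FileEntry(m["attrs"] or "", int(m["size"]), m["path"]))
            pending = None
            continue
        upper = line.upper()
        if upper.startswith(("HKLM\\", "HKEY_", "[HK")):
            if "\\BROWSER HELPER OBJECTS\\" in upper:
                pending = ("bho", line.rsplit("\\", 1)[1])  # CLSID is the last component
            elif "\\WINLOGON\\NOTIFY\\" in upper:
                pending = ("notify", None)
            else:
                pending = None
            continue
        if pending and "=" in line:
            name, _, value = line.partition("=")
            if pending[0] == "bho":
                bhos[pending[1]] = (name.strip(), value.strip())
                pending = None  # one value line per BHO key
            else:
                notify.append(value.strip())
            continue
        pending = None
    return {"bhos": bhos, "notify": notify, "files": files}


def flag_suspect_bhos(parsed, min_reasons=2):
    """Flag a BHO when at least min_reasons of three signs hold (threshold and
    reversed-name rule are assumptions drawn from this log): no display name;
    the same DLL listed by full path under Winlogon\\Notify; hidden+system
    files in the DLL's folder whose basename is the DLL basename reversed."""
    notify_full = {p.lower() for p in parsed["notify"] if "\\" in p}
    hs_files = [f for f in parsed["files"] if "H" in f.attrs and "S" in f.attrs]
    findings = []
    for clsid, (name, path) in parsed["bhos"].items():
        stem = ntpath.basename(path).rsplit(".", 1)[0].lower()
        folder = ntpath.dirname(path).lower()
        finding = Finding(clsid, path)
        if not name:
            finding.reasons.append("BHO has no display name")
        if path.lower() in notify_full:
            finding.reasons.append("same DLL registered under Winlogon\\Notify")
        finding.companions = [
            f.path for f in hs_files
            if ntpath.dirname(f.path).lower() == folder
            and ntpath.basename(f.path).split(".")[0].lower() == stem[::-1]
        ]
        if finding.companions:
            finding.reasons.append("hidden+system companion files with reversed name")
        if len(finding.reasons) >= min_reasons:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in flag_suspect_bhos(parse_winpfind(SAMPLE_LOG)):
        print(f.clsid, f.path)
        for r in f.reasons:
            print("  -", r)
        for c in f.companions:
            print("  companion:", c)
```

On the sample it reports only the {91FBE689-...} entry with all three reasons and the two qrqss.* companions; the Java SSVHelper BHO scores zero. The two-of-three threshold is deliberate: a missing display name on its own is not unusual (the Spybot SDHelper.dll entry in the log above has none either), so a single sign should prompt a look, not a verdict. For a real log, paste the whole WinPFind text into parse_winpfind; ntpath is used so the Windows paths parse correctly on any platform.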
Bod99
561 Posts
0
August 25th, 2006 17:00
Thanks for the Vundofix log. As you'll have seen, it failed to delete one of the files, so we'll try a manual delete.
Download Killbox from http://www.downloads.subratam.org/KillBox.zip. Once it is downloaded extract it to c:\killbox.
Step 1
Run Killbox.
Select Replace on Reboot.
Copy and paste the file name below to the Full path of file to delete box.
C:\WINDOWS\system32\ssqrq.dll
Put a check next to unregister .dll.
Also put a check next to Use dummy and End Explorer Shell While Killing File.
If available, put a check next to Unregister .dll Before Deleting
Click the red-and-white Delete File button.
Click Yes at the Delete on Reboot prompt.
Click Yes at the Do You Want to Reboot Now prompt.
If you still get the BHO message when you re-start, run Vundofix again.
Step 2
Download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
When VundoFix opens, click "Scan for Vundo".
When the scan is complete, click "Remove Vundo".
You will receive a prompt, "Do you want to remove the files?", click "YES".
Your desktop will then go blank as the program starts removing Vundo.
When completed, you will get a prompt that your computer will be shutdown, click "OK".
Re-start your computer.
A log file is generated, C:\vundofix.txt.
I will need a copy of this new log as your next post.
Thanks,
Bod
opus-sante
16 Posts
0
August 25th, 2006 17:00
VundoFix V6.1.2
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\qrqss.bak2
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\qrqss.tmp
C:\WINDOWS\system32\ssqrq.dll Could not be deleted.
C:\WINDOWS\system32\qrqss.ini Has been deleted!
C:\WINDOWS\system32\qrqss.bak1 Has been deleted!
C:\WINDOWS\system32\qrqss.bak2 Has been deleted!
C:\WINDOWS\system32\qrqss.ini2 Has been deleted!
C:\WINDOWS\system32\qrqss.tmp Has been deleted!
Done!
opus-sante
16 Posts
0
August 25th, 2006 19:00
VundoFix V6.1.2
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\qrqss.bak2
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\qrqss.tmp
C:\WINDOWS\system32\ssqrq.dll Could not be deleted.
C:\WINDOWS\system32\qrqss.ini Has been deleted!
C:\WINDOWS\system32\qrqss.bak1 Has been deleted!
C:\WINDOWS\system32\qrqss.bak2 Has been deleted!
C:\WINDOWS\system32\qrqss.ini2 Has been deleted!
C:\WINDOWS\system32\qrqss.tmp Has been deleted!
Done!
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\ssqrq.dll Has been deleted!
C:\WINDOWS\system32\qrqss.ini Has been deleted!
C:\WINDOWS\system32\qrqss.bak1 Has been deleted!
Done!
Bod99
561 Posts
0
August 25th, 2006 21:00
Thanks for the Vundofix logs. As you'll have seen, the second run of Vundofix you did deleted all the files found, so if you're still getting the BHO warning, there must be something else.
I'd like another WinPFind log please.
Again, before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.
Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
Open the C:\WinPFind folder and double-click on WinPFind.exe.
First, check that the settings are set as default, click configure scan options > Default > Apply.
The program will return to the main screen, click "Start Scan" and wait for it to finish.
This program will scan large amounts of files on your computer for known patterns so please be patient while it works.
When it is finished, the results of the scan will be displayed and a log file will be created at C:\WinPFind\WinPFind.txt (assuming that you extracted WinPFind to the folder specified in step 1).
Copy and paste the full contents of the log file C:\WinPFind\WinPFind.txt into your next post.
And "Yes", we are getting closer to solving this!
Thanks,
Bod