PC Help Forum, Security & Safety, Spyware / AdWare: Big spyware problems

#1
09-15-2007
brent
Bronze Member
Join Date: Aug 2005
Posts: 61
Big spyware problems

First off, I just want to say thanks to everybody on the site who helps people with their computer problems, such as myself. Anyway, to the problems.
About 2 weeks ago my computer started freezing about every 1.5 seconds for a short amount of time (around .3 seconds). During the short freeze, under the task manager, my CPU usage spikes up to 100%.
Also, almost every time I log in I get a message saying "Buffer overrun detected! Program: C:\windows\explorer.exe. A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated."
Today, I turned on the computer, went to dinner and came back to see my desktop changed to a black background with red writing saying "spyware detected, your ip address is ...etc". When I try to change the background, all the buttons are greyed out, and when I hit control alt delete the "task manager" button is also greyed out (my computer is set up so when I ctrl alt dlt I get taken to a screen with several options, one being task manager).
I also am getting tons of pop ups, many of which don't actually produce a page, but when I alt+tab I can see the internet page running in the background. (I know they pop up because the page I'm currently on gets deselected, annoying especially when I'm typing.)
And in my taskbar I have a red circle with a white X saying my computer is infected, and I have a yellow triangle producing little popups at the bottom saying my computer is infected.
Trying to do some clean up work, I deleted Spire inc., Netropa, Movtive, and e-zshopper from my program files, since I know those aren't mine.
Here is a HijackThis log (it looks nasty):
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:14:00 PM, on 9/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\TGFjaG93c2tp\command.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nusrmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\retadpu1000106.exe
C:\Program Files\Police Tactical Training\mezek22011.exe
C:\DOCUME~1\Brent\LOCALS~1\Temp\frmwrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link AirPlus\AIRPLUS.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brent\Desktop\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\nusrmgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo!
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {0A9B2F1D-FE26-49CC-BEA3-4F343EE2DE52} - C:\WINDOWS\system32\yayvw.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\A7F1DVPU.dll (file missing)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - tcprp.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: oembios32.msdn_hlp - {AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236} - C:\WINDOWS\system32\oembios32.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\nmtbneap.dll
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\mljkklj.dll (file missing)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661 AA4EBD86D67C56389B284534F310F3D1DC7E4638E8323A1580 6F97BDE4417E70CE7C0726B954E2C2832213329D26033AAC
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\pgfcrnxx.dll",forkonce
O4 - HKLM\..\Run: [mezek] C:\Program Files\Police Tactical Training\mezek22011.exe
O4 - HKLM\..\Run: [Windows Framework] C:\DOCUME~1\Brent\LOCALS~1\Temp\frmwrk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Brent\smss.exe
O4 - Global Startup: D-Link AirPlus Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resourc...scbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1129415681811
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1129415675021
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA07AF46-D412-4862-BDEA-A1EA2E2C44B6}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.114 85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.114 85.255.112.238
O20 - AppInit_DLLs:
O20 - Winlogon Notify: mljkklj - mljkklj.dll (file missing)
O20 - Winlogon Notify: yayvw - C:\WINDOWS\system32\yayvw.dll
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - C:\WINDOWS\system32\tvdhlom.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGFjaG93c2tp\command.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Brent/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg

--
End of file - 11981 bytes



If you guys can solve any of these problems, I will be extremely happy!!!
Thank you!


__________________
-Brent
#2
09-15-2007
chiaz
Senior Security Analyst
Join Date: Jun 2006
Location: Singapore
Posts: 2,502
PC Experience: PC Guru
Re: Big spyware problems

Hello.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


#3
09-15-2007
brent
Bronze Member
Join Date: Aug 2005
Posts: 61
Re: Big spyware problems

Hello Chiaz, thanks for your help.
Here is the SmitFraudFix txt, and another HJT log.
(I ran SUPERAntiSpyware, which found many things, but I couldn't figure out how to save a log.)

SmitFraudFix v2.224

Scan done at 6:27:04.35, Sat 09/15/2007
Run from C:\Documents and Settings\Brent\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\aim.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\D-Link AirPlus\AIRPLUS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\Tasks\At?.job FOUND !
C:\WINDOWS\Tasks\At??.job FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ace16win.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brent


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brent\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BRENT\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\patcher.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:/DOCUME~1/Brent/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg"
"SubscribedURL"="file:///C:/DOCUME~1/Brent/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg"
"FriendlyName"=""


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" "


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdhqp.exe"

kdhqp.exe detected !
use a Rootkit scanner


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Packet Scheduler Miniport
DNS Server Search Order: 85.255.115.114
DNS Server Search Order: 85.255.112.238

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Compact Wireless-G USB Adapter - Packet Scheduler Miniport
DNS Server Search Order: 85.255.115.114
DNS Server Search Order: 85.255.112.238

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FA07AF46-D412-4862-BDEA-A1EA2E2C44B6}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FA07AF46-D412-4862-BDEA-A1EA2E2C44B6}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FA07AF46-D412-4862-BDEA-A1EA2E2C44B6}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.115.114 85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.115.114 85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.115.114 85.255.112.238


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:31:26 AM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\aim.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\D-Link AirPlus\AIRPLUS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brent\Desktop\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo!
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {0A9B2F1D-FE26-49CC-BEA3-4F343EE2DE52} - C:\WINDOWS\system32\yayvw.dll (file missing)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - tcprp.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\pgfcrnxx.dll",forkonce
O4 - HKLM\..\Run: [mezek] C:\Program Files\Police Tactical Training\mezek22011.exe
O4 - HKLM\..\Run: [Windows Framework] C:\DOCUME~1\Brent\LOCALS~1\Temp\frmwrk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Brent\smss.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: D-Link AirPlus Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resourc...scbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1129415681811
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1129415675021
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.114 85.255.112.238
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.114 85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.114 85.255.112.238
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mljkklj - mljkklj.dll (file missing)
O20 - Winlogon Notify: yayvw - C:\WINDOWS\system32\yayvw.dll (file missing)
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - C:\WINDOWS\system32\tvdhlom.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Brent/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg

--
End of file - 10425 bytes


__________________
-Brent
  #4  
Old 09-15-2007
chiaz
Senior Security Analyst
 
Join Date: Jun 2006
Location: Singapore
Posts: 2,502
PC Experience: PC Guru
Default Re: Big spyware problems

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".


The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.


  #5  
Old 09-16-2007
brent
Bronze Member
 
Join Date: Aug 2005
Posts: 61
Default Re: Big spyware problems

A lot of my problems seem to be back to normal.

SmitFraudFix v2.224

Scan done at 12:32:45.89, Sun 09/16/2007
Run from C:\Documents and Settings\Brent\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\Tasks\At?.job Deleted
C:\WINDOWS\Tasks\At??.job Deleted
C:\WINDOWS\system32\ace16win.dll Deleted
C:\Program Files\patcher.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FA07AF46-D412-4862-BDEA-A1EA2E2C44B6}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FA07AF46-D412-4862-BDEA-A1EA2E2C44B6}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FA07AF46-D412-4862-BDEA-A1EA2E2C44B6}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.115.114 85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.115.114 85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.115.114 85.255.112.238


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdhqp.exe"

kdhqp.exe detected !
use a Rootkit scanner


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


__________________
-Brent
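The DNS section of the report above, together with the HijackThis O17 lines earlier in the thread, shows the same two resolver addresses set as a static NameServer on every adapter and in the global Tcpip\Parameters key, while the DHCP-assigned resolvers on one adapter are different. A statically configured resolver that overrides what DHCP hands out is exactly the setting a DNS-hijacking infection changes, and it has to be checked in every control set (CCS, CS1, CS2), since the other control sets hold the values Windows would fall back to under Last Known Good Configuration. The following Python script is an added example and is not part of the thread, HijackThis or SmitFraudFix: it parses both log formats, merges them by control set and adapter, and reports where NameServer differs from DhcpNameServer and which resolvers fall outside an allowlist you supply. The sample lines are copied from the logs posted above; the allowlist of expected resolvers is constructed from the DhcpNameServer values in the same report.

```python
import re
from collections import defaultdict

# Constructed sample input: two HijackThis O17 lines and four SmitFraudFix "DNS" lines,
# copied from the logs posted in this thread. Both formats are accepted by the parser.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.114 85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.115.114 85.255.112.238
"""

# Constructed allowlist: the resolvers DHCP handed out according to the report above.
# In practice this would be your ISP's or your own DNS servers.
EXPECTED_RESOLVERS = {"68.105.28.11", "68.105.29.11", "68.105.28.12"}

# Matches the HijackThis "O17 - " form and the bare SmitFraudFix form; IGNORECASE covers
# "System" vs "SYSTEM". Scope is either a per-adapter GUID or the global "Parameters" key.
LINE_RE = re.compile(
    r"^(?:O17 - )?HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<adapter>\{[0-9A-Fa-f-]+\})|Parameters):\s*"
    r"(?P<key>DhcpNameServer|NameServer)\s*=\s*(?P<value>.*)$",
    re.IGNORECASE,
)


def parse_dns_entries(text):
    """Return {(control_set, scope): {"NameServer": [...], "DhcpNameServer": [...]}}.

    Lines from both log formats are merged, so an adapter seen in a HijackThis O17
    line and again in a SmitFraudFix DNS line ends up as one record.
    """
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a DNS line (or not a format we recognise)
        scope = m.group("adapter") or "Parameters"
        key = "DhcpNameServer" if m.group("key").lower().startswith("dhcp") else "NameServer"
        # Values are comma-separated in the adapter keys and space-separated in Parameters.
        servers = [s for s in re.split(r"[,\s]+", m.group("value").strip()) if s]
        entries[(m.group("cset").upper(), scope)][key] = servers
    return dict(entries)


def find_dns_overrides(entries):
    """List every scope where a static NameServer overrides the DHCP-supplied resolvers."""
    findings = []
    for (cset, scope), keys in sorted(entries.items()):
        static, dhcp = keys.get("NameServer"), keys.get("DhcpNameServer")
        if static and dhcp and static != dhcp:
            findings.append({"control_set": cset, "scope": scope,
                             "static": static, "dhcp": dhcp})
    return findings


def unexpected_resolvers(entries, expected):
    """Sorted list of statically configured resolvers that are not on the allowlist."""
    seen = set()
    for keys in entries.values():
        seen.update(keys.get("NameServer", []))
    return sorted(ip for ip in seen if ip not in expected)


if __name__ == "__main__":
    parsed = parse_dns_entries(SAMPLE_LOG)
    for f in find_dns_overrides(parsed):
        print(f"{f['control_set']} {f['scope']}: static {f['static']} overrides DHCP {f['dhcp']}")
    print("resolvers outside allowlist:", unexpected_resolvers(parsed, EXPECTED_RESOLVERS))
```

On a full SmitFraudFix report the script lists each control set separately, which is what you want: a cleaned CCS with the old values still sitting in CS1 or CS2 is a reinfection waiting for the next Last Known Good boot. HijackThis only records NameServer, so the DhcpNameServer comparison needs the SmitFraudFix lines (or a registry export) alongside it; the allowlist check works on either log alone.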
  #6  
Old 09-16-2007
brent
Bronze Member
 
Join Date: Aug 2005
Posts: 61
Default Re: Big spyware problems

However, I still am unable to change my desktop (the buttons are all greyed out)...but besides that, everything seems to be running smoothly...Would you happen to know how to fix the computer freezing problem? (freezes every 1.5 seconds for about .3 seconds...makes watching videos and doing tasks frustrating)


__________________
-Brent
