  #1  
Old 09-15-2007
Bronze Member
 
Join Date: Aug 2005
Posts: 61
brent
Big spyware problems

First off I just want to say thanks to everybody on the site that helps people with their computer problems, such as myself. Anyway, to the problems.
About 2 weeks ago my computer started freezing about every 1.5 seconds for a quick, short amount of time (around .3 seconds). During the short freeze, under the task manager, my CPU usage spikes up to 100%.
Also, almost every time I log in I get a message saying "Buffer overrun detected! Program: C\windows\explorer.exe. A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated."
Today, I turned on the computer, went to dinner and came back to see my desktop changed to a black background with red writing saying "spyware detected, your ip address is ...etc". When I try to change the background, all the buttons are greyed out, and when I hit control alt delete the "task manager" button is also greyed out (my computer is set up so when I ctrl alt dlt I get taken to a screen with several options, one being task manager).
I also am getting tons of pop ups, many of which don't actually produce a page, but when I alt+tab, I can see the internet page running in the background. (I know they pop up because the page I'm currently on gets deselected, annoying especially when I'm typing.)
And in my taskbar, I have a red circle with a white X saying my computer is infected, and I have a yellow triangle producing little popups at the bottom saying my computer is infected.
Trying to do some clean up work, I deleted Spire inc., Netropa, Movtive, and e-zshopper from my programs files, since I know those aren't mine.
Here is a HijackThis log (it looks nasty):
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:14:00 PM, on 9/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\TGFjaG93c2tp\command.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nusrmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\retadpu1000106.exe
C:\Program Files\Police Tactical Training\mezek22011.exe
C:\DOCUME~1\Brent\LOCALS~1\Temp\frmwrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link AirPlus\AIRPLUS.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brent\Desktop\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\nusrmgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo!
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {0A9B2F1D-FE26-49CC-BEA3-4F343EE2DE52} - C:\WINDOWS\system32\yayvw.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\A7F1DVPU.dll (file missing)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - tcprp.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: oembios32.msdn_hlp - {AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236} - C:\WINDOWS\system32\oembios32.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\nmtbneap.dll
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\mljkklj.dll (file missing)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661 AA4EBD86D67C56389B284534F310F3D1DC7E4638E8323A1580 6F97BDE4417E70CE7C0726B954E2C2832213329D26033AAC
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\pgfcrnxx.dll",forkonce
O4 - HKLM\..\Run: [mezek] C:\Program Files\Police Tactical Training\mezek22011.exe
O4 - HKLM\..\Run: [Windows Framework] C:\DOCUME~1\Brent\LOCALS~1\Temp\frmwrk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Brent\smss.exe
O4 - Global Startup: D-Link AirPlus Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resourc...scbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1129415681811
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1129415675021
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA07AF46-D412-4862-BDEA-A1EA2E2C44B6}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.114 85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.114 85.255.112.238
O20 - AppInit_DLLs:
O20 - Winlogon Notify: mljkklj - mljkklj.dll (file missing)
O20 - Winlogon Notify: yayvw - C:\WINDOWS\system32\yayvw.dll
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - C:\WINDOWS\system32\tvdhlom.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGFjaG93c2tp\command.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Brent/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg

--
End of file - 11981 bytes



If you guys can solve any of these problems, I will be extremely happy!!!
Thank you!


__________________
-Brent
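A small triage helper for the O4 (Run) and O17 (NameServer) lines in the log above, added here as an example; it is not a tool from this thread and not part of HijackThis or SmitfraudFix. It assumes an allow-list of legitimate resolvers: the three 68.105.x.x addresses are the DHCP-assigned servers that the SmitfraudFix report later in the thread prints, and the sample lines are copied from the log above. It flags NameServer entries that point anywhere else (the 85.255.x.x pair SmitfraudFix later reports as a DNS hijack), Run entries that launch a file named like a core Windows process from outside the Windows system directories (the two smss.exe entries), and Run entries that launch anything from a Temp directory (frmwrk.exe).

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Core Windows process names that malware borrows for camouflage. A file with one of
# these names is only expected directly inside the directories listed in SYSTEM_DIRS.
CORE_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                      "lsass.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Assumed allow-list of legitimate resolvers: the DHCP-assigned servers that the
# SmitfraudFix report later in this thread prints. Anything else is treated as rogue.
EXPECTED_DNS = {"68.105.28.11", "68.105.29.11", "68.105.28.12"}

# Constructed sample input: seven lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Framework] C:\DOCUME~1\Brent\LOCALS~1\Temp\frmwrk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Brent\smss.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.114 85.255.112.238
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
# First drive-letter path ending in .exe, with or without surrounding quotes.
EXE_PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # "masquerade", "temp-autorun" or "dns-hijack"
    line: str    # the log line that produced the finding
    detail: str


def check_run_entry(line: str) -> Optional[Finding]:
    """Flag an O4 Run entry that launches a core-process name from a non-system
    directory, or that launches any executable from a Temp directory."""
    m = O4_RE.match(line)
    if not m:
        return None
    p = EXE_PATH_RE.search(m["cmd"])
    if not p:
        return None  # rundll32 hosts and bare names carry no path to judge here
    directory, base = ntpath.split(p["path"])
    if base.lower() in CORE_PROCESS_NAMES and directory.lower() not in SYSTEM_DIRS:
        return Finding("masquerade", line, f"{base} launched from {directory}")
    if "\\temp\\" in (directory.lower() + "\\"):
        return Finding("temp-autorun", line, f"autorun from a temporary directory: {p['path']}")
    return None


def check_nameserver_entry(line: str, expected: set) -> Optional[Finding]:
    """Flag an O17 NameServer entry that names any resolver outside the allow-list."""
    m = O17_RE.match(line)
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m["servers"].strip()) if s]
    rogue = [s for s in servers if s not in expected]
    if rogue:
        return Finding("dns-hijack", line,
                       f"unexpected resolvers {', '.join(rogue)} under {m['key']}")
    return None


def triage(log_text: str, expected_dns: set = EXPECTED_DNS) -> List[Finding]:
    """Run both checks over every non-empty line and collect findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for f in (check_run_entry(line), check_nameserver_entry(line, expected_dns)):
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run against the seven sample lines it reports five findings: frmwrk.exe starting from Temp, both smss.exe copies outside the system directories, and both NameServer entries pointing at 85.255.x.x. The directory comparison is exact on purpose: `C:\WINDOWS\system32\drivers` is not `C:\WINDOWS\system32`, which is precisely the kind of near-miss the autoload entry relies on.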
  #2  
Old 09-15-2007
chiaz's Avatar
Senior Security Analyst
 
Join Date: Jun 2006
Location: Singapore
Posts: 4,515
PC Experience: PC Guru
chiaz
Re: Big spyware problems

Hello.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


__________________
< Prework | PCHF Rules |
  #3  
Old 09-15-2007
Bronze Member
 
Join Date: Aug 2005
Posts: 61
brent
Re: Big spyware problems

Hello Chiaz, thanks for your help.
Here is the SmitfraudFix txt, and another HJT log
(I ran SUPERAntiSpyware, which found many things, but I couldn't figure out how to save a log)

SmitFraudFix v2.224

Scan done at 6:27:04.35, Sat 09/15/2007
Run from C:\Documents and Settings\Brent\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\aim.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\D-Link AirPlus\AIRPLUS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\Tasks\At?.job FOUND !
C:\WINDOWS\Tasks\At??.job FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ace16win.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brent


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brent\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BRENT\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\patcher.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:/DOCUME~1/Brent/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg"
"SubscribedURL"="file:///C:/DOCUME~1/Brent/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg"
"FriendlyName"=""


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" "


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdhqp.exe"

kdhqp.exe detected !
use a Rootkit scanner


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Packet Scheduler Miniport
DNS Server Search Order: 85.255.115.114
DNS Server Search Order: 85.255.112.238

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Compact Wireless-G USB Adapter - Packet Scheduler Miniport
DNS Server Search Order: 85.255.115.114
DNS Server Search Order: 85.255.112.238

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FA07AF46-D412-4862-BDEA-A1EA2E2C44B6}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FA07AF46-D412-4862-BDEA-A1EA2E2C44B6}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FA07AF46-D412-4862-BDEA-A1EA2E2C44B6}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.115.114 85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.115.114 85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.115.114 85.255.112.238


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End








Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:31:26 AM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\aim.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\D-Link AirPlus\AIRPLUS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brent\Desktop\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo!
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {0A9B2F1D-FE26-49CC-BEA3-4F343EE2DE52} - C:\WINDOWS\system32\yayvw.dll (file missing)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - tcprp.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\pgfcrnxx.dll",forkonce
O4 - HKLM\..\Run: [mezek] C:\Program Files\Police Tactical Training\mezek22011.exe
O4 - HKLM\..\Run: [Windows Framework] C:\DOCUME~1\Brent\LOCALS~1\Temp\frmwrk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Brent\smss.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: D-Link AirPlus Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resourc...scbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1129415681811
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1129415675021
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.114 85.255.112.238
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.114 85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.114 85.255.112.238
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mljkklj - mljkklj.dll (file missing)
O20 - Winlogon Notify: yayvw - C:\WINDOWS\system32\yayvw.dll (file missing)
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - C:\WINDOWS\system32\tvdhlom.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Brent/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg

--
End of file - 10425 bytes


__________________
-Brent
  #4  
Old 09-15-2007
chiaz
Senior Security Analyst
 
Join Date: Jun 2006
Location: Singapore
Posts: 4,515
PC Experience: PC Guru
Default Re: Big spyware problems

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".


The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.


__________________
< Prework | PCHF Rules |
  #5  
Old 09-16-2007
Bronze Member
 
Join Date: Aug 2005
Posts: 61
brent
Default Re: Big spyware problems

A lot of my problems seem to be back to normal.

SmitFraudFix v2.224

Scan done at 12:32:45.89, Sun 09/16/2007
Run from C:\Documents and Settings\Brent\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\Tasks\At?.job Deleted
C:\WINDOWS\Tasks\At??.job Deleted
C:\WINDOWS\system32\ace16win.dll Deleted
C:\Program Files\patcher.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FA07AF46-D412-4862-BDEA-A1EA2E2C44B6}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FA07AF46-D412-4862-BDEA-A1EA2E2C44B6}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{45844489-7DD6-44FA-BCC1-446992AD7184}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BC3AB536-63A5-4E05-B3FB-85E399202C85}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EFA3272C-897C-461D-91DC-BAAC56A29B47}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FA07AF46-D412-4862-BDEA-A1EA2E2C44B6}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.115.114 85.255.112.238
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.115.114 85.255.112.238
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.115.114 85.255.112.238


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdhqp.exe"

kdhqp.exe detected !
use a Rootkit scanner


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


__________________
-Brent
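The O17 entries in the HijackThis log and the DNS section of the SmitFraudFix report above show the same pattern on every interface: the DHCP-assigned resolvers (68.105.x.x) have been overridden by a static NameServer pair (85.255.115.114 / 85.255.112.238), and on some interfaces even the DhcpNameServer value carries the same pair. The following Python script is an added example, not part of this thread or of either tool: it parses both log formats (HijackThis `O17 - ...` lines and the bare `HKLM\SYSTEM\...` lines SmitFraudFix prints), accepts comma- or space-separated server lists as both logs use, and flags every key whose resolvers fall outside an expected set. When no expected set is supplied it uses the DhcpNameServer on the current control set's global `Tcpip\Parameters` key as the reference, on the assumption that this is what the real DHCP server handed out. The sample lines are copied from the logs in this thread; the function and variable names are my own.

```python
import re
from collections import defaultdict

# Matches both the HijackThis "O17 - ..." form and the bare "HKLM\SYSTEM\..."
# form of the SmitFraudFix DNS section. Control set is CCS or CSn; the scope
# is either an interface GUID or the global "Parameters" key.
LINE_RE = re.compile(
    r"^(?:O17 - )?HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\\{(?P<guid>[0-9A-Fa-f-]+)\}|(?P<params>Parameters)):\s*"
    r"(?P<name>DhcpNameServer|NameServer)\s*=\s*(?P<servers>.*)$",
    re.IGNORECASE,
)

# Constructed sample: a handful of lines copied from the HijackThis log and the
# SmitFraudFix report posted in this thread (both formats mixed on purpose).
SAMPLE_LINES = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: NameServer = 85.255.115.114,85.255.112.238
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.114 85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1E7850C6-FE05-41FE-A2B5-ADB7384C98CB}: DhcpNameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{254B31B0-B2DB-4480-B93F-A938972C04A1}: NameServer=85.255.115.114,85.255.112.238
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.115.114 85.255.112.238
"""


def parse_nameserver_lines(lines):
    """Map (control set, GUID-or-'PARAMETERS') -> {'static': [...], 'dhcp': [...]}.

    'static' is the NameServer value (an explicit override); 'dhcp' is the
    DhcpNameServer value (what the DHCP lease supplied). Lines that are not
    resolver entries are ignored, so a whole log can be fed in.
    """
    entries = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        scope = (m.group("guid") or m.group("params")).upper()
        kind = "dhcp" if m.group("name").lower() == "dhcpnameserver" else "static"
        # Both logs separate servers with either commas or spaces.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        entries[(m.group("cset").upper(), scope)][kind] = servers
    return dict(entries)


def find_rogue_resolvers(entries, expected=None):
    """Return one finding per registry value whose resolvers are not all in
    `expected`. Without an explicit `expected` set, the DhcpNameServer of the
    CCS global Parameters key is used as the reference (assumption: that value
    came from the legitimate DHCP server)."""
    if expected is None:
        expected = set(entries.get(("CCS", "PARAMETERS"), {}).get("dhcp", []))
    findings = []
    for (cset, scope), values in sorted(entries.items()):
        for kind in ("static", "dhcp"):
            servers = values.get(kind)
            if not servers:
                continue
            unexpected = sorted(set(servers) - expected)
            if unexpected:
                findings.append({
                    "control_set": cset,
                    "scope": scope,
                    "value": "NameServer" if kind == "static" else "DhcpNameServer",
                    "unexpected": unexpected,
                })
    return findings


def rogue_resolver_addresses(findings):
    """Distinct unexpected resolver addresses across all findings, sorted."""
    return sorted({addr for f in findings for addr in f["unexpected"]})


def scan(text, expected=None):
    """Convenience wrapper: raw log text in, findings out."""
    return find_rogue_resolvers(parse_nameserver_lines(text.splitlines()), expected)


if __name__ == "__main__":
    results = scan(SAMPLE_LINES)
    for f in results:
        print(f"{f['control_set']}\\{f['scope']}: {f['value']} -> {', '.join(f['unexpected'])}")
    print("rogue resolvers:", rogue_resolver_addresses(results))
```

On the sample above the reference set is the three 68.105.x.x addresses, so every NameServer value is reported, and so is the DhcpNameServer on the first interface, which carries the 85.255.x.x pair instead of the lease-supplied servers. That last case is why comparing against a known-good set is more useful than only comparing static against DHCP on the same interface: when both values on an interface match each other, a per-interface diff would stay silent.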
  #6  
Old 09-16-2007
Bronze Member
 
Join Date: Aug 2005
Posts: 61
brent
Default Re: Big spyware problems

However, I still am unable to change my desktop (the buttons are all greyed out)...but besides that, everything seems to be running smoothly...Would you happen to know how to fix the computer freezing problem? (freezes every 1.5 seconds for about .3 seconds...makes watching videos and doing tasks frustrating)


__________________
-Brent
  #7  
Old 09-16-2007
chiaz
Senior Security Analyst
 
Join Date: Jun 2006
Location: Singapore
Posts: 4,515
PC Experience: PC Guru
Default Re: Big spyware problems

Not everything is really cleaned up.

You still have a rootkit, and possibly more on the computer. Your computer is and always will be at risk because of this rootkit. I cannot guarantee that everything will get cleaned out.

Rootkits are extremely hard to detect, and just as hard to clean out. You have to think that from this point forward, you can't trust your computer.


IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:
  • The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
  • The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. In this case, I can't distinguish the variety yet - so we may succeed.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
While you are deciding whether to ReFormat and Re-Install, a useful link is below:
broadband help » Security 1. General Questions


Let me know what you decide.


__________________
< Prework | PCHF Rules |