Piriform Community Forums > Loss of privileges?

Piriform Community Forums > Computer Help and Discussion > Spyware Hell

scotiabahn

Sep 27 2007, 09:35 PM

Something new going on here..

My last problem a month or so back I managed to sort simply following the Malware Removal guide, but no such luck this time round.

I can't bring up task manager and get an alert 'task manager has been disabled by your administrator' when I use ctrl/alt/del and no better when i try 'taskmgr' from the Run command box

Control Panel has vanished from my 'start' list (which is particularly scary) and I can't get into Program Access and Defaults

Not sure what's going on, but I got a few weird popups while I was surfing at one point this afternoon, including a voice telling me that they could help me make money on the property market... That was when I worked out I might have a problem

Anyhow... I've worked my way through the standard list and here are the logs:-

First off, Bitdefender

BitDefender Online Scanner - Real Time Virus Report

Generated at: Thu, Sep 27, 2007 - 19:27:00

--------------------------------------------------------------------------------

Scan Info

Scanned Files
290292

Infected Files
1

Virus Detected

Win32.Bagle.M@mm
1

--------------------------------------------------------------------------------

This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.

Next is SuperAntiSpyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/27/2007 at 08:19 PM

Application Version : 3.9.1008

Core Rules Database Version : 3314
Trace Rules Database Version: 1316

Scan type : Complete Scan
Total Scan Time : 00:46:48

Memory items scanned : 417
Memory threats detected : 0
Registry items scanned : 5820
Registry threats detected : 0
File items scanned : 38356
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\family\Cookies\family@ads.techguy[2].txt

Trojan.Downloader-Gen/NoMultiTask
C:\SYSTEM VOLUME INFORMATION\_RESTORE{04DDD082-6064-4FF5-8FE3-6677C6AA6555}\RP191\A0049180.DLL

And now for AVG anti-spyware

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:02:23 27/09/2007

+ Scan result:

HKU\S-1-5-21-1343024091-838170752-682003330-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A82BE883-EE51-4FAB-85B4-9432C6056673} -> Adware.VipSearcher : Cleaned.
C:\WINDOWS\system32\Tools\Restart.exe -> Not-A-Virus.Tool.Win32.RestartCounter : Cleaned.
C:\Documents and Settings\family\Cookies\family@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.

::Report end

and the usual finish, HijackThis...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:21:14, on 27/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.amazon.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://magnet.2020.net/virtualplanner/Core...yerAX_Win32.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: KHENXBCNCVHMWZNN - Unknown owner - C:\DOCUME~1\family\LOCALS~1\Temp\KHENXBCNCVHMWZNN.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

--
End of file - 7521 bytes

Any suggestions on how I get out of this would be much appreciated...

Thanks.

AndyManchesta

Sep 28 2007, 07:17 AM

Hi scotiabahn,

There's not really much showing there to explain the problems but we can start with afew scans to have a closer look, regarding TaskManager and the lack of Control Panel etc.. that will likely just be policy restrictions that have been added so that part should be simple enough to fix but its worth making sure there's no trojans first so the damage doesnt keep being done, BitDefenders detection of bagle is a concern as thats a particularly nasty worm that can add a rootkit to hide files and also cause damage to prevent you booting into safe mode as well as deleting files from Antivirus programs as soon as they open but as the scan report doesnt show where the file is its difficult to know for sure if it is bagle or not,

Run HijackThis and choose Do A System Scan then place a check next to these entries

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe

Close all open browser and other windows except for HijackThis and press the Fix Checked button

Goto Start > Run > then type or copy and paste

sc delete KHENXBCNCVHMWZNN

Press OK and you will just notice the cmd screen flash on then off again and the service will be removed

Open Notepad (Start Menu > Run > Type notepad and press OK)

Copy and Paste the contents of the code box into Notepad

CODE

regedit.exe /e checkreg1.txt "HKEY_CURRENT_USER\Software\Policies\Microsoft"
regedit.exe /e checkreg2.txt "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft"
regedit.exe /e checkreg3.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit.exe /e checkreg4.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies"
TYPE checkreg*.txt >> Result.txt
del /q Checkreg*.txt

Goto File on the top bar and choose Save As, Change the Save As Type to All Files, Name it Check.bat then save it to your desktop

Double click Check.bat and it will export the information from the registry and save it to a text file named Result.txt which will save to the desktop, please attach that text file into your next reply. To attach a file to a new post, click browse under the reply window and locate the Result.txt from your desktop then click Upload

Download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running as it may cause it to stall

Please then post back the Combofix log, the policy keys export and anew HijackThis log

Cheers

scotiabahn

Sep 28 2007, 08:28 AM

Hi Andy!

Thanks for your help... again... although I have managed to sort out a few things on my own from what I learnt the last time around...

Anyway... here's the next batch of scans...

Ran the HJT as requested, and it reset my home page to MSN.com... hardly a favourite but even I can change that once the rest is sorted

Did the delete...

Did Check.bat and I've uploaded the file as described...

Here's the Combofix log...

ComboFix 07-09-21.2 - "family" 2007-09-28 9:04:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.522 [GMT 1:00]
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-28 )))))))))))))))))))))))))))))))
.

2007-09-28 09:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 17:47 2,660 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-27 17:46 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-27 17:46 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-27 17:46 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-27 17:46 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-27 16:11 1,536 --a------ C:\WINDOWS\system32\stdole32.dat
2007-09-07 14:08 <DIR> d-------- C:\Program Files\Paint.NET
2007-09-07 11:47 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-09-07 11:41 <DIR> d-------- C:\db6017ddf52684e072ba3754
2007-09-07 11:16 <DIR> d-------- C:\Program Files\MSBuild
2007-09-07 11:11 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-09-07 11:10 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-09-07 11:10 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-09-07 10:28 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-09-07 10:28 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-09-07 10:28 <DIR> d-------- C:\Program Files\Picasa2
2007-09-05 19:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-05 18:15 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-05 15:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-05 15:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-05 15:47 <DIR> d-------- C:\DOCUME~1\family\APPLIC~1\SUPERAntiSpyware.com
2007-09-05 15:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-05 14:14 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-08-28 17:57 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-08-28 17:57 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-28 17:56 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 22:08 --------- d-------- C:\Program Files\SpywareBlaster
2007-09-25 20:47 --------- d-------- C:\Program Files\Microsoft Money
2007-09-07 14:02 --------- d-------- C:\Program Files\ZipCentral
2007-09-07 10:28 --------- d-------- C:\Program Files\Google
2007-08-28 17:58 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-08-28 17:57 --------- d-------- C:\Program Files\Motorola Phone Tools
2007-08-28 17:54 --------- d-------- C:\Program Files\Avanquest update
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRSTITL.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRSTEXT.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRSSTMP.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRSSPEC.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRSSCRP.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRSREH_.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRSMET_.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRSCHOR.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRS____.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSTEXT.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSSE__.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSS___.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSROMC.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSPC__.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSP___.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSO___.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSNN__.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSM___.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSJAPC.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSFS__.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSFBE_.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSFB__.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSCSC_.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSCS__.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSC___.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUS____.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\INKPEN2_.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\INK2TEXT.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\INK2SPEC.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\INK2SCRI.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\INK2METR.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\INK2CHOR.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\HELST___.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\HELSS___.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\HELSM___.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\HELSINKI.FOT
2007-03-20 16:27 9232 --a------ C:\DOCUME~1\family\mqdmmdfl.sys
2007-03-20 16:27 92064 --a------ C:\DOCUME~1\family\mqdmmdm.sys
2007-03-20 16:27 79328 --a------ C:\DOCUME~1\family\mqdmserd.sys
2007-03-20 16:27 66656 --a------ C:\DOCUME~1\family\mqdmbus.sys
2007-03-20 16:27 6208 --a------ C:\DOCUME~1\family\mqdmcmnt.sys
2007-03-20 16:27 5936 --a------ C:\DOCUME~1\family\mqdmwhnt.sys
2007-03-20 16:27 4048 --a------ C:\DOCUME~1\family\mqdmcr.sys
2007-03-20 16:27 25600 --a------ C:\DOCUME~1\family\usbsermptxp.sys
2007-03-20 16:27 22768 --a------ C:\DOCUME~1\family\usbsermpt.sys
2007-01-28 11:54 557056 --a------ C:\DOCUME~1\family\GoToAssist_phone__319_en.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 09:51]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 18:35]
"nwiz"="nwiz.exe" [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 09:50]
"Cmaudio"="cmicnfg.cpl" []
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-11-30 11:51]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-14 09:02]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

.
Contents of the 'Scheduled Tasks' folder
"2007-09-21 11:00:00 C:\WINDOWS\Tasks\main backup.job"
- C:\WINDOWS\system32\ntbackup.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-28 09:10:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\TEMP

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-09-28 9:14:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-28 09:14
C:\ComboFix2.txt ... 2007-09-05 13:16
.
--- E O F ---

And a new HJT log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:19:33, on 28/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.amazon.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://magnet.2020.net/virtualplanner/Core...yerAX_Win32.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

--
End of file - 7286 bytes

And after that little lot, I have task manager and control panel back, and no nasty privilege messages anywhere that I had yesterday...

Has that sorted it?

Steve

AndyManchesta

Oct 5 2007, 01:23 PM

Hi Steve, thanks for your patience

Im sorry I didnt reply sooner but my ISP has been having some problems so Ive not had any Internet connection at home since last Friday and Ive been too busy with work to look for any alternative ways of getting online, I now have just over 200 emails to work through but Im hoping most are spam to make it easier to catch up

Can you repeat the policy key export and upload it again, its still showing alot of restrictive entries present but with you saying you can now access the Control Panel I'm not sure if that export was taken then one of the tools removed the policy values or if they still exist so a fresh export would make it clearer and we can easily remove any that remain

Thanks

Andy

scotiabahn

Oct 5 2007, 02:15 PM

Ok, I've rerun the check.bat export again. I've renamed the new result.txt as result2 to avoid confusion on the log here...

Thanks.

AndyManchesta

Oct 5 2007, 02:47 PM

Thanks Steve

That new export is fine so one of the tools you used earlier would of removed the restrictive policy values that were causing problems earlier, can you run a couple more scans when you have the time to make sure that Bagle worm detection from BitDefender wasn't accurate or if it was accurate to make sure it didnt run on your system as that worm can cause alot of problems, its not showing any signs in the Combofix log but its best to double check especially as BitDefender's results didn't show where it detected the file or what its name was

Run Kaspersky WebScanner

Please go HERE and click Kaspersky Online Scanner
Read and Accept the Agreement
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
If you see a Windows [dialog asking if you want to install this software, click the Install button.
The program will launch and then begin downloading the latest definition files,
When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.

Download Blacklight beta HERE and save it to your desktop.
Run the program, accept statement > click next then scan
When its finished scanning exit the program and post back the log if it detects hidden files, The log is called 'fsbl-<date/time>.log' which will save to the same location as the fsbl.exe file.

Assuming the Kaspersky scan shows clear and Blacklight doesn't find any hidden files then Id just suggest reading Tony Klein's excellent article below to help avoid futher infections:
So how did I get Infected in the First Place?

If Kaspersky does find infections though or if Blacklight finds any hidden files please post back the logs and we can take it from there.

Cheers

Andy

scotiabahn

Oct 5 2007, 05:07 PM

Kaspersky took a fair while and it found a few things so I'll post the log from that then go play with t'other one...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, October 05, 2007 6:03:21 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 5/10/2007
Kaspersky Anti-Virus database records: 427842
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 93097
Number of viruses found: 2
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 01:31:16

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\891104db49c388d99c18d9cb7b1ea7a0_9226631d-4f46-4a75-ba66-276481b58a62 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fe90735e35b8edaa78f7abc6fb860a01_9226631d-4f46-4a75-ba66-276481b58a62 Object is locked skipped
C:\Documents and Settings\family\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\family\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\family\Local Settings\Application Data\Identities\{66817EC6-B13A-41D7-A011-359FB3B8EE51}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\family\Local Settings\Application Data\Identities\{66817EC6-B13A-41D7-A011-359FB3B8EE51}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\family\Local Settings\Application Data\Identities\{66817EC6-B13A-41D7-A011-359FB3B8EE51}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\family\Local Settings\Application Data\Identities\{66817EC6-B13A-41D7-A011-359FB3B8EE51}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\family\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\family\Local Settings\History\History.IE5\MSHist012007100520071006\index.dat Object is locked skipped
C:\Documents and Settings\family\Local Settings\Temp\Perflib_Perfdata_d94.dat Object is locked skipped
C:\Documents and Settings\family\Local Settings\Temp\~DF46E9.tmp Object is locked skipped
C:\Documents and Settings\family\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\family\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\family\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Download\adaware\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Download\adaware\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Download\adaware\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Download\adaware\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_family.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_family.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\GIPS.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_family.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\p2pce.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\voice.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\YSDP.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\YSIP.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{04DDD082-6064-4FF5-8FE3-6677C6AA6555}\RP200\A0052612.exe Object is locked skipped
C:\System Volume Information\_restore{04DDD082-6064-4FF5-8FE3-6677C6AA6555}\RP200\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Motive\btbb\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
C:\WINDOWS\Motive\btbb\UninstallHelper.exe/WISE0004.BIN Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
C:\WINDOWS\Motive\btbb\UninstallHelper.exe WiseSFX: infected - 1 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{B552B82B-8265-44B4-B218-6D08E7B955CA}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{04DDD082-6064-4FF5-8FE3-6677C6AA6555}\RP200\change.log Object is locked skipped

Scan process completed.

scotiabahn

Oct 5 2007, 05:12 PM

having a problem with blacklight beta....

graphical user interface version tells me it's out of evaluation period...

command line version blinks and vanishes when run...

suggestions?

AndyManchesta

Oct 5 2007, 11:32 PM

Thanks for letting me know about the Blacklight error, they had kept extending the beta when it expired but it looks like it may only be available in the Internet Security Suite now,

Use one of these below when you have the time but with Kaspersky not finding problems, the BitDefender detection for Bagle was possibly just for an email attachment as your logs look fine,

http://research.pandasecurity.com/archive/...rsion-1.07.aspx
http://www.grisoft.com/doc/products-avg-an...ootkit/us/crp/6
http://vil.nai.com/vil/stinger/rkstinger.aspx
http://www.trendmicro.com/download/rbuster.asp
http://www.sophos.com/products/free-tools/...otkit/download/

Kaspersky detected a file that Smitfraudfix uses to restart the PC and detected a file from your ISP which is used if its uninstalling or updating so that's fine to ignore, let me know if there's any remaining problems though or if the rootkit scan find any hidden files

Cheers

scotiabahn

Oct 7 2007, 03:07 PM

I've used AVG Rootkit scanner and it's found one hidden file. Rather than just remove it, I thought I'd log the report here first - it looks innocent enough, but what do I know

As there didn't seem to be a save function, I've copied the screen to a jpg and uloaded it - hope that works...

AndyManchesta

Oct 10 2007, 10:29 PM

Hi Steve,

Id agree it looks innocent enough as its a Microsoft file, can you check if you can locate the file or if it is hidden by going to Start > Run > then copy/paste

C:\WINDOWS\system32\drivers\

Press OK then right click an empty space in the drivers folder and click Arrange Icons By > Name and check for the sysaudio.sys file, if you find it right click the file and choose Properties then the Version tab and it should show System Audio WDM Filter as the description and Microsoft as the company.

Cheers

scotiabahn

Oct 11 2007, 08:09 AM

QUOTE(AndyManchesta @ Oct 10 2007, 11:29 PM)

Yes, it is that version - looks like we're sorted.

Many thanks

Steve

AndyManchesta

Oct 17 2007, 02:02 PM

Cheers Steve,

Let us know if you have more problems anytime

Happy Surfing

Andy

scotiabahn

Nov 20 2007, 10:02 AM

I would normally start a new topic, but I've basically got the same problem as before - loss of provileges and task manager. I've been trying to follow through with the previous guidance but I'm having a problem with CombiFix which I think was the big killer last time around. I've deleted the old version from my desktop and tried downloading it from various sources but every time I run it, it tells me I need a new version. Can anyone tell if there is a new version anywhere or what I should try instead?

Thanks.

AndyManchesta

Nov 20 2007, 10:48 AM

Hi Steve,

Combofix cannot be used for the time being due to the expiry date that is written into the tool, the developer will have to release a newer version for it to run correctly so until that happens you will need to use other tools, if the restrictions have returned then its likely the system has been reinfected so its best to start by posting a HijackThis log so we can see if anything new is showing then we can clean things up either manually or by using other programs.

Cheers

scotiabahn

Nov 20 2007, 10:57 AM

QUOTE(AndyManchesta @ Nov 20 2007, 10:48 AM)

Bother...

That's a real shame, that was very useful...

OK, I'll get on to the HJT as soon as my current SuperAntiSpyware run is complete...

Thanks, Andy, I'll be back later...

AndyManchesta

Nov 20 2007, 11:02 AM

Yeah it is a shame but hopefully it will not be for long, sUBs must be busy or unable to get online but Im sure he will get CF updated when he can, when you post the HJT log can you also post a Smitfraudfix report to see if that shows any problems. Im sure you've used it plenty of times but here's the setup instructions if needed

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Thanks

scotiabahn

Nov 20 2007, 11:45 AM

Here's HijackThis... now I'll go play with SmitFraud...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:34, on 20/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [clkhost] C:\WINDOWS\xlaherx.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = ?
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.amazon.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://magnet.2020.net/virtualplanner/Core...yerAX_Win32.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sol629.txt
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

--
End of file - 7490 bytes

and here's the SMitFraudFix...

Scan done at 11:47:42.28, 20/11/2007
Run from C:\Documents and Settings\family\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

192.168.200.3 download.microsoft.com
192.168.200.3 downloads.microsoft.com
192.168.200.3 go.microsoft.com
192.168.200.3 microsoft.com
192.168.200.3 msdn.microsoft.com
192.168.200.3 office.microsoft.com
192.168.200.3 support.microsoft.com
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 www.microsoft.com
192.168.200.3 pandasoftware.com
192.168.200.3 www.pandasoftware.com

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\family

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\family\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\sol629.txt"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

AndyManchesta

Nov 20 2007, 02:43 PM

Thanks Steve,

You should print out these instructions, or copy them to a Notepad file and save it to your desktop for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Download HostXpert from here

http://www.funkytoad.com/download/HostsXpert.zip

Extract the folder but no need to use it yet as its likely the hosts file will be modified again while the trojans are still running.

Run HijackThis and choose Do A System Scan then place a check next to these entries

O4 - HKLM\..\Run: [clkhost] C:\WINDOWS\xlaherx.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\sol629.txt

Close all open browser and other windows except for HijackThis and press the Fix Checked button

Click Config... in the bottom right corner of hijackthis and click Misc Tools (Or reopen HijackThis and click Open the Misc tools section)

Then click Delete a file on reboot

In the File Name field, copy and paste this:

C:\WINDOWS\system32\sol629.txt

Then click Open

Hijackthis will tell you that this file will be deleted when the system reboots and ask you if you want to reboot now. Click Yes

Your system should then reboot

Please reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt

Next Open the HostsXpert program and click Restore MS Hosts File and OK at the prompt, you can then exit the program (If you use any protective Hosts files such as HpHosts or MVPs Hosts then these will need to be reinstalled, HostsXpert does have an download Option though to allow either of those hosts files to be added)

Download Deckard's System Scanner (DSS) to your Desktop.

**Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt back on here. Please also attach extra.txt to your post.

To attach a file to a new post, click browse under the reply window and copy and paste this into it C:\Deckard\System Scanner\extra.txt then click Upload

Let me know if you have any problems and if you still cannot access Task Manager or Control Panel etc.. after using SmitFraudfix then please also upload a policy key export which we used earlier in this topic

Thanks

scotiabahn

Nov 20 2007, 03:09 PM

that sounds a bit fiddly... probably worth giving it my undivided attention this evening rather than trying to do it piecemeal at the moment...

Thanks, Andy - I'll get back to you with the results in due course...

AndyManchesta

Nov 20 2007, 03:14 PM

That sounds good to me as Im about to go out for afew hours

The steps should be simple enough but just let me know if you have any problems or questions and I'd be happy to help if I can

Cheers

scotiabahn

Nov 20 2007, 07:37 PM

OK, first things first... followed the instructions and here's the first lot of results...

the SmitFraudFix output from rapport.txt

SmitFraudFix v2.253

Scan done at 18:11:52.67, 20/11/2007
Run from C:\Documents and Settings\family\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

192.168.200.3 ad.doubleclick.net
192.168.200.3 ad.fastclick.net
192.168.200.3 ads.fastclick.net
192.168.200.3 ar.atwola.com
192.168.200.3 atdmt.com
192.168.200.3 avp.ch
192.168.200.3 avp.com
192.168.200.3 avp.ru
192.168.200.3 awaps.net
192.168.200.3 banner.fastclick.net
192.168.200.3 banners.fastclick.net
192.168.200.3 ca.com
192.168.200.3 click.atdmt.com
192.168.200.3 clicks.atdmt.com
192.168.200.3 customer.symantec.com
192.168.200.3 dispatch.mcafee.com
192.168.200.3 download.mcafee.com
192.168.200.3 downloads-us1.kaspersky-labs.com
192.168.200.3 downloads-us2.kaspersky-labs.com
192.168.200.3 downloads-us3.kaspersky-labs.com
192.168.200.3 downloads1.kaspersky-labs.com
192.168.200.3 downloads2.kaspersky-labs.com
192.168.200.3 downloads3.kaspersky-labs.com
192.168.200.3 downloads4.kaspersky-labs.com
192.168.200.3 engine.awaps.net
192.168.200.3 f-secure.com
192.168.200.3 fastclick.net
192.168.200.3 ftp.avp.ch
192.168.200.3 ftp.downloads1.kaspersky-labs.com
192.168.200.3 ftp.downloads2.kaspersky-labs.com
192.168.200.3 ftp.downloads3.kaspersky-labs.com
192.168.200.3 ftp.f-secure.com
192.168.200.3 ftp.kasperskylab.ru
192.168.200.3 ftp.sophos.com
192.168.200.3 ids.kaspersky-labs.com
192.168.200.3 kaspersky-labs.com
192.168.200.3 kaspersky.com
192.168.200.3 liveupdate.symantec.com
192.168.200.3 liveupdate.symantecliveupdate.com
192.168.200.3 mast.mcafee.com
192.168.200.3 mcafee.com
192.168.200.3 media.fastclick.net
192.168.200.3 my-etrust.com
192.168.200.3 nai.com
192.168.200.3 networkassociates.com
192.168.200.3 norton.com
192.168.200.3 phx.corporate-ir.net
192.168.200.3 rads.mcafee.com
192.168.200.3 secure.nai.com
192.168.200.3 securityresponse.symantec.com
192.168.200.3 service1.symantec.com
192.168.200.3 sophos.com
192.168.200.3 spd.atdmt.com
192.168.200.3 symantec.com
192.168.200.3 trendmicro.com
192.168.200.3 update.symantec.com
192.168.200.3 updates.symantec.com
192.168.200.3 updates1.kaspersky-labs.com
192.168.200.3 updates2.kaspersky-labs.com
192.168.200.3 updates3.kaspersky-labs.com
192.168.200.3 updates4.kaspersky-labs.com
192.168.200.3 updates5.kaspersky-labs.com
192.168.200.3 us.mcafee.com
192.168.200.3 vil.nai.com
192.168.200.3 viruslist.com
192.168.200.3 viruslist.ru
192.168.200.3 virusscan.jotti.org
192.168.200.3 virustotal.com
192.168.200.3 www.avp.ch
192.168.200.3 www.avp.com
192.168.200.3 www.avp.ru
192.168.200.3 www.awaps.net
192.168.200.3 www.ca.com
192.168.200.3 www.f-secure.com
192.168.200.3 www.fastclick.net
192.168.200.3 www.grisoft.com
192.168.200.3 www.kaspersky-labs.com
192.168.200.3 www.kaspersky.com
192.168.200.3 www.kaspersky.ru
192.168.200.3 www.mcafee.com
192.168.200.3 www.my-etrust.com
192.168.200.3 www.nai.com
192.168.200.3 www.networkassociates.com
192.168.200.3 www.sophos.com
192.168.200.3 www.symantec.com
192.168.200.3 www.symantec.com
192.168.200.3 www.trendmicro.com
192.168.200.3 www.viruslist.com
192.168.200.3 www.viruslist.ru
192.168.200.3 www.virustotal.com
192.168.200.3 www3.ca.com

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Next...
the DSS output from main.txt

Deckard's System Scanner v20071014.68
Run by family on 2007-11-20 19:21:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 2 Restore Point(s) --
2: 2007-11-20 19:21:33 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2007-11-20 10:30:31 UTC - RP1 - System Checkpoint

Performed disk cleanup.

-- HijackThis (run as family.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:22:02, on 20/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\family\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\family.exe

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.amazon.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://magnet.2020.net/virtualplanner/Core...yerAX_Win32.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sol629.txt
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

--
End of file - 7296 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20070905-190928-952 O20 - AppInit_DLLs: C:\WINDOWS\system32\hanonvt.ini
backup-20070927-173227-841 O20 - AppInit_DLLs: C:\WINDOWS\system32\stdole32.dat
backup-20070927-173247-173 O20 - AppInit_DLLs: C:\WINDOWS\system32\stdole32.dat
backup-20070927-173727-601 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20070927-173727-683 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20070927-173746-664 O20 - AppInit_DLLs: C:\WINDOWS\system32\stdole32.dat
backup-20070927-221050-371 O20 - AppInit_DLLs: C:\WINDOWS\system32\stdole32.dat
backup-20070928-085839-274 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20070928-085839-568 F2 - REG:system.ini: Shell=Explorer.exe
backup-20070928-085916-355 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20071001-145419-303 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
backup-20071001-145419-478 O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
backup-20071001-145419-576 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20071004-100119-161 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20071004-100119-795 O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
backup-20071019-170423-702 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
backup-20071019-170423-860 O2 - BHO: Adsense Helper Object - {18FA53D3-B7A8-4309-8045-D43D6AA2DCE9} - C:\Program Files\Adsense Helper Object\aho.v5.dll
backup-20071019-170423-880 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20071019-170423-911 O4 - HKLM\..\Run: [smgr] mgrs.exe
backup-20071030-151127-311 O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll
backup-20071030-151127-330 O20 - AppInit_DLLs: C:\WINDOWS\system32\skuns.dat
backup-20071030-151127-531 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
backup-20071030-151127-677 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20071030-154426-100 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
backup-20071030-154426-245 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20071030-154427-832 O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll (file missing)
backup-20071030-165725-745 O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
backup-20071030-165725-890 O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
backup-20071120-090156-529 O20 - AppInit_DLLs: C:\WINDOWS\system32\sol629.txt
backup-20071120-090156-621 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
backup-20071120-090156-831 O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll
backup-20071120-090156-842 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20071120-090247-879 O20 - AppInit_DLLs: C:\WINDOWS\system32\sol629.txt
backup-20071120-102511-606 O4 - Startup: infos.exe
backup-20071120-102606-606 O4 - Global Startup: autos.exe
backup-20071120-102623-455 O20 - AppInit_DLLs: C:\WINDOWS\system32\sol629.txt
backup-20071120-112118-237 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
backup-20071120-112118-412 O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll (file missing)
backup-20071120-112118-445 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20071120-112119-185 O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
backup-20071120-112119-274 O4 - Startup: infos.exe
backup-20071120-112119-286 O4 - Global Startup: autos.exe
backup-20071120-112149-926 O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
backup-20071120-180341-419 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20071120-180341-764 O4 - HKLM\..\Run: [clkhost] C:\WINDOWS\xlaherx.exe
backup-20071120-180341-815 O20 - AppInit_DLLs: C:\WINDOWS\system32\sol629.txt

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sisidex - c:\windows\system32\drivers\sisidex.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R0 sisperf (Add Performance Filter Driver) - c:\windows\system32\drivers\sisperf.sys <Not Verified; Silicon Integrated Systems Corp.; SiS Filer Driver>
R1 Ndcprtns - c:\windows\system32\drivers\ndcprtns.sys <Not Verified; Neesus Datacom Inc.; >
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 HCW848NT (Hauppauge Win/TV) - c:\windows\system32\drivers\hcw848nt.sys <Not Verified; Hauppauge Computer Works; WinTV>
R3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
R3 rtl8180 (Belkin 11Mbps Wireless Desktop Network Card Driver) - c:\windows\system32\drivers\bel6001.sys <Not Verified; Belkin Corporation; Belkin 11Mbps Wireless Desktop Network Card>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 AMDPCI - c:\docume~1\family\locals~1\temp\amdpci.sys (file missing)
S3 catchme - c:\docume~1\family\locals~1\temp\catchme.sys (file missing)
S3 CW10 (Belkin 11Mbps Wireless Win2K Driver) - c:\windows\system32\drivers\cw10.sys <Not Verified; Accton Technology Corporation; PRISM 802.11 Wireless LAN Adapter Driver>
S3 fsbl-standalone (F-Secure BlackLight Beta Engine Driver) - c:\docume~1\family\locals~1\temp\f-secure\blacklight\fsbldrv.sys (file missing)
S3 MEMSWEEP2 - c:\windows\system32\72.tmp (file missing)
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 pnicml - c:\docume~1\family\locals~1\temp\pnicml.sys (file missing)
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Wireless Adapter Configurator - c:\program files\bt home hub\wireless configuration\wirelessdaemon.exe <Not Verified; Tech Mahindra- PUNE; MBT- PUNE WirelessDaemon>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-11-16 12:00:00 1036 --a------ C:\WINDOWS\Tasks\main backup.job

-- Files created between 2007-10-20 and 2007-11-20 -----------------------------

2007-11-20 10:37:16 0 d-------- C:\Documents and Settings\family\Application Data\Uniblue
2007-11-20 10:37:10 0 d-------- C:\Program Files\Uniblue

-- Find3M Report ---------------------------------------------------------------

2007-11-20 18:11:58 2844 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-20 18:02:10 0 d-------- C:\Program Files\ZipCentral
2007-11-20 14:43:48 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-20 10:23:27 0 d-------- C:\Documents and Settings\family\Application Data\AVG7
2007-11-19 20:44:48 0 d-------- C:\Program Files\Microsoft Money
2007-11-18 09:57:33 0 d-------- C:\Program Files\Common Files\Motive
2007-11-16 13:46:15 0 d-------- C:\Documents and Settings\family\Application Data\Macromedia
2007-11-09 07:00:11 0 d-------- C:\Program Files\SpywareBlaster
2007-10-19 16:04:50 0 d-------- C:\Program Files\Adsense Helper Object
2007-10-15 19:25:06 16 --a------ C:\WINDOWS\popcinfo.dat
2007-10-03 16:33:57 0 d-------- C:\Program Files\Virgin Media Games
2007-10-03 16:33:57 0 d-------- C:\Program Files\Common Files
2007-10-03 16:33:57 0 d-------- C:\Program Files\Common Files\Oberon Media
2007-09-28 19:19:38 0 d-------- C:\Program Files\Motorola Phone Tools

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [03/06/2004 08:51]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [08/12/2003 17:35]
"nwiz"="nwiz.exe" [22/10/2006 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22/10/2006 12:22]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [03/06/2004 08:50]
"Cmaudio"="cmicnfg.cpl" []
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [30/11/2006 10:51]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [22/10/2006 12:22]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [23/10/2007 09:02]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 19:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/09/2006 14:57]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [26/05/2007 20:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 07:56]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [27/03/2007 14:22]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [21/06/2007 13:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\sol629.txt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2007-11-20 19:22:39 ------------

And I've attached the 'extra.txt' file. All that has restored task manager, but I still don't have control panel or 'set program access and defaults' from the Start menu. It occurs to me that I might need yet another reboot, so I'll give that a try after I've finished this reply...

scotiabahn

Nov 20 2007, 07:47 PM

Oops... forgot to do the policy export bit...

Done it now and uploaded result.txt...

And the reboot didn't make a damn bit of difference... thought it was worth a try... i was trained on 'switch it off and start again'...

I also reran HijackThis again, because it looked like sol629.txt was still referenced in the various logs above - it was there so I've 'fixed it to get shot of it and here's another log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:04:05, on 20/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.amazon.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://magnet.2020.net/virtualplanner/Core...yerAX_Win32.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

--
End of file - 7388 bytes

AndyManchesta

Nov 20 2007, 09:05 PM

Cheers Steve,

I had a feeling that sol629.txt would still be showing

, do you know how your being infected with this as the HJT backups shows its been on the PC afew times ? , its blocking access to alot of Antivirus sites using the hosts file and grisoft.com is listed so its worth making sure that your AV is fully updated and run a full scan after you reset the Hosts file,

Please download The Avenger by Swandog46 to your Desktop

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

Copy all of the text contained in the code box below (making drivers to unload: the top line) to your Clipboard by highlighting it and pressing (Ctrl+C):

CODE

drivers to unload:
pnicml

Registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run

Registry values to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoControlPanel
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | %windir%\\system32\\winav.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | %windir%\\system32\\winav.exe

Registry values to replace with dummy:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINDOWS\system32\bronto.dll
C:\WINDOWS\system32\proper.exe
C:\WINDOWS\system32\sol629.txt
C:\WINDOWS\system32\winter.exe
C:\WINDOWS\xlaherx.exe

Folders to Delete:
C:\Program Files\Adsense Helper Object

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log

Thanks

scotiabahn

Nov 20 2007, 10:00 PM

The source is a blog with some very occasionally dodgy links... I need to surf safer... I'd got lulled into a false sense of security with Combofix...

AVG updates every morning and runs every lunchtime so it's in pretty reasonable nick (I thought...)

Here's the Avenger log

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uxblkjlg

*******************

Script file located at: \??\C:\Documents and Settings\usrkmvxw.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver pnicml unloaded successfully.

Could not delete registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List|%windir%\\system32\\winav.exe
Deletion of registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List|%windir%\\system32\\winav.exe failed!

Could not process line:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List|%windir%\\system32\\winav.exe
Status: 0xc0000034

Could not delete registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List|%windir%\\system32\\winav.exe
Deletion of registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List|%windir%\\system32\\winav.exe failed!

Could not process line:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List|%windir%\\system32\\winav.exe
Status: 0xc0000034

File C:\WINDOWS\system32\bronto.dll not found!
Deletion of file C:\WINDOWS\system32\bronto.dll failed!

Could not process line:
C:\WINDOWS\system32\bronto.dll
Status: 0xc0000034

File C:\WINDOWS\system32\proper.exe not found!
Deletion of file C:\WINDOWS\system32\proper.exe failed!

Could not process line:
C:\WINDOWS\system32\proper.exe
Status: 0xc0000034

File C:\WINDOWS\system32\sol629.txt not found!
Deletion of file C:\WINDOWS\system32\sol629.txt failed!

Could not process line:
C:\WINDOWS\system32\sol629.txt
Status: 0xc0000034

File C:\WINDOWS\system32\winter.exe not found!
Deletion of file C:\WINDOWS\system32\winter.exe failed!

Could not process line:
C:\WINDOWS\system32\winter.exe
Status: 0xc0000034

File C:\WINDOWS\xlaherx.exe not found!
Deletion of file C:\WINDOWS\xlaherx.exe failed!

Could not process line:
C:\WINDOWS\xlaherx.exe
Status: 0xc0000034

Folder C:\Program Files\Adsense Helper Object deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoControlPanel deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.

and now the HJT log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:55:18, on 20/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.amazon.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://magnet.2020.net/virtualplanner/Core...yerAX_Win32.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

--
End of file - 7255 bytes

I'm sorry you had to craft the script just for me, it is much appreciated, and I will endeavour not to get suckered into this situation again. I managed to fix the last one or two problems too easily. Everything is now working again and I really want it to stay that way!

scotiabahn

Nov 21 2007, 07:15 AM

QUOTE

its blocking access to alot of Antivirus sites using the hosts file and grisoft.com is listed so its worth making sure that your AV is fully updated and run a full scan after you reset the Hosts file,

I was wondering overnight exactly what this Hosts file is, and what it's used for - is it something I should keep an eye on or specifically be protecting? I've not come across it before...

AndyManchesta

Nov 21 2007, 11:59 AM

Hi Steve,

QUOTE

I was wondering overnight exactly what this Hosts file is, and what it's used for - is it something I should keep an eye on or specifically be protecting? I've not come across it before...

With this trojan getting onto your PC afew times now a protective hosts file maybe worth considering to help reduce the chances of getting more infections on the machine, the hosts file maps domain names to IP addresses so for example if you had www.google.com in your hosts file and then the IP 87.248.113.14 next to it opening www.google.com with your browser will actually open www.yahoo.com instead as the IP address belongs to them.

QUOTE

AVG updates every morning and runs every lunchtime so it's in pretty reasonable nick (I thought...)

AVG may not have been affected by that hosts file as it was only blocking the main domain www.grisoft.com and not the download locations like its doing with the Kaspersky site but it was worth making sure, same for Windows Updates as that was being blocked so its worth seeing if there's anything available http://windowsupdate.microsoft.com

The hosts file can be used to help protect the pc from malicious sites but it can also be used my malware to either block access to security sites or redirect the browser when you open sites mentioned which can be dangerous if banking sites are listed as it would then be possible for them to redirect you to a fake login page to steal info when you attempt to access the genuine sites,

for the Smitfraud fix report

QUOTE

192.168.200.3 ad.doubleclick.net
192.168.200.3 ad.fastclick.net
192.168.200.3 ads.fastclick.net
192.168.200.3 ar.atwola.com
192.168.200.3 atdmt.com
192.168.200.3 avp.ch
192.168.200.3 avp.com
192.168.200.3 avp.ru
192.168.200.3 awaps.net
192.168.200.3 banner.fastclick.net
192.168.200.3 banners.fastclick.net
192.168.200.3 ca.com
192.168.200.3 click.atdmt.com
192.168.200.3 clicks.atdmt.com
192.168.200.3 customer.symantec.com
192.168.200.3 dispatch.mcafee.com
192.168.200.3 download.mcafee.com
192.168.200.3 downloads-us1.kaspersky-labs.com
192.168.200.3 downloads-us2.kaspersky-labs.com
192.168.200.3 downloads-us3.kaspersky-labs.com
192.168.200.3 downloads1.kaspersky-labs.com
192.168.200.3 downloads2.kaspersky-labs.com
192.168.200.3 downloads3.kaspersky-labs.com
192.168.200.3 downloads4.kaspersky-labs.com
192.168.200.3 engine.awaps.net
192.168.200.3 f-secure.com
192.168.200.3 fastclick.net
192.168.200.3 ftp.avp.ch
192.168.200.3 ftp.downloads1.kaspersky-labs.com
192.168.200.3 ftp.downloads2.kaspersky-labs.com
192.168.200.3 ftp.downloads3.kaspersky-labs.com
192.168.200.3 ftp.f-secure.com
192.168.200.3 ftp.kasperskylab.ru
192.168.200.3 ftp.sophos.com
192.168.200.3 ids.kaspersky-labs.com
192.168.200.3 kaspersky-labs.com
192.168.200.3 kaspersky.com
192.168.200.3 liveupdate.symantec.com
192.168.200.3 liveupdate.symantecliveupdate.com
192.168.200.3 mast.mcafee.com
192.168.200.3 mcafee.com
192.168.200.3 media.fastclick.net
192.168.200.3 my-etrust.com
192.168.200.3 nai.com
192.168.200.3 networkassociates.com
192.168.200.3 norton.com
192.168.200.3 phx.corporate-ir.net
192.168.200.3 rads.mcafee.com
192.168.200.3 secure.nai.com
192.168.200.3 securityresponse.symantec.com
192.168.200.3 service1.symantec.com
192.168.200.3 sophos.com
192.168.200.3 spd.atdmt.com
192.168.200.3 symantec.com
192.168.200.3 trendmicro.com
192.168.200.3 update.symantec.com
192.168.200.3 updates.symantec.com
192.168.200.3 updates1.kaspersky-labs.com
192.168.200.3 updates2.kaspersky-labs.com
192.168.200.3 updates3.kaspersky-labs.com
192.168.200.3 updates4.kaspersky-labs.com
192.168.200.3 updates5.kaspersky-labs.com
192.168.200.3 us.mcafee.com
192.168.200.3 vil.nai.com
192.168.200.3 viruslist.com
192.168.200.3 viruslist.ru
192.168.200.3 virusscan.jotti.org
192.168.200.3 virustotal.com
192.168.200.3 www.avp.ch
192.168.200.3 www.avp.com
192.168.200.3 www.avp.ru
192.168.200.3 www.awaps.net
192.168.200.3 www.ca.com
192.168.200.3 www.f-secure.com
192.168.200.3 www.fastclick.net
192.168.200.3 www.grisoft.com
192.168.200.3 www.kaspersky-labs.com
192.168.200.3 www.kaspersky.com
192.168.200.3 www.kaspersky.ru
192.168.200.3 www.mcafee.com
192.168.200.3 www.my-etrust.com
192.168.200.3 www.nai.com
192.168.200.3 www.networkassociates.com
192.168.200.3 www.sophos.com
192.168.200.3 www.symantec.com
192.168.200.3 www.symantec.com
192.168.200.3 www.trendmicro.com
192.168.200.3 www.viruslist.com
192.168.200.3 www.viruslist.ru
192.168.200.3 www.virustotal.com
192.168.200.3 www3.ca.com

192.168.200.3 download.microsoft.com
192.168.200.3 downloads.microsoft.com
192.168.200.3 go.microsoft.com
192.168.200.3 microsoft.com
192.168.200.3 msdn.microsoft.com
192.168.200.3 office.microsoft.com
192.168.200.3 support.microsoft.com
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 www.microsoft.com
192.168.200.3 pandasoftware.com
192.168.200.3 www.pandasoftware.com

192.168.200.3 refers to your own machine so every site listed above is being blocked, if you attempt to access them it will just redirect to your own pc and then show a standard page cannot be displayed error, some of them at the top like doubleclick and fastclick are fine to have in there as that would prevent them showing banner ads or adding cookies but most Antivirus sites are also being blocked as well as Microsoft and Windows Updates

You can get a protective hosts file and more details here

http://www.mvps.org/winhelp2002/hosts.htm

The below link shows what sites are blocked by that hosts file

http://www.mvps.org/winhelp2002/hosts.txt

The Avenger log looks good, just a couple of the entries were found but it failed on one which we can do again with a regfix and then give Kaspersky and blacklight a run to make sure there's no remaining problems

Open notepad (Start Menu > Run > type notepad and press ok) then copy and paste the contents of the code box into Notepad making REGEDIT4 the top line.

CODE

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\winav.exe"=-
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\winav.exe"=-

Goto File on the top bar of Notepad and choose Save As, on the Save As Type area change it to all files then name it fix.reg and save it to your desktop, double click fix.reg (or right click and choose Merge) and allow it to be merged into the registry which will remove the entries.

Download Blacklight HERE and save it to your desktop.
Run the program, accept statement > click next then scan
When its finished scanning exit the program and post back the log if it detects hidden files, The log is called 'fsbl-<date/time>.log' which will save to the same location as the fsbl.exe file.

Finally run Kaspersky WebScanner again to check for remaining files

Kaspersky Online Scanner
Read and Accept the Agreement
The program will launch and then begin downloading any newer definition files since you last used it
When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop

Please then post back the Blacklight log if it finds hidden files and the Kaspersky log

Cheers

scotiabahn

Nov 21 2007, 02:24 PM

This Hosts file looks like an interesting source for trouble - I'm grateful for the info and I'll investigate further...

Windows Update was happy with me - if it was blocked, it must have been by the most recent problem...

Regedit done...

Blacklight ran and came up with nowt - here's the log:-

11/21/07 13:32:44 [Info]: BlackLight Engine 1.0.67 initialized
11/21/07 13:32:44 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/21/07 13:32:44 [Note]: 7019 4
11/21/07 13:32:44 [Note]: 7005 0
11/21/07 13:32:48 [Note]: 7006 0
11/21/07 13:32:48 [Note]: 7011 1768
11/21/07 13:32:49 [Note]: 7026 0
11/21/07 13:32:49 [Note]: 7026 0
11/21/07 13:32:52 [Note]: FSRAW library version 1.7.1024
11/21/07 13:41:43 [Note]: 2000 1012
11/21/07 13:43:04 [Note]: 7007 0

Kaspersky seems to be taking it's time, so I'll add it on later...

much later we get this from Kaspersky...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 21, 2007 3:58:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/11/2007
Kaspersky Anti-Virus database records: 462724
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 93736
Number of viruses found: 3
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 01:31:17

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\891104db49c388d99c18d9cb7b1ea7a0_9226631d-4f46-4a75-ba66-276481b58a62 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fe90735e35b8edaa78f7abc6fb860a01_9226631d-4f46-4a75-ba66-276481b58a62 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\family\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\family\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\family\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\family\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\family\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\family\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\family\Local Settings\Application Data\Identities\{66817EC6-B13A-41D7-A011-359FB3B8EE51}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\family\Local Settings\Application Data\Identities\{66817EC6-B13A-41D7-A011-359FB3B8EE51}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\family\Local Settings\Application Data\Identities\{66817EC6-B13A-41D7-A011-359FB3B8EE51}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\family\Local Settings\Application Data\Identities\{66817EC6-B13A-41D7-A011-359FB3B8EE51}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\family\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\family\Local Settings\History\History.IE5\MSHist012007112120071122\index.dat Object is locked skipped
C:\Documents and Settings\family\Local Settings\Temp\Perflib_Perfdata_60c.dat Object is locked skipped
C:\Documents and Settings\family\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\family\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\family\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Download\adaware\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Download\adaware\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Download\adaware\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Download\adaware\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Program Files\BT Broadband Desktop Help\vendors\btbb\wwwcache\wt\deviceview\private\content\driven_dev\upgrade\McciContextUpgrade.exe/WISE0007.BIN Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
C:\Program Files\BT Broadband Desktop Help\vendors\btbb\wwwcache\wt\deviceview\private\content\driven_dev\upgrade\McciContextUpgrade.exe WiseSFX: infected - 1 skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071030-151127-311.dll Infected: Backdoor.Win32.Small.cls skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_family.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_family.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\GIPS.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_family.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\p2pce.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\voice.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\YSDP.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\YSIP.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{04DDD082-6064-4FF5-8FE3-6677C6AA6555}\RP2\A0001146.exe Object is locked skipped
C:\System Volume Information\_restore{04DDD082-6064-4FF5-8FE3-6677C6AA6555}\RP2\A0001147.exe Object is locked skipped
C:\System Volume Information\_restore{04DDD082-6064-4FF5-8FE3-6677C6AA6555}\RP2\A0001148.exe Object is locked skipped
C:\System Volume Information\_restore{04DDD082-6064-4FF5-8FE3-6677C6AA6555}\RP2\A0001149.exe Object is locked skipped
C:\System Volume Information\_restore{04DDD082-6064-4FF5-8FE3-6677C6AA6555}\RP4\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Motive\btbb\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
C:\WINDOWS\Motive\btbb\UninstallHelper.exe/WISE0004.BIN Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
C:\WINDOWS\Motive\btbb\UninstallHelper.exe WiseSFX: infected - 1 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{7C5C94D8-64D3-4DAD-8DCD-0808793AA4B4}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

AndyManchesta

Nov 22 2007, 02:59 AM

Cheers Steve,

That looks fine, its just detecting a couple of files belonging to Smitfraudfix and BT so they can be ignored, just check afew settings now to make sure the trojan hasnt made changes in other area's then Id say your all set

, Combofix has been updated as well if you needed to use it again anytime

Open a I.E browser window then goto Tools on the top bar then Internet Options

Goto The Advanced Tab and Press Restore Defaults
Goto The Security Tab, it will then be highlighting the Internet Zone, click the Default Level if its not grayed out then click Apply and OK to close the Security Settings screen.

Next check the Firewall and Security Center settings are correct, first goto Start > Control Panel > Firewall and check its the way you set it (On/Off) then goto Start > Control Panel > Security Center > and click Change the way Security Center alerts me on the left and make sure the notify options are set the way you want them

You can also delete the HijackThis backups as they are not needed now, Open Hijackthis, and click the Misc Tools button. Click the Backups button then Delete All and click Yes at any prompts

Run CCleaner to clear out the temp folders and then finally clear your System Restore points

Click Start Menu > All Programs > Accessories > System Tools > SystemRestore

Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created. Then press OK to clear the temp files found in the initial scan and close Disk Cleanup

Let me know if there's still any problems on the PC and please read the Prevention guide as its got lots of excellent links and tips to help avoid malware problems

Thanks

scotiabahn

Nov 22 2007, 08:10 AM

Andy,

many thanks for everything. I've followed through with these last items and all is well again. I've looked at the prevention guide and I do need to make some changes - certainly the Hosts file and some changes to my firewall arrangements are definites. As we have 3 machines in the house, sorting them all out and keeping them in line could take a wee while, but I will do it as soon as I can... this weekend seems a likely candidate...

Thanks again.

Steve

AndyManchesta

Nov 24 2007, 07:34 AM

Your Welcome Steve,

Im glad I could help, hopefully the steps in the prevention guide will help you avoid more infections but just let us know if you have more problems anytime

Happy Surfing

Andy

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.