What's going on?!?!


dragnmastr85

I've been having a lot of issues with my comp, and BitDefender has found so many trojans and crap I don't know how I managed to get it this screwed up, but can anyone take a look at my HJT log and tell me if they see anything? Thanks in advance!

 

Logfile of HijackThis v1.99.1

Scan saved at 8:18:05 AM, on 9/20/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

D:\Diskeeper Corporation\Diskeeper\DkService.exe

D:\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

D:\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

D:\Softwin\BitDefender10\vsserv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

D:\Winamp\winampa.exe

D:\Softwin\BitDefender10\bdmcon.exe

D:\Softwin\BitDefender10\bdagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

D:\Winamp\winamp.exe

D:\Mozilla Thunderbird\thunderbird.exe

D:\Trillian\trillian.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\mmc.exe

C:\WINDOWS\TEMP\winFA.tmp.exe

D:\Softwin\BitDefender10\bdlite.exe

D:\Diskeeper Corporation\Diskeeper\DfrgNTFS.exe

D:\Diskeeper Corporation\Diskeeper\DfrgNTFS.exe

D:\Diskeeper Corporation\Diskeeper\DfrgNTFS.exe

C:\Documents and Settings\Adam\Desktop\HijackThis\HijackThis.exe

 

O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ultraMon] "D:\UltraMon\UltraMon.exe" /auto

O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe

O4 - HKLM\..\Run: [bDMCon] "D:\Softwin\BitDefender10\bdmcon.exe" /reg

O4 - HKLM\..\Run: [bDAgent] "D:\Softwin\BitDefender10\bdagent.exe"

O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Diskeeper Corporation\Diskeeper\DkIcon.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - Startup: Mozilla Thunderbird.lnk = D:\Mozilla Thunderbird\thunderbird.exe

O4 - Startup: Trillian.lnk = D:\Trillian\trillian.exe

O4 - Global Startup: UltraMon.lnk = ?

O4 - Global Startup: Winamp.lnk = D:\Winamp\winamp.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Messenger\msmsgs.exe

O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab

O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)

O23 - Service: Diskeeper - Diskeeper Corporation - D:\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)

O23 - Service: NBService - Nero AG - D:\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - D:\Softwin\BitDefender10\vsserv.exe" /service (file missing)

O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

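The first pass a helper makes over a log like the one above is mechanical: spot registry autostarts with no backing file, services reported missing, and executables launched from temp directories. The following Python script is an added example (not part of this thread and not HijackThis's own logic) that applies those heuristics; its sample input is a subset of the posted log, and the rules, names and the "verify manually" caveat for mangled quoted paths are the author's assumptions.

```python
"""Added triage helper for HijackThis-style logs; heuristics, not HijackThis's own logic."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a subset of the HijackThis log posted above (process list + O-lines).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\winFA.tmp.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Diskeeper Corporation\Diskeeper\DkService.exe
"""

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")          # "O21 - SSODL: ..."
EXE_RE = re.compile(r"([\w.~-]+\.exe)", re.IGNORECASE)  # first executable name in a line
TEMP_DIR_RE = re.compile(r"\\(temp|temporary internet files)\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str                       # "process" or the HJT section, e.g. "O21"
    text: str                       # the line without its "Oxx - " prefix
    flags: list[str] = field(default_factory=list)


def parse_hjt(log: str) -> list[Entry]:
    """Split a HijackThis log into running-process lines and O-section entries."""
    entries: list[Entry] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False            # the first O-line ends the process list
            entries.append(Entry(m.group(1), m.group(2)))
        elif in_processes:
            entries.append(Entry("process", line))
    return entries


def exe_name(text: str) -> Optional[str]:
    """Lower-cased name of the first .exe mentioned in the line, if any."""
    m = EXE_RE.search(text)
    return m.group(1).lower() if m else None


def triage(entries: list[Entry]) -> list[Entry]:
    """Attach review flags and return only the entries that received at least one."""
    running = {exe_name(e.text) for e in entries if e.kind == "process"}
    for e in entries:
        if TEMP_DIR_RE.search(e.text):
            e.flags.append("executable launched from a temp directory")
        if e.kind == "O21":
            # SSODL entries are rare on a clean system; one with no backing file is an
            # orphaned autostart, the kind of remnant the helper points out in this thread.
            suffix = " with no file on disk" if "(no file)" in e.text else ""
            e.flags.append("ShellServiceObjectDelayLoad autostart" + suffix)
        if e.kind == "O23" and "(file missing)" in e.text:
            # A lone quote in the path means the command line was not split cleanly; if the
            # same binary also appears in the process list, the "missing" verdict is unreliable.
            if e.text.count('"') % 2 == 1 or exe_name(e.text) in running:
                e.flags.append("service reported missing but path is mangled or binary is running: verify manually")
            else:
                e.flags.append("service binary missing on disk")
        if e.kind == "O16":
            e.flags.append("downloaded ActiveX control: review the source URL")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{e.kind}] {e.text}")
        for flag in e.flags:
            print(f"    -> {flag}")
```

Run against the full log, the script surfaces the same O21 SSODL entry the helper names below, while the BitDefender services that HijackThis reports as "(file missing)" are downgraded to "verify manually" because their binaries are in the running process list.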

dragnmastr85,

 

It looks as if you kept company with the SmitFraud malware. There is a remnant of it in your log.

 

Let's do the following to make sure all of it is gone:

 

Please download SmitfraudFix (by S!Ri) to the Desktop.

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract the files to the Desktop

A folder named SmitfraudFix is created.

 

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Only select option #1 - Search by typing 1 and press Enter

This program scans large amounts of files on your computer, so please be patient while it works.

When it is done, a log named rapport.txt is created, listing infected files (if present).

 

~~~~

To check there is nothing else 'hidden', also do the following:

 

Download SilentRunners:

http://www.silentrunners.org/Silent%20Runners.zip

Unzip it to the Desktop and double-click on it.

 

If an alert about scripting appears from your anti-virus, choose to allow the script to run.

When the scan is finished, a message pops up and a logfile is created on the Desktop.

 

Post the contents of the SilentRunners log file in your response, along with the C:\rapport.txt.


I use Firefox and winantivirus.com keeps intruding on it. Also, BitDefender keeps reporting infected files in system32 and temp internet files. I scan both of them and remove everything infected, but it keeps coming back. The virus it finds is trojan.pakes or something like that.

 

************RAPPORT:

 

SmitFraudFix v2.95

 

Scan done at 14:45:27.64, Wed 09/20/2006

Run from C:\Documents and Settings\Adam\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix ran in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

C:\WINDOWS\system32\ot.ico FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Adam\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !

C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Adam\FAVORI~1

 

C:\DOCUME~1\Adam\FAVORI~1\Antivirus Test Online.url FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» D:

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"="sockspy.dll"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

 

 

 

 

**********SILENT RUNNERS:

 

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

"{18AAC2C1-0BB6-1033-0224-041023030001}" = ""C:\Program Files\Common Files\{18AAC2C1-0BB6-1033-0224-041023030001}\Update.exe" mc-110-12-0000272" [file not found]

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Smapp" = "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" ["Analog Devices, Inc."]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]

"UltraMon" = ""D:\UltraMon\UltraMon.exe" /auto" ["Realtime Soft"]

"WinampAgent" = "D:\Winamp\winampa.exe" [null data]

"BDMCon" = ""D:\Softwin\BitDefender10\bdmcon.exe" /reg" ["SOFTWIN S.R.L."]

"BDAgent" = ""D:\Softwin\BitDefender10\bdagent.exe"" ["SOFTWIN S.R.L."]

"DiskeeperSystray" = ""D:\Diskeeper Corporation\Diskeeper\DkIcon.exe"" ["Diskeeper Corporation"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{278B661A-14A8-D8B0-6AF4-03088B866149}\(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\unaoakg.dll" [null data]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "D:\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

{6817A68A-A084-4A6C-9A43-32911B4E1F88}\(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\vtstt.dll" [null data]

{a43385f0-7113-496d-96d7-b9b550e3fcca}\(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\ixt0.dll" [file not found]

{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}\(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\xyopofqh.dll" [null data]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"

-> {HKLM...CLSID} = "Display Panning CPL Extension"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

-> {HKLM...CLSID} = "AlcoholShellEx"

\InProcServer32\(Default) = "D:\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "D:\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Outlook File Icon Extension"

\InProcServer32\(Default) = "D:\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "D:\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

-> {HKLM...CLSID} = "Portable Media Devices"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"

-> {HKLM...CLSID} = "ShellLink for Application References"

\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"

-> {HKLM...CLSID} = "Shell Icon Handler for Application References"

\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"

-> {HKLM...CLSID} = "PowerISO"

\InProcServer32\(Default) = "D:\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

INFECTION WARNING! "AppInit_DLLs" = "sockspy.dll" [null data]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! vtstt\DLLName = "C:\WINDOWS\system32\vtstt.dll" [null data]

INFECTION WARNING! winbjt32\DLLName = "winbjt32.dll" [null data]

 

HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

-> {HKLM...CLSID} = "PowerISO"

\InProcServer32\(Default) = "D:\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]

WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"

-> {HKLM...CLSID} = "RtClkCtxMenu Class"

\InProcServer32\(Default) = "D:\Ipswitch\WS_FTP Professional\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

-> {HKLM...CLSID} = "PowerISO"

\InProcServer32\(Default) = "D:\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

-> {HKLM...CLSID} = "PowerISO"

\InProcServer32\(Default) = "D:\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]

WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"

-> {HKLM...CLSID} = "RtClkCtxMenu Class"

\InProcServer32\(Default) = "D:\Ipswitch\WS_FTP Professional\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

 

 

Default executables:

--------------------

 

HKCU\Software\Classes\piffile\

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\All Users\Documents\Shared Wallpapers\dsd.bmp"

 

 

Enabled Screen Saver:

---------------------

 

HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssstars.scr" [MS]

 

 

Startup items in "Adam" & "All Users" startup folders:

------------------------------------------------------

 

C:\Documents and Settings\Adam\Start Menu\Programs\Startup

"Mozilla Thunderbird" -> shortcut to: "D:\Mozilla Thunderbird\thunderbird.exe" ["Mozilla Corporation"]

"Trillian" -> shortcut to: "D:\Trillian\trillian.exe" ["Cerulean Studios"]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

"UltraMon" -> shortcut to: "C:\WINDOWS\Installer\{9CDA9CA7-C5F0-4308-B160-6A477D900D6D}\IcoUltraMon.ico" [null data]

"Winamp" -> shortcut to: "D:\Winamp\winamp.exe" ["Nullsoft"]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Explorer Bars

 

Dormant Explorer Bars in "View, Explorer Bar" menu

 

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "D:\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"

 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "D:\Messenger\msmsgs.exe" [MS]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

BitDefender Communicator, XCOMM, ""C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]

BitDefender Desktop Update Service, LIVESRV, ""C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service" ["SOFTWIN S.R.L."]

BitDefender Scan Server, bdss, ""C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]

BitDefender Virus Shield, VSSERV, ""D:\Softwin\BitDefender10\vsserv.exe" /service" ["SOFTWIN S.R.L."]

Diskeeper, Diskeeper, ""D:\Diskeeper Corporation\Diskeeper\DkService.exe"" ["Diskeeper Corporation"]

InCD Helper, InCDsrv, "D:\Nero\Nero 7\InCD\InCDsrv.exe" ["Nero AG"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

StarWind iSCSI Service, StarWindService, "D:\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

 

 

Print Monitors:

---------------

 

HKLM\System\CurrentControlSet\Control\Print\Monitors\

Canon BJ Language Monitor iP1600\Driver = "CNMLM75.DLL" ["CANON INC."]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

 

 

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 90 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

took 21 seconds.

---------- (total run time: 152 seconds)


Please download SmitfraudFix (by S!Ri) to the Desktop.

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract the files to the Desktop

We will use this later.

 

~~~~

Please download the following to the Desktop:

VundoFix.exe

* Double-click VundoFix.exe to run it

* Click: Scan for Vundo

* Once done scanning, click: Remove Vundo

* A prompt asking if you want to remove the files appears, click: Yes

* The Desktop goes blank as it starts removing Vundo.

* When completed, a prompt to shutdown the computer appears, click OK

* Turn the computer back on.

 

A log is created and found in C:\vundofix.txt

 

~~~~

Start the computer in Safe Mode:

-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.

-Select the option for Safe Mode using the arrow keys.

-Press Enter to boot into Safe Mode.

 

~~~~

Run HijackThis, Scan

Check box for:

 

O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)

 

Select: Fix checked

 

~~~~

Next, with Internet Explorer and Outlook Express closed:

Go to Start > Control Panel > Internet Options

In the General tab, Temporary Internet Files, click: Delete Files

When prompted, check: Delete all offline content

You can also check: Delete Cookies

(You will have to re-enter passwords at websites that require them.)

Click OK

 

Also, please empty the Firefox (if installed) browser cache:

Go to Tools > Options

Select Privacy and then the Cache tab

In the cache tab, click: Clear Cache Now

Click OK to close the Options window

 

Then, go to Start > Run and enter: cleanmgr

Select the drive to clean: C:\

Check the following boxes and then press OK to remove:

Temporary Files

Temporary Internet Files

Recycle Bin

Agree to the prompt to perform the action.

 

~~~~

Open SmitfraudFix

Double-click smitfraudfix.cmd

Select Option 2 - Clean by typing 2 and press Enter (Deletes infected files)

You are prompted: Do you want to clean the registry? Answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

 

The tool also checks if a relevant file, wininet.dll, is infected.

You may be prompted to replace the infected file (if found).

Replace infected file? Answer Y (yes) and hit Enter to restore a clean file.

A report of the actions performed is found at C:\rapport.txt

 

~~~~

Restart the computer to complete the removal process.

 

~~~~

Please download ComboFix to the Desktop:

http://download.bleepingcomputer.com/sUBs/combofix.exe

Double-click combofix.exe

Follow the prompts.

(Don't click on the window while the program is running; it may cause your system to hang.)

 

A log, combofix.txt, is produced.

 

~~~~

Please post the following:

From VundoFix: C:\vundofix.txt

From SmitFraudFix: C:\rapport.txt

The ComboFix.txt

A new HijackThis log


Logfile of HijackThis v1.99.1

Scan saved at 11:47:15 PM, on 9/20/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

D:\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

D:\Winamp\winampa.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Winamp\winamp.exe

D:\Mozilla Thunderbird\thunderbird.exe

D:\Trillian\trillian.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

D:\Softwin\BitDefender10\bdagent.exe

C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

D:\Microsoft Office\OFFICE11\WINWORD.EXE

D:\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Adam\Desktop\HijackThis\HijackThis.exe

 

O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ultraMon] "D:\UltraMon\UltraMon.exe" /auto

O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe

O4 - HKLM\..\Run: [bDMCon] "D:\Softwin\BitDefender10\bdmcon.exe" /reg

O4 - HKLM\..\Run: [bDAgent] "D:\Softwin\BitDefender10\bdagent.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Mozilla Thunderbird.lnk = D:\Mozilla Thunderbird\thunderbird.exe

O4 - Startup: Trillian.lnk = D:\Trillian\trillian.exe

O4 - Global Startup: UltraMon.lnk = ?

O4 - Global Startup: Winamp.lnk = D:\Winamp\winamp.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Messenger\msmsgs.exe

O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - D:\Softwin\BitDefender10\vsserv.exe" /service (file missing)

O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


Since you are starting anew, take a good look at the following suggestions to remain malware free:

Tony Klein’s article 'How Did I Get Infected In The First Place'

http://forums.spywareinfo.com/index.php?showtopic=60955

 

====

If you have any questions or comments, post back. Otherwise...

 

Good luck, dragnmastr85!!
