Help Here is my log
alcocerpi
2. May 2006 @ 17:58
I'm getting the same http://www.theguardservices.com/ and blinking lights at the bottom right. Here is my log.
Logfile of HijackThis v1.99.1
Scan saved at 9:50:25 PM, on 5/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\swserv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\RDS\svcagnt.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Pete\My Documents\Get Rid of Virus\HijackThis_v1.99.1.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts:
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpC8F0.tmp
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinStartup] C:\WINDOWS\swserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - http://mediaplayer.walmart.com/installer/install.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Windows Desktop Security (dtsagntsvc) - Unknown owner - C:\Program Files\RDS\svcagnt.exe" /svc (file missing)
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleCSService - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\bin\ocssd.exe
O23 - Service: OracleDBConsoleorcl - Oracle Corporation - D:\oracleDB10g\product\10.1.0\db_1\bin\nmesrvc.exe
O23 - Service: OracleIdenASControl - Oracle Corporation - D:\oracle\iden\bin\nmesrvc.exe
O23 - Service: OracleIdenClientCache - Unknown owner - D:\oracle\iden\BIN\ONRSD.EXE
O23 - Service: OracleIdenProcessManager - Unknown owner - D:\oracle\iden\opmn\bin\opmn.exe
O23 - Service: OracleinfraASControl - Oracle Corporation - d:\oracle\infr\bin\nmesrvc.exe
O23 - Service: OracleinfraClientCache - Unknown owner - d:\oracle\infr\BIN\ONRSD.EXE
O23 - Service: OracleinfraProcessManager - Unknown owner - d:\oracle\infr\opmn\bin\opmn.exe
O23 - Service: OracleinfraTNSListener - Unknown owner - d:\oracle\infr\BIN\TNSLSNR.exe
O23 - Service: Oraclemidtier1ASControl - Oracle Corporation - C:\oracle\midtier1\bin\nmesrvc.exe
O23 - Service: Oraclemidtier1ClientCache - Unknown owner - C:\oracle\midtier1\BIN\ONRSD.EXE
O23 - Service: Oraclemidtier1ProcessManager - Unknown owner - C:\oracle\midtier1\opmn\bin\opmn.exe
O23 - Service: Oraclemidtier2ASControl - Oracle Corporation - C:\oracle\midtier2\bin\nmesrvc.exe
O23 - Service: Oraclemidtier2ProcessManager - Unknown owner - C:\oracle\midtier2\opmn\bin\opmn.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oraClient\bin\omtsreco.exe
O23 - Service: OracleoraClientClientCache - Unknown owner - D:\oraClient\BIN\ONRSD.EXE
O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - D:\oracleDB10g\product\10.1.0\db_1\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\TNSLSNR.exe
O23 - Service: OracleServiceASDB - Oracle Corporation - d:\oracle\infr\bin\ORACLE.EXE
O23 - Service: OracleServiceORCL - Oracle Corporation - d:\oracledb10g\product\10.1.0\db_1\bin\ORACLE.EXE
Senior Member
2. May 2006 @ 20:20
Hi alcocerpi.
You don't have a firewall on your computer. Download and install a firewall.
These are good (free) firewalls:
ZoneAlarm --> http://www.zonelabs.com
Kerio --> http://www.sunbelt-software.com/Kerio.cfm
Outpost --> http://www.agnitum.com
Ok, you got some infections....
Have you installed this Desktop Scout keylogger and screenshot software?
Cleaning instructions:
Move HijackThis into its own folder C:\HJT
Download and install Ewido, UPDATE it, but do NOT run a scan yet. -> http://www.ewido.net/en/download/ We'll use this later.
Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Unzip it (folder named SmitFraudFix) to your desktop:
Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd
Choose option #1 - Search by typing 1 and pressing "Enter"; a textfile opens and lists the infected files (if those exist)
Post the contents of this textfile to here.
(Some antiviruses recognise process.exe as malware. It is not malware; it is a program that stops processes.)
Fix the following entries with HijackThis (run HijackThis, press "Do a system scan only", close all other windows, checkmark entries and press Fix checked):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts:
O4 - HKLM\..\Run: [WinStartup] C:\WINDOWS\swserv.exe
Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml
Delete this file (if found):
C:\WINDOWS\swserv.exe
Empty the Recycle Bin
Restart your computer normally.
Post a fresh HijackThis log and the contents of SmitfraudFix log to here and we'll continue.
I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
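As an added example (not code from this thread, from HijackThis or from its author), here is a small Python triage script that reads a HijackThis v1.99.1 log and applies the kind of checks the helper applied by hand above: a BHO loaded from a .tmp file, a Run entry whose executable sits directly in C:\WINDOWS, a service whose file is reported missing, and a process running from the Windows directory that no autostart entry in the log accounts for. The rule names and the core-process allowlist are my own, and the embedded sample log is an abridged copy of the first log posted in the thread.

```python
"""Triage a HijackThis v1.99.1 log the way the helper in this thread reads it.

Rules are heuristics; a hit means "explain this entry", not "this is malware".
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: an abridged copy of the first log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\swserv.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\RDS\svcagnt.exe
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpC8F0.tmp
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinStartup] C:\WINDOWS\swserv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: Windows Desktop Security (dtsagntsvc) - Unknown owner - C:\Program Files\RDS\svcagnt.exe" /svc (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
IMAGE_RE = re.compile(r'^"?(?P<image>.+?\.(?:exe|dll|cmd|bat|scr))\b', re.IGNORECASE)

WINDIR = r"c:\windows"
# Processes Windows XP starts on its own, so they never have a Run/Service
# line. This allowlist is my own and deliberately short.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
                  "rundll32.exe", "ctfmon.exe", "wscntfy.exe", "wuauclt.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def image_path(cmd: str) -> str:
    """Executable launched by a Run/Service command. HijackThis prints the
    command as stored, so it may be quoted, carry arguments, or carry a stray
    quote (as the dtsagntsvc line does); stopping at the first .exe/.dll-style
    extension copes with all three."""
    m = IMAGE_RE.match(cmd.strip())
    return m["image"] if m else cmd.strip().split()[0]


def parse_log(text: str) -> Tuple[List[str], List[str]]:
    """Split a log into its running-process paths and its O/R entry lines."""
    running, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
        elif re.match(r"^[OR]\d+ - ", line):
            in_procs = False
            entries.append(line)
        elif in_procs:
            running.append(line)
    return running, entries


def triage(text: str) -> List[Finding]:
    running, entries = parse_log(text)
    findings: List[Finding] = []
    explained = set(CORE_PROCESSES)   # basenames some autostart accounts for
    for line in entries:
        if m := O2_RE.match(line):
            # A .tmp file is not where a properly installed BHO lives.
            if ntpath.splitext(m["path"])[1].lower() == ".tmp":
                findings.append(Finding("bho-in-tmp-file", line))
        elif m := O4_RE.match(line):
            image = image_path(m["cmd"])
            explained.add(ntpath.basename(image).lower())
            # Vendors install under Program Files or system32; an .exe dropped
            # straight into C:\WINDOWS (swserv.exe here) deserves a look.
            if ntpath.dirname(image).lower() == WINDIR:
                findings.append(Finding("run-key-in-windows-root", line))
        elif m := O23_RE.match(line):
            explained.add(ntpath.basename(image_path(m["cmd"])).lower())
            if "(file missing)" in m["cmd"]:
                findings.append(Finding("service-file-missing", line))
    # Anything running from the Windows directory that neither Windows itself
    # nor a Run/Service entry explains (atmclk.exe and dcomcfg.exe here).
    for proc in running:
        base = ntpath.basename(proc).lower()
        if ntpath.dirname(proc).lower().startswith(WINDIR) and base not in explained:
            findings.append(Finding("windows-process-without-autostart", proc))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:36} {f.line}")
```

Programs the user launched by hand from outside the Windows directory (Internet Explorer, HijackThis itself) are not assessed by the last rule, so it stays quiet on them.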
alcocerpi
3. May 2006 @ 04:51
Hello and thanks,
Here is the contents of smitfraud with the latest HijackThis below it.
I deleted swserv.exe
SmitFraudFix v2.38
Scan done at 8:35:07.81, Wed 05/03/2006
Run from C:\Documents and Settings\Pete\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\twain32.dll FOUND !
C:\WINDOWS\system32\1024\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Pete\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Pete\FAVORI~1
C:\DOCUME~1\Pete\FAVORI~1\Antivirus Test Online.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"
[HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
----------------------------------------------------------------
HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 8:49:02 AM, on 5/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\RDS\svcagnt.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp66F7.tmp
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O23 - Service: Windows Desktop Security (dtsagntsvc) - Unknown owner - C:\Program Files\RDS\svcagnt.exe" /svc (file missing)
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleCSService - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\bin\ocssd.exe
O23 - Service: OracleDBConsoleorcl - Oracle Corporation - D:\oracleDB10g\product\10.1.0\db_1\bin\nmesrvc.exe
O23 - Service: OracleIdenASControl - Oracle Corporation - D:\oracle\iden\bin\nmesrvc.exe
O23 - Service: OracleIdenClientCache - Unknown owner - D:\oracle\iden\BIN\ONRSD.EXE
O23 - Service: OracleIdenProcessManager - Unknown owner - D:\oracle\iden\opmn\bin\opmn.exe
O23 - Service: OracleinfraASControl - Oracle Corporation - d:\oracle\infr\bin\nmesrvc.exe
O23 - Service: OracleinfraClientCache - Unknown owner - d:\oracle\infr\BIN\ONRSD.EXE
O23 - Service: OracleinfraProcessManager - Unknown owner - d:\oracle\infr\opmn\bin\opmn.exe
O23 - Service: OracleinfraTNSListener - Unknown owner - d:\oracle\infr\BIN\TNSLSNR.exe
O23 - Service: Oraclemidtier1ASControl - Oracle Corporation - C:\oracle\midtier1\bin\nmesrvc.exe
O23 - Service: Oraclemidtier1ClientCache - Unknown owner - C:\oracle\midtier1\BIN\ONRSD.EXE
O23 - Service: Oraclemidtier1ProcessManager - Unknown owner - C:\oracle\midtier1\opmn\bin\opmn.exe
O23 - Service: Oraclemidtier2ASControl - Oracle Corporation - C:\oracle\midtier2\bin\nmesrvc.exe
O23 - Service: Oraclemidtier2ProcessManager - Unknown owner - C:\oracle\midtier2\opmn\bin\opmn.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oraClient\bin\omtsreco.exe
O23 - Service: OracleoraClientClientCache - Unknown owner - D:\oraClient\BIN\ONRSD.EXE
O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - D:\oracleDB10g\product\10.1.0\db_1\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\TNSLSNR.exe
O23 - Service: OracleServiceASDB - Oracle Corporation - d:\oracle\infr\bin\ORACLE.EXE
O23 - Service: OracleServiceORCL - Oracle Corporation - d:\oracledb10g\product\10.1.0\db_1\bin\ORACLE.EXE
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
Senior Member
3. May 2006 @ 05:34
Hi alcocerpi. Have you installed this Desktop Scout to your computer (keylogger and screenshot software)?
Cleaning Instructions:
Restart your computer to the safemode and choose your normal user account -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
When in safemode, open SmitfraudFix folder and doubleclick the file smitfraudfix.cmd
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.
You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.
The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".
The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
A textfile will appear after the cleaning process, copy this file and paste it to here.
The log is saved to your local disk drive, usually C:\rapport.txt.
Warning : Running option 2 in a clean computer will delete your desktop wallpaper.
Scan and clean your computer with Ewido and save the log file.
The following logs to here:
-> a fresh HijackThis log
-> Ewido's log
-> contents of C:\rapport.txt
alcocerpi
3. May 2006 @ 05:45
Are you asking me whether I installed a Desktop Scout (keylogger and screenshot software) on my computer? Or telling me that I need to install one? If so, which one do I need to install?
Thanks
Senior Member
3. May 2006 @ 05:59
I mean, have you installed that on purpose, or has it been installed by someone else? (If you haven't installed it, we'll remove it, because the one who installed it is monitoring your PC.)
alcocerpi
3. May 2006 @ 06:02
I don't recall installing one so I would appreciate your help in removing it. I just ran smitfraudfix and deleted the infected files and registry entries. I'm currently running the scan for Ewido. I'll post as soon as I'm done.
What software do you recommend actually buying after the free trials are over?
Thanks again
Senior Member
3. May 2006 @ 06:48
Ok, it should be removed then.
Open Notepad
-> copy the following lines into a new document:
@echo off
sc stop dtsagntsvc
sc delete dtsagntsvc
Save the document to your desktop as Removal.bat and filetype: All Files
Go to your desktop and run the file Removal.bat and answer yes to any questions.
Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
Restart your computer to the safe mode.
Delete this folder:
C:\Program Files\RDS
Restart your computer normally.
Post a new HijackThis log and that Ewido log when you're ready.
You should also change all your online passwords (banking, shopping)
What trial software do you mean ?
alcocerpi
3. May 2006 @ 18:40
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:27:06 PM, 5/3/2006
+ Report-Checksum: 34101016
+ Scan result:
HKLM\SOFTWARE\GlobalPatrol -> Adware.DesktopScout : Cleaned with backup
HKLM\SOFTWARE\GlobalPatrol\Desktop Scout 3 -> Adware.DesktopScout : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\Schedule Options -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\Settings -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\Toolbars state -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\Toolbars state\-Summary -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGCommandManager -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGControlBarVersion -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGKeyboard-0 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-1 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-157 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-158 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-159 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-220 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-277 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-59392 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-59393 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-593980 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-5939881 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-1 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-157 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-158 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-159 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-220 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-277 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-59392 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-59393 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-593980 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-5939881 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPDockManager-128 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPTasksPane-159 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGToolBar-1 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGToolBar-220 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGToolBar-277 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGToolBar-59392 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGToolBar-593980 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGToolBar-5939881 -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGToolbarParameters -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\ControlBars-Summary -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\WindowPlacement -> Adware.ActivityMonitor : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\GlobalPatrol -> Adware.DesktopScout : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\GlobalPatrol\Desktop Scout 3 -> Adware.DesktopScout : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\GlobalPatrol\Desktop Scout 3\Agents -> Adware.DesktopScout : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\GlobalPatrol\Desktop Scout 3\Agents\0000 -> Adware.DesktopScout : Cleaned with backup
HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\GlobalPatrol\Remote Desktop Spy 3 -> Adware.DesktopScout : Cleaned with backup
C:\Documents and Settings\Pete\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-7e4442f4-65861d66.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
C:\Documents and Settings\Pete\Cookies\pete@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Pete\Local Settings\Temp\Cookies\pete@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Pete\Local Settings\Temp\Cookies\pete@extraspace.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Pete\Local Settings\Temp\Cookies\pete@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Pete\Local Settings\Temp\Temporary Internet Files\Content.IE5\YFQ36ZG3\installer_VENDARE[1].cab/installer_VENDARE.exe -> Downloader.Adload.a : Cleaned with backup
C:\Documents and Settings\Pete\My Documents\Applications\Games\Risk II\RiskIISetup-dm.exe -> Adware.Trymedia : Cleaned with backup
C:\Documents and Settings\Pete\Shared\Sony ACID Pro 6.0 Build 214 (2006 Final).exe -> Dropper.VB.lu : Cleaned with backup
C:\Program Files\RDS\dtsview.exe -> Not-A-Virus.Monitor.Win32.DeskScout.30 : Cleaned with backup
C:\Program Files\winupdates\a.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
::Report End
--------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:29:32 PM, on 5/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe
C:\Program Files\FSI\F-Prot\F-StopW.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O23 - Service: Windows Desktop Security (dtsagntsvc) - Unknown owner - C:\Program Files\RDS\svcagnt.exe" /svc (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleCSService - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\bin\ocssd.exe
O23 - Service: OracleDBConsoleorcl - Oracle Corporation - D:\oracleDB10g\product\10.1.0\db_1\bin\nmesrvc.exe
O23 - Service: OracleIdenASControl - Oracle Corporation - D:\oracle\iden\bin\nmesrvc.exe
O23 - Service: OracleIdenClientCache - Unknown owner - D:\oracle\iden\BIN\ONRSD.EXE
O23 - Service: OracleIdenProcessManager - Unknown owner - D:\oracle\iden\opmn\bin\opmn.exe
O23 - Service: OracleinfraASControl - Oracle Corporation - d:\oracle\infr\bin\nmesrvc.exe
O23 - Service: OracleinfraClientCache - Unknown owner - d:\oracle\infr\BIN\ONRSD.EXE
O23 - Service: OracleinfraProcessManager - Unknown owner - d:\oracle\infr\opmn\bin\opmn.exe
O23 - Service: OracleinfraTNSListener - Unknown owner - d:\oracle\infr\BIN\TNSLSNR.exe
O23 - Service: Oraclemidtier1ASControl - Oracle Corporation - C:\oracle\midtier1\bin\nmesrvc.exe
O23 - Service: Oraclemidtier1ClientCache - Unknown owner - C:\oracle\midtier1\BIN\ONRSD.EXE
O23 - Service: Oraclemidtier1ProcessManager - Unknown owner - C:\oracle\midtier1\opmn\bin\opmn.exe
O23 - Service: Oraclemidtier2ASControl - Oracle Corporation - C:\oracle\midtier2\bin\nmesrvc.exe
O23 - Service: Oraclemidtier2ProcessManager - Unknown owner - C:\oracle\midtier2\opmn\bin\opmn.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oraClient\bin\omtsreco.exe
O23 - Service: OracleoraClientClientCache - Unknown owner - D:\oraClient\BIN\ONRSD.EXE
O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - D:\oracleDB10g\product\10.1.0\db_1\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\TNSLSNR.exe
O23 - Service: OracleServiceASDB - Oracle Corporation - d:\oracle\infr\bin\ORACLE.EXE
O23 - Service: OracleServiceORCL - Oracle Corporation - d:\oracledb10g\product\10.1.0\db_1\bin\ORACLE.EXE
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
--------------------------------------------------------------
SmitFraudFix v2.38
Scan done at 9:52:56.06, Wed 05/03/2006
Run from C:\Documents and Settings\Pete\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\twain32.dll Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\Pete\FAVORI~1\Antivirus Test Online.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» End
Senior Member
4. May 2006 @ 03:31
Ok, looking quite good...
Open Notepad
-> copy the following lines into a new document:
@echo off
sc stop dtsagntsvc
sc delete dtsagntsvc
Save the document to your desktop as Removal.bat and filetype: All Files
Go to your desktop and run the file Removal.bat and answer yes to any questions.
Make your hidden files visible and delete the following folders if found:
C:\Documents and Settings\Pete\My Documents\Applications\Games\Risk II
C:\Program Files\RDS
C:\Program Files\winupdates
C:\WINDOWS\Downloaded Program Files\CONFLICT.1
Post a new HijackThis log.
And I'll suggest that you change all your passwords because you had those keyloggers on your computer. (Someone has been monitoring your pc usage)
I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
This message has been edited since posting. Last time this message was edited on 4. May 2006 @ 03:32
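A more defensive version of the Removal.bat above, added here as an example and not the helper's own script: it first checks whether the dtsagntsvc service is still installed before calling sc (the "[SC] OpenService FAILED 1060" message reported in the next reply simply means the service was already gone), and it removes only those of the listed folders that actually exist, reporting the ones it cannot find. Service name and folder paths are the ones given in the post; the ping loop is a stand-in for a wait, since timeout.exe is not available on Windows XP.

```batch
@echo off
rem Added example cleanup script (not the original Removal.bat from the post).
rem Stops and deletes the dtsagntsvc service only if it is still installed,
rem then removes the leftover folders listed in the thread if they exist.
setlocal

set SVC=dtsagntsvc

rem sc query returns exit code 1060 (ERROR_SERVICE_DOES_NOT_EXIST)
rem when the service is not installed, so skip stop/delete in that case.
sc query %SVC% >nul 2>&1
if %errorlevel% equ 1060 (
    echo Service %SVC% is not installed - nothing to remove.
) else (
    echo Stopping service %SVC% ...
    sc stop %SVC% >nul 2>&1
    rem Short delay so the service control manager can finish stopping it.
    ping -n 6 127.0.0.1 >nul
    echo Deleting service %SVC% ...
    sc delete %SVC%
)

rem Leftover folders named in the post. Hidden/system/read-only attributes
rem are cleared first so that rd can remove everything inside them.
for %%D in (
    "C:\Documents and Settings\Pete\My Documents\Applications\Games\Risk II"
    "C:\Program Files\RDS"
    "C:\Program Files\winupdates"
    "C:\WINDOWS\Downloaded Program Files\CONFLICT.1"
) do (
    if exist "%%~D\" (
        echo Removing folder: %%~D
        attrib -h -s -r "%%~D\*" /s /d >nul 2>&1
        rd /s /q "%%~D"
    ) else (
        echo Not found, skipping: %%~D
    )
)

endlocal
pause
```

Run it from an administrator account; a "Not found, skipping" line for CONFLICT.1 is expected when the earlier cleanup already removed that folder.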
alcocerpi
Suspended due to non-functional email address
4. May 2006 @ 05:11
I couldn't find or see "C:\WINDOWS\Downloaded Program Files\CONFLICT.1".
Also, when I tried to run the removal.bat, I got this error:
"[SC] OpenService FAILED 1060
The specified service does not exist as an installed service"
Here is the latest HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 9:07:47 AM, on 5/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleCSService - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\bin\ocssd.exe
O23 - Service: OracleDBConsoleorcl - Oracle Corporation - D:\oracleDB10g\product\10.1.0\db_1\bin\nmesrvc.exe
O23 - Service: OracleIdenASControl - Oracle Corporation - D:\oracle\iden\bin\nmesrvc.exe
O23 - Service: OracleIdenClientCache - Unknown owner - D:\oracle\iden\BIN\ONRSD.EXE
O23 - Service: OracleIdenProcessManager - Unknown owner - D:\oracle\iden\opmn\bin\opmn.exe
O23 - Service: OracleinfraASControl - Oracle Corporation - d:\oracle\infr\bin\nmesrvc.exe
O23 - Service: OracleinfraClientCache - Unknown owner - d:\oracle\infr\BIN\ONRSD.EXE
O23 - Service: OracleinfraProcessManager - Unknown owner - d:\oracle\infr\opmn\bin\opmn.exe
O23 - Service: OracleinfraTNSListener - Unknown owner - d:\oracle\infr\BIN\TNSLSNR.exe
O23 - Service: Oraclemidtier1ASControl - Oracle Corporation - C:\oracle\midtier1\bin\nmesrvc.exe
O23 - Service: Oraclemidtier1ClientCache - Unknown owner - C:\oracle\midtier1\BIN\ONRSD.EXE
O23 - Service: Oraclemidtier1ProcessManager - Unknown owner - C:\oracle\midtier1\opmn\bin\opmn.exe
O23 - Service: Oraclemidtier2ASControl - Oracle Corporation - C:\oracle\midtier2\bin\nmesrvc.exe
O23 - Service: Oraclemidtier2ProcessManager - Unknown owner - C:\oracle\midtier2\opmn\bin\opmn.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oraClient\bin\omtsreco.exe
O23 - Service: OracleoraClientClientCache - Unknown owner - D:\oraClient\BIN\ONRSD.EXE
O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - D:\oracleDB10g\product\10.1.0\db_1\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\TNSLSNR.exe
O23 - Service: OracleServiceASDB - Oracle Corporation - d:\oracle\infr\bin\ORACLE.EXE
O23 - Service: OracleServiceORCL - Oracle Corporation - d:\oracledb10g\product\10.1.0\db_1\bin\ORACLE.EXE
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
Senior Member
4. May 2006 @ 09:30
Hi alcocerpi, you're clean now =)
alcocerpi
Suspended due to non-functional email address
4. May 2006 @ 09:32
Awesome, thanks! Now I just gotta clean my gf's computer. I'm leaving mine off the network until hers is done.
Senior Member
4. May 2006 @ 09:46
You're welcome :)