
Help Here is my log

Discussion in 'Windows - Virus and spyware problems' started by alcocerpi, May 2, 2006.

  1. alcocerpi

    alcocerpi Guest

    I'm getting the same http://www.theguardservices.com/ and blinking lights at the bottom right. Here is my log.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:50:25 PM, on 5/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\atmclk.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\SM1BG.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\swserv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\FSI\F-Prot\F-Sched.exe
    C:\Program Files\RDS\svcagnt.exe
    C:\Program Files\FSI\F-Prot\F-StopW.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\FSI\F-Prot\fpavupdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dcomcfg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Pete\My Documents\Get Rid of Virus\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts:
    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpC8F0.tmp
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WinStartup] C:\WINDOWS\swserv.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
    O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - http://mediaplayer.walmart.com/installer/install.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O23 - Service: Windows Desktop Security (dtsagntsvc) - Unknown owner - C:\Program Files\RDS\svcagnt.exe" /svc (file missing)
    O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OracleCSService - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\bin\ocssd.exe
    O23 - Service: OracleDBConsoleorcl - Oracle Corporation - D:\oracleDB10g\product\10.1.0\db_1\bin\nmesrvc.exe
    O23 - Service: OracleIdenASControl - Oracle Corporation - D:\oracle\iden\bin\nmesrvc.exe
    O23 - Service: OracleIdenClientCache - Unknown owner - D:\oracle\iden\BIN\ONRSD.EXE
    O23 - Service: OracleIdenProcessManager - Unknown owner - D:\oracle\iden\opmn\bin\opmn.exe
    O23 - Service: OracleinfraASControl - Oracle Corporation - d:\oracle\infr\bin\nmesrvc.exe
    O23 - Service: OracleinfraClientCache - Unknown owner - d:\oracle\infr\BIN\ONRSD.EXE
    O23 - Service: OracleinfraProcessManager - Unknown owner - d:\oracle\infr\opmn\bin\opmn.exe
    O23 - Service: OracleinfraTNSListener - Unknown owner - d:\oracle\infr\BIN\TNSLSNR.exe
    O23 - Service: Oraclemidtier1ASControl - Oracle Corporation - C:\oracle\midtier1\bin\nmesrvc.exe
    O23 - Service: Oraclemidtier1ClientCache - Unknown owner - C:\oracle\midtier1\BIN\ONRSD.EXE
    O23 - Service: Oraclemidtier1ProcessManager - Unknown owner - C:\oracle\midtier1\opmn\bin\opmn.exe
    O23 - Service: Oraclemidtier2ASControl - Oracle Corporation - C:\oracle\midtier2\bin\nmesrvc.exe
    O23 - Service: Oraclemidtier2ProcessManager - Unknown owner - C:\oracle\midtier2\opmn\bin\opmn.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oraClient\bin\omtsreco.exe
    O23 - Service: OracleoraClientClientCache - Unknown owner - D:\oraClient\BIN\ONRSD.EXE
    O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - D:\oracleDB10g\product\10.1.0\db_1\bin\isqlplussvc.exe
    O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\ENCSVC.EXE
    O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\AGNTSVC.EXE
    O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\TNSLSNR.exe
    O23 - Service: OracleServiceASDB - Oracle Corporation - d:\oracle\infr\bin\ORACLE.EXE
    O23 - Service: OracleServiceORCL - Oracle Corporation - d:\oracledb10g\product\10.1.0\db_1\bin\ORACLE.EXE
     
  2. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Hi alcocerpi.

    You don't have a firewall on your computer. Download and install a firewall.

    These are good (free) firewalls:
    ZoneAlarm --> http://www.zonelabs.com
    Kerio --> http://www.sunbelt-software.com/Kerio.cfm
    Outpost --> http://www.agnitum.com

    Ok, you got some infections....

    Have you installed this Desktop Scout keylogger and screenshot software?

    Cleaning instructions:

    Move HijackThis into its own folder C:\HJT

    Download and install Ewido, UPDATE it, but do NOT run a scan yet. -> http://www.ewido.net/en/download/
    We'll use this later.

    Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Unzip it (folder named SmitFraudFix) to your desktop:

    Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd
    Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist).

    Post the contents of this textfile to here.

    (Some antivirus programs recognise process.exe as malware. It is not malware; it is a program that stops processes.)

    Fix the following entries with HijackThis (run HijackThis, press "Do a system scan only", close all other windows, check the entries and press "Fix checked"):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/...
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/...
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/...
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts:
    O4 - HKLM\..\Run: [WinStartup] C:\WINDOWS\swserv.exe


    Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
    Restart your computer in safe mode -> http://www.pchell.com/support/safemode.shtml

    Delete this file (if found):
    C:\WINDOWS\swserv.exe

    Empty the Recycle Bin

    Restart your computer normally.

    Post a fresh HijackThis log and the contents of the SmitfraudFix log here and we'll continue.
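As an added example (not from this thread, and not HijackThis's or SmitfraudFix's own code), here is a small Python triage script that applies the checks a helper makes by eye on a HijackThis log like the one above: an R0/R1 entry with an empty value, the empty O1 Hosts entry, a BHO loaded from a .tmp file, a Run entry launching an executable from the Windows root folder, and an O23 service with no publisher and a "(file missing)" flag. The sample log lines are constructed from entries quoted in this thread; the regular expressions and finding labels are assumptions of this example.

```python
import re

# Constructed sample: a handful of HijackThis 1.99.1-style lines modelled on the
# entries in this thread (not the complete log). Raw string, so the backslashes
# in the Windows paths are literal.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts:
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpC8F0.tmp
O4 - HKLM\..\Run: [WinStartup] C:\WINDOWS\swserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O23 - Service: Windows Desktop Security (dtsagntsvc) - Unknown owner - C:\Program Files\RDS\svcagnt.exe" /svc (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis finding starts with a section code (R0, R1, O2, O4, O23, ...).
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in .exe inside a Run command line
# (handles unquoted paths containing spaces, which str.split() would break).
EXE_RE = re.compile(r"[A-Za-z]:\\.*?\.exe", re.IGNORECASE)
# Executable sitting directly in the Windows folder rather than in a subfolder.
WINDIR_ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<image>.*)$")


def parse_entries(log_text):
    """Yield (kind, body, original_line) for each HijackThis finding line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def triage(log_text):
    """Return a list of {'kind', 'reason', 'line'} dicts for entries worth a closer look.

    These are review heuristics, not verdicts: a hit means "inspect this",
    not "malicious".
    """
    findings = []
    for kind, body, line in parse_entries(log_text):
        reason = None
        if kind in ("R0", "R1"):
            # "Main,Local Page =" with nothing after it: a setting wiped by a hijacker.
            _, _, value = body.partition("=")
            if not value.strip():
                reason = "IE setting with empty value (hijack residue)"
        elif kind == "O1" and body.strip() == "Hosts:":
            reason = "Hosts entry with no content (Hosts file damaged or empty)"
        elif kind == "O2":
            parts = body.split(" - ")
            if parts[0] == "BHO: Nothing" or parts[-1].lower().endswith(".tmp"):
                reason = "unnamed BHO loaded from a .tmp file"
        elif kind == "O4":
            cmd = body.split("] ", 1)[-1]
            exe = EXE_RE.search(cmd)
            if exe and WINDIR_ROOT_EXE_RE.match(exe.group(0)):
                reason = "Run entry launching an executable from the Windows root folder"
        elif kind == "O23":
            m = SERVICE_RE.match(body)
            if m:
                problems = []
                if m.group("owner") == "Unknown owner":
                    problems.append("no publisher")
                if "(file missing)" in m.group("image"):
                    problems.append("file missing")
                # An unbalanced quote in the image path is a HijackThis 1.99.1
                # display quirk: the binary may still exist (svcagnt.exe is in the
                # running-process list above), so verify on disk before trusting
                # "file missing".
                if m.group("image").count('"') % 2 == 1:
                    problems.append("unbalanced quote in image path")
                if problems:
                    reason = "service needs review: " + ", ".join(problems)
        if reason:
            findings.append({"kind": kind, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:>4}  {f['reason']}\n      {f['line']}")
```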
     
  3. alcocerpi

    alcocerpi Guest

    Hello and thanks,

    Here are the contents of the SmitfraudFix log, with the latest HijackThis log below it.
    I deleted swserv.exe.

    SmitFraudFix v2.38

    Scan done at 8:35:07.81, Wed 05/03/2006
    Run from C:\Documents and Settings\Pete\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\atmclk.exe FOUND !
    C:\WINDOWS\system32\dcomcfg.exe FOUND !
    C:\WINDOWS\system32\hp????.tmp FOUND !
    C:\WINDOWS\system32\ld????.tmp FOUND !
    C:\WINDOWS\system32\ot.ico FOUND !
    C:\WINDOWS\system32\simpole.tlb FOUND !
    C:\WINDOWS\system32\stdole3.tlb FOUND !
    C:\WINDOWS\system32\twain32.dll FOUND !
    C:\WINDOWS\system32\1024\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Pete\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Pete\FAVORI~1

    C:\DOCUME~1\Pete\FAVORI~1\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"

    [HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
    @="C:\WINDOWS\system32\twain32.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
    @="C:\WINDOWS\system32\twain32.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    ----------------------------------------------------------------

    HijackThis


    Logfile of HijackThis v1.99.1
    Scan saved at 8:49:02 AM, on 5/3/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\atmclk.exe
    C:\WINDOWS\system32\dcomcfg.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\SM1BG.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\FSI\F-Prot\F-Sched.exe
    C:\Program Files\FSI\F-Prot\F-StopW.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\RDS\svcagnt.exe
    C:\Program Files\FSI\F-Prot\fpavupdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp66F7.tmp
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
    O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
    O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
    O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
    O23 - Service: Windows Desktop Security (dtsagntsvc) - Unknown owner - C:\Program Files\RDS\svcagnt.exe" /svc (file missing)
    O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OracleCSService - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\bin\ocssd.exe
    O23 - Service: OracleDBConsoleorcl - Oracle Corporation - D:\oracleDB10g\product\10.1.0\db_1\bin\nmesrvc.exe
    O23 - Service: OracleIdenASControl - Oracle Corporation - D:\oracle\iden\bin\nmesrvc.exe
    O23 - Service: OracleIdenClientCache - Unknown owner - D:\oracle\iden\BIN\ONRSD.EXE
    O23 - Service: OracleIdenProcessManager - Unknown owner - D:\oracle\iden\opmn\bin\opmn.exe
    O23 - Service: OracleinfraASControl - Oracle Corporation - d:\oracle\infr\bin\nmesrvc.exe
    O23 - Service: OracleinfraClientCache - Unknown owner - d:\oracle\infr\BIN\ONRSD.EXE
    O23 - Service: OracleinfraProcessManager - Unknown owner - d:\oracle\infr\opmn\bin\opmn.exe
    O23 - Service: OracleinfraTNSListener - Unknown owner - d:\oracle\infr\BIN\TNSLSNR.exe
    O23 - Service: Oraclemidtier1ASControl - Oracle Corporation - C:\oracle\midtier1\bin\nmesrvc.exe
    O23 - Service: Oraclemidtier1ClientCache - Unknown owner - C:\oracle\midtier1\BIN\ONRSD.EXE
    O23 - Service: Oraclemidtier1ProcessManager - Unknown owner - C:\oracle\midtier1\opmn\bin\opmn.exe
    O23 - Service: Oraclemidtier2ASControl - Oracle Corporation - C:\oracle\midtier2\bin\nmesrvc.exe
    O23 - Service: Oraclemidtier2ProcessManager - Unknown owner - C:\oracle\midtier2\opmn\bin\opmn.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oraClient\bin\omtsreco.exe
    O23 - Service: OracleoraClientClientCache - Unknown owner - D:\oraClient\BIN\ONRSD.EXE
    O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - D:\oracleDB10g\product\10.1.0\db_1\bin\isqlplussvc.exe
    O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\ENCSVC.EXE
    O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\AGNTSVC.EXE
    O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\TNSLSNR.exe
    O23 - Service: OracleServiceASDB - Oracle Corporation - d:\oracle\infr\bin\ORACLE.EXE
    O23 - Service: OracleServiceORCL - Oracle Corporation - d:\oracledb10g\product\10.1.0\db_1\bin\ORACLE.EXE
    O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe


     
  4. JaPK

    JaPK Regular member

    Hi alcocerpi. Have you installed this Desktop Scout on your computer (keylogger and screenshot software)?

    Cleaning Instructions:

    Restart your computer in safe mode and choose your normal user account -> http://www.bleepingcomputer.com/tutorials/tutorial62.html

    When in safe mode, open the SmitfraudFix folder and double-click the file smitfraudfix.cmd.
    Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

    You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" in order to remove your desktop wallpaper and the infected registry keys.

    The tool checks whether the wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and pressing "Enter".

    The tool might have to restart your computer; if it doesn't do so, restart your computer back to normal mode.
    A text file will appear after the cleaning process; copy this file and paste it here.
    The log is saved on your local disk drive, usually as C:\rapport.txt.

    Warning: Running option 2 on a clean computer will delete your desktop wallpaper.

    Scan and clean your computer with Ewido and save the log file.

    Post the following logs here:
    -> a fresh HijackThis log
    -> Ewido's log
    -> contents of C:\rapport.txt
     
  5. alcocerpi

    alcocerpi Guest

    Are you asking me whether I installed a Desktop Scout (keylogger and screenshot software) on my computer? Or telling me that I need to install one? If so, which one do I need to install?

    Thanks
     
  6. JaPK

    JaPK Regular member

    I mean, have you installed it on purpose, or has it been installed by someone else? (If you haven't installed it, we'll remove it, because whoever installed it is monitoring your PC.)
     
  7. alcocerpi

    alcocerpi Guest

    I don't recall installing one so I would appreciate your help in removing it. I just ran smitfraudfix and deleted the infected files and registry entries. I'm currently running the scan for Ewido. I'll post as soon as I'm done.

    What software do you recommend actually buying after the free trials are over?

    Thanks again
     
  8. JaPK

    JaPK Regular member

    OK, it should be removed then.

    Open Notepad
    -> copy the following lines into a new document:

    @echo off
    sc stop dtsagntsvc
    sc delete dtsagntsvc

    Save the document to your desktop as Removal.bat with file type: All Files.
    Go to your desktop and run the file Removal.bat and answer yes to any questions.

    Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
    Restart your computer to the safe mode.

    Delete this folder:
    C:\Program Files\RDS

    Restart your computer normally.

    Post a new HijackThis log and that Ewido log when you're ready.

    You should also change all your online passwords (banking, shopping)

    What trial software do you mean?
     
  9. alcocerpi

    alcocerpi Guest

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 10:27:06 PM, 5/3/2006
    + Report-Checksum: 34101016

    + Scan result:

    HKLM\SOFTWARE\GlobalPatrol -> Adware.DesktopScout : Cleaned with backup
    HKLM\SOFTWARE\GlobalPatrol\Desktop Scout 3 -> Adware.DesktopScout : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\Schedule Options -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\Settings -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\Toolbars state -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\Toolbars state\-Summary -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGCommandManager -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGControlBarVersion -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGKeyboard-0 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-1 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-157 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-158 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-159 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-220 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-277 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-59392 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-59393 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-593980 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPBaseControlBar-5939881 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-1 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-157 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-158 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-159 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-220 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-277 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-59392 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-59393 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-593980 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPControlBar-5939881 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPDockManager-128 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGPTasksPane-159 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGToolBar-1 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGToolBar-220 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGToolBar-277 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGToolBar-59392 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGToolBar-593980 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGToolBar-5939881 -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\BCGToolbarParameters -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\ControlBars-Summary -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\Deep Software\Activity Monitor\UISettings37\WindowPlacement -> Adware.ActivityMonitor : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\GlobalPatrol -> Adware.DesktopScout : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\GlobalPatrol\Desktop Scout 3 -> Adware.DesktopScout : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\GlobalPatrol\Desktop Scout 3\Agents -> Adware.DesktopScout : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\GlobalPatrol\Desktop Scout 3\Agents\0000 -> Adware.DesktopScout : Cleaned with backup
    HKU\S-1-5-21-842925246-1637723038-682003330-1004\Software\GlobalPatrol\Remote Desktop Spy 3 -> Adware.DesktopScout : Cleaned with backup
    C:\Documents and Settings\Pete\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-7e4442f4-65861d66.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
    C:\Documents and Settings\Pete\Cookies\pete@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\Pete\Local Settings\Temp\Cookies\pete@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Pete\Local Settings\Temp\Cookies\pete@extraspace.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Pete\Local Settings\Temp\Cookies\pete@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
    C:\Documents and Settings\Pete\Local Settings\Temp\Temporary Internet Files\Content.IE5\YFQ36ZG3\installer_VENDARE[1].cab/installer_VENDARE.exe -> Downloader.Adload.a : Cleaned with backup
    C:\Documents and Settings\Pete\My Documents\Applications\Games\Risk II\RiskIISetup-dm.exe -> Adware.Trymedia : Cleaned with backup
    C:\Documents and Settings\Pete\Shared\Sony ACID Pro 6.0 Build 214 (2006 Final).exe -> Dropper.VB.lu : Cleaned with backup
    C:\Program Files\RDS\dtsview.exe -> Not-A-Virus.Monitor.Win32.DeskScout.30 : Cleaned with backup
    C:\Program Files\winupdates\a.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup


    ::Report End

    --------------------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 10:29:32 PM, on 5/3/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\SM1BG.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\FSI\F-Prot\F-Sched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\FSI\F-Prot\fpavupdm.exe
    C:\Program Files\ewido anti-malware\SecuritySuite.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\HJT\HijackThis.exe
    C:\Program Files\FSI\F-Prot\F-StopW.exe

    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
    O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
    O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
    O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
    O23 - Service: Windows Desktop Security (dtsagntsvc) - Unknown owner - C:\Program Files\RDS\svcagnt.exe" /svc (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OracleCSService - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\bin\ocssd.exe
    O23 - Service: OracleDBConsoleorcl - Oracle Corporation - D:\oracleDB10g\product\10.1.0\db_1\bin\nmesrvc.exe
    O23 - Service: OracleIdenASControl - Oracle Corporation - D:\oracle\iden\bin\nmesrvc.exe
    O23 - Service: OracleIdenClientCache - Unknown owner - D:\oracle\iden\BIN\ONRSD.EXE
    O23 - Service: OracleIdenProcessManager - Unknown owner - D:\oracle\iden\opmn\bin\opmn.exe
    O23 - Service: OracleinfraASControl - Oracle Corporation - d:\oracle\infr\bin\nmesrvc.exe
    O23 - Service: OracleinfraClientCache - Unknown owner - d:\oracle\infr\BIN\ONRSD.EXE
    O23 - Service: OracleinfraProcessManager - Unknown owner - d:\oracle\infr\opmn\bin\opmn.exe
    O23 - Service: OracleinfraTNSListener - Unknown owner - d:\oracle\infr\BIN\TNSLSNR.exe
    O23 - Service: Oraclemidtier1ASControl - Oracle Corporation - C:\oracle\midtier1\bin\nmesrvc.exe
    O23 - Service: Oraclemidtier1ClientCache - Unknown owner - C:\oracle\midtier1\BIN\ONRSD.EXE
    O23 - Service: Oraclemidtier1ProcessManager - Unknown owner - C:\oracle\midtier1\opmn\bin\opmn.exe
    O23 - Service: Oraclemidtier2ASControl - Oracle Corporation - C:\oracle\midtier2\bin\nmesrvc.exe
    O23 - Service: Oraclemidtier2ProcessManager - Unknown owner - C:\oracle\midtier2\opmn\bin\opmn.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oraClient\bin\omtsreco.exe
    O23 - Service: OracleoraClientClientCache - Unknown owner - D:\oraClient\BIN\ONRSD.EXE
    O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - D:\oracleDB10g\product\10.1.0\db_1\bin\isqlplussvc.exe
    O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\ENCSVC.EXE
    O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\AGNTSVC.EXE
    O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\TNSLSNR.exe
    O23 - Service: OracleServiceASDB - Oracle Corporation - d:\oracle\infr\bin\ORACLE.EXE
    O23 - Service: OracleServiceORCL - Oracle Corporation - d:\oracledb10g\product\10.1.0\db_1\bin\ORACLE.EXE
    O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

    --------------------------------------------------------------

    SmitFraudFix v2.38

    Scan done at 9:52:56.06, Wed 05/03/2006
    Run from C:\Documents and Settings\Pete\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\atmclk.exe Deleted
    C:\WINDOWS\system32\dcomcfg.exe Deleted
    C:\WINDOWS\system32\hp????.tmp Deleted
    C:\WINDOWS\system32\ld????.tmp Deleted
    C:\WINDOWS\system32\ot.ico Deleted
    C:\WINDOWS\system32\simpole.tlb Deleted
    C:\WINDOWS\system32\stdole3.tlb Deleted
    C:\WINDOWS\system32\twain32.dll Deleted
    C:\WINDOWS\system32\1024\ Deleted
    C:\DOCUME~1\Pete\FAVORI~1\Antivirus Test Online.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» End

     
  10. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Ok, looking quite good...

    Open Notepad
    -> copy the following lines into a new document:

    @echo off
    sc stop dtsagntsvc
    sc delete dtsagntsvc

    Save the document to your desktop as Removal.bat and filetype: All Files
    Go to your desktop and run the file Removal.bat and answer yes to any questions.

    Make your hidden files visible and delete the following folders if found:

    C:\Documents and Settings\Pete\My Documents\Applications\Games\Risk II
    C:\Program Files\RDS
    C:\Program Files\winupdates
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1

    Post a new HijackThis log.

    And I'll suggest that you change all your passwords because you had those keyloggers on your computer. (Someone has been monitoring your PC usage)
     
    Last edited: May 4, 2006
  11. alcocerpi

    alcocerpi Guest

    I couldn't find or see "C:\WINDOWS\Downloaded Program Files\CONFLICT.1"

    Also, when I tried to run the removal.bat, I got this error:

    "[SC] OpenService FAILED 1060

    The specified service does not exist as an installed service"

    Here is the latest HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:07:47 AM, on 5/4/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\SM1BG.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\FSI\F-Prot\F-Sched.exe
    C:\Program Files\FSI\F-Prot\F-StopW.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\FSI\F-Prot\fpavupdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
    O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
    O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
    O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OracleCSService - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\bin\ocssd.exe
    O23 - Service: OracleDBConsoleorcl - Oracle Corporation - D:\oracleDB10g\product\10.1.0\db_1\bin\nmesrvc.exe
    O23 - Service: OracleIdenASControl - Oracle Corporation - D:\oracle\iden\bin\nmesrvc.exe
    O23 - Service: OracleIdenClientCache - Unknown owner - D:\oracle\iden\BIN\ONRSD.EXE
    O23 - Service: OracleIdenProcessManager - Unknown owner - D:\oracle\iden\opmn\bin\opmn.exe
    O23 - Service: OracleinfraASControl - Oracle Corporation - d:\oracle\infr\bin\nmesrvc.exe
    O23 - Service: OracleinfraClientCache - Unknown owner - d:\oracle\infr\BIN\ONRSD.EXE
    O23 - Service: OracleinfraProcessManager - Unknown owner - d:\oracle\infr\opmn\bin\opmn.exe
    O23 - Service: OracleinfraTNSListener - Unknown owner - d:\oracle\infr\BIN\TNSLSNR.exe
    O23 - Service: Oraclemidtier1ASControl - Oracle Corporation - C:\oracle\midtier1\bin\nmesrvc.exe
    O23 - Service: Oraclemidtier1ClientCache - Unknown owner - C:\oracle\midtier1\BIN\ONRSD.EXE
    O23 - Service: Oraclemidtier1ProcessManager - Unknown owner - C:\oracle\midtier1\opmn\bin\opmn.exe
    O23 - Service: Oraclemidtier2ASControl - Oracle Corporation - C:\oracle\midtier2\bin\nmesrvc.exe
    O23 - Service: Oraclemidtier2ProcessManager - Unknown owner - C:\oracle\midtier2\opmn\bin\opmn.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oraClient\bin\omtsreco.exe
    O23 - Service: OracleoraClientClientCache - Unknown owner - D:\oraClient\BIN\ONRSD.EXE
    O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - D:\oracleDB10g\product\10.1.0\db_1\bin\isqlplussvc.exe
    O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\ENCSVC.EXE
    O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\AGNTSVC.EXE
    O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - D:\oracleDB10g\product\10.1.0\db_1\BIN\TNSLSNR.exe
    O23 - Service: OracleServiceASDB - Oracle Corporation - d:\oracle\infr\bin\ORACLE.EXE
    O23 - Service: OracleServiceORCL - Oracle Corporation - d:\oracledb10g\product\10.1.0\db_1\bin\ORACLE.EXE
    O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
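Added example, not code from this thread or from HijackThis: a small Python parser for the O23 service lines in the logs above. It separates display name, short name, owner and image path (repairing the stray closing quote HijackThis leaves on quoted ImagePath values), flags entries whose binary is missing or whose owner is unknown, and diffs two logs, which shows that the dtsagntsvc entry is gone from the follow-up log, consistent with the 1060 "service does not exist" error reported above. The sample lines are constructed from the posted logs; names such as `Service` and `removed_services` are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: O23 lines copied from the two HijackThis logs posted in this
# thread. In the follow-up log the dtsagntsvc entry is no longer present.
LOG_BEFORE = r"""
O23 - Service: Windows Desktop Security (dtsagntsvc) - Unknown owner - C:\Program Files\RDS\svcagnt.exe" /svc (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
"""
LOG_AFTER = r"""
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
"""

# O23 layout: "O23 - Service: <display> [(<short name>)] - <owner> - <image path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# HijackThis appends the service's short name in parentheses only when it differs
# from the display name; the display name itself may contain parentheses.
SHORT_RE = re.compile(r"^(?P<display>.+?) \((?P<short>[^()]+)\)$")


@dataclass
class Service:
    display: str
    short: str
    owner: str
    image: str          # executable path, without the stray quote and arguments
    args: str
    file_missing: bool

    def findings(self):
        """Reasons a reviewer would look twice at this entry."""
        out = []
        if self.file_missing:
            out.append("binary missing (leftover entry or file already removed)")
        if self.owner == "Unknown owner":
            out.append("no publisher recorded")
        return out


def parse_o23(line):
    """Parse one O23 line; returns a Service, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = short = m["display"]
    sm = SHORT_RE.match(display)
    if sm:
        display, short = sm["display"], sm["short"]
    raw = m["path"]
    if '"' in raw:
        # HijackThis drops the opening quote of a quoted ImagePath but keeps the
        # closing one, so the quote marks where the path ends and arguments begin.
        image, _, args = raw.partition('"')
    else:
        image, args = raw, ""   # unquoted paths in these logs carry no arguments
    return Service(display, short, m["owner"], image, args.strip(), m["missing"] is not None)


def parse_log(text):
    """Map short service name -> Service for every O23 line in a log."""
    services = {}
    for line in text.splitlines():
        svc = parse_o23(line)
        if svc:
            services[svc.short] = svc
    return services


def removed_services(before, after):
    """Short names present in the first log but absent from the second."""
    return set(parse_log(before)) - set(parse_log(after))


if __name__ == "__main__":
    for svc in parse_log(LOG_BEFORE).values():
        print(f"{svc.short}: {svc.image} {svc.args}".rstrip(), svc.findings())
    print("removed since first log:", removed_services(LOG_BEFORE, LOG_AFTER))
```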

     
  12. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Hi alcocerpi, you're clean now =)
     
  13. alcocerpi

    alcocerpi Guest

    Awesome, thanks! Now just gotta clean my gf's computer. I'm leaving mine off the network until hers is done.
     
  14. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    You're welcome :)
     
