Spyware Sheriff attacked; Ad-Aware has my Active Desktop quarantined
sbrao
Hi
Two days ago, while surfing the internet, a PestTrap program suddenly lodged itself among my tray icons and then started scanning everything. I found it, exited from there and removed the program from the Control Panel. Then I went to CCleaner and analyzed and cleaned everything. But then my Symantec antivirus was screaming "computer is infected, use antispyware tools" with a "red sphere with a cross on it" icon.
I ran the antivirus and it found winstall.exe; I tried to quarantine or delete it but couldn't.
I ran Ad-Aware, and whatever it found I have attached below; it is quarantined on my computer right now.
ArchiveData(auto-quarantine- 2006-07-23 21-28-44.bckp)
Referencefile : SE1R115 18.07.2006
======================================================

MRU LIST
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\06 14 06 dsh2 RF 700MHz 0.5Wkg nocodazole hunb.LNK
obj[1]=MRU FileReference : C:\Documents and Settings\Vidya\recent\Desktop.ini
obj[2]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\06 29 06 dsh1 Sham w-conotoxin 2uM.LNK
obj[3]=MRU RegReference : software\microsoft\directdraw\mostrecentapplication name
obj[4]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\mediaplayer\medialibraryui mllastselectednode
obj[5]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\mediaplayer\player\settings opendir
obj[6]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\mediaplayer\preferences lastplaylistindex
obj[7]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\mediaplayer\preferences lastplaylist
obj[8]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\office\10.0\clip organizer\search\last query
obj[9]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\office\10.0\common\general symbolmru
obj[10]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\office\10.0\common\open find\microsoft powerpoint\settings\save as\file name mru value
obj[11]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\office\10.0\common\open find\microsoft word\settings\open\file name mru value
obj[12]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru value
obj[13]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\office\10.0\excel\recent files
obj[14]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\office\10.0\powerpoint\recent file list
obj[15]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\office\10.0\powerpoint\recent templates
obj[16]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\office\10.0\powerpoint\recent typeface list
obj[17]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\office\10.0\powerpoint\recentfolderlist
obj[18]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\office\10.0\powerpoint\recenttemplatelist
obj[19]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\windows\currentversion\applets\regedit lastkey
obj[20]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\windows\currentversion\explorer\runmru
obj[21]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\HUNB cells.LNK
obj[22]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\Igor pre-ONR 2003.LNK
obj[23]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\index.dat
obj[24]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\JIF-Radiation.LNK
obj[25]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\KTW37T6A.LNK
obj[26]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\Lab Presentation For BPS.LNK
obj[27]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\Library.LNK
obj[28]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\MERS Southeast Legal Seminar (11[1].10.04) final.LNK
obj[29]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\MSD.LNK
obj[30]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\My Documents.LNK
obj[31]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\Normal.LNK
obj[32]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\NOtes of P19 work in 2006.LNK
obj[33]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\Notes on HUNB RF Vial 5 work 2006.LNK
obj[34]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\Notes on HUNB RF WORK Vial 5 work 2006.LNK
obj[35]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\NOtes_on_RF_data_from_2005_vials3_4_5.LNK
obj[36]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\OXIJKTMV.LNK
obj[37]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\P19 and HUNB RF Label and Cascades.LNK
obj[38]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\P19 cells.LNK
obj[39]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\P19 pathways.LNK
obj[40]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\realnetworks\realplayer\6.0\preferences\LastLoginTime
obj[41]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\Possible interests.LNK
obj[42]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\Presentation1.LNK
obj[43]=MRU FileReference : C:\Documents and Settings\Vidya\Application Data\microsoft\office\recent\Presentation3.LNK
obj[44]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\realnetworks\realplayer\6.0\preferences\MostRecentClips1
obj[45]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\realnetworks\realplayer\6.0\preferences\MostRecentClips2
obj[46]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\realnetworks\realplayer\6.0\preferences\MostRecentClips3
obj[47]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\realnetworks\realplayer\6.0\preferences\MostRecentClips4
obj[48]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\realnetworks\realplayer\6.0\preferences\MostRecentClips5
obj[49]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\realnetworks\realplayer\6.0\preferences\MostRecentClips6
obj[50]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\realnetworks\realplayer\6.0\preferences\MostRecentClips7
obj[51]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\realnetworks\realplayer\6.0\preferences\MostRecentClips8
obj[52]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\realnetworks\realplayer\6.0\preferences\MostRecentSkins2
obj[53]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\realnetworks\realplayer\6.0\preferences\MostRecentSkins3
obj[54]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\realnetworks\realplayer\6.0\preferences\MostRecentSkins4
obj[74]=MRU RegReference : .DEFAULT\software\microsoft\windows media\wmsdk\general computername
obj[75]=MRU RegReference : S-1-5-18\software\microsoft\windows media\wmsdk\general computername
obj[76]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\windows media\wmsdk\general computername

SPYWARENO
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[26]=Process : C:\winstall.exe
obj[29]=RegKey : software\sno2
obj[30]=RegValue : software\microsoft\windows\currentversion\policies\system "Wallpaper"
obj[31]=RegValue : software\microsoft\internet explorer\desktop\general "WallpaperFileTime"
obj[32]=RegData : software\microsoft\internet explorer\desktop\general "WallpaperStyle"
obj[33]=RegData : control panel\desktop "WallpaperStyle"
obj[34]=RegData : software\microsoft\windows\currentversion\policies\explorer "ClassicShell"
obj[35]=RegData : software\microsoft\windows\currentversion\policies\explorer "ForceActiveDesktopOn"
obj[36]=RegData : software\microsoft\windows\currentversion\policies\explorer "NoActiveDesktop"
obj[37]=RegData : software\microsoft\windows\currentversion\policies\activedesktop "NoAddingComponents"
obj[38]=RegData : software\microsoft\windows\currentversion\policies\activedesktop "NoChangingWallpaper"
obj[39]=RegData : software\microsoft\windows\currentversion\policies\activedesktop "NoComponents"
obj[40]=RegData : software\microsoft\windows\currentversion\policies\activedesktop "NoEditingComponents"
obj[41]=RegData : software\microsoft\windows\currentversion\policies\activedesktop "NoHTMLWallPaper"
obj[42]=RegData : software\microsoft\internet explorer\desktop\general "ComponentsPositioned"
obj[43]=Folder : C:\Program Files\PestTrap
obj[44]=File : C:\nj.exe
obj[45]=File : C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP83\A0012349.exe
obj[46]=File : C:\Documents and Settings\Vidya\Application Data\Install.dat

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[27]=IECache Entry : Cookie:vidya@atdmt.com/
obj[28]=IECache Entry : Cookie:vidya@2o7.net/

OTHER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[47]=File : C:\WINDOWS\prefetch\NJ.EXE-292BD401.pf

The lines for winstall.exe and nj.exe had turned up two days before, when I ran Ad-Aware and the antivirus scan in two separate locations.
Then I backed up everything and tried to run System Restore to a previous restore point; it said the restoration was incomplete, and I tried different restore points with the same result.
So I went to my school's system support; they started the computer in Safe Mode, ran Spybot and cleaned the Active Desktop entry that came up, and then ran the antivirus scan again. It listed two files there which, on searching, don't exist. So they said my computer is safe.
But now, after two days, I ran Ad-Aware again and found the following:
ArchiveData(spyware.bckp)
Referencefile : SE1R115 18.07.2006
======================================================

SPYWARENO
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=File : C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP83\A0012407.exe
obj[1]=RegValue : software\microsoft\internet explorer\desktop\general "WallpaperLocalFileTime"
obj[2]=RegData : software\microsoft\internet explorer\desktop\general "WallpaperStyle"
obj[3]=RegData : control panel\desktop "WallpaperStyle"
obj[4]=RegData : software\microsoft\windows\currentversion\policies\explorer "ClassicShell"
obj[5]=RegData : software\microsoft\windows\currentversion\policies\explorer "NoActiveDesktop"
obj[6]=RegData : software\microsoft\windows\currentversion\policies\activedesktop "NoAddingComponents"
obj[7]=RegData : software\microsoft\windows\currentversion\policies\activedesktop "NoChangingWallpaper"
obj[8]=RegData : software\microsoft\windows\currentversion\policies\activedesktop "NoComponents"
obj[9]=RegData : software\microsoft\windows\currentversion\policies\activedesktop "NoEditingComponents"

The first System Volume Information file turned up on the antivirus scan too, but I cannot find it anywhere in the system.
I looked up other stuff on Google and found that my desktop might have frozen and that other things will follow. So I tried changing it: I can now change the color but cannot set a picture as the desktop background. Also I cannot do a System Restore in normal or Safe Mode.
I ran the Panda scan software; it found some malicious cookies, and I deleted those, but that didn't help. What do I do? Please help, thanks!
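The Ad-Aware reports above, read as a triage exercise. This is an added example, not Lavasoft code and not the poster's own: it parses the `obj[N]=Type : target` lines into records and picks out the findings that account for the symptoms described, namely the Explorer and Active Desktop policy values that stop the wallpaper being changed, the executables sitting at the root of C:, and the copy inside a System Restore point under System Volume Information, which Explorer search does not show. The sample report is a constructed excerpt of the posted one, and the policy-name list is assembled from the values that appear in this thread.

```python
"""Triage an Ad-Aware SE scan/quarantine report in the obj[N]=Type : target
format.  Added example for this thread, not Lavasoft code."""
import re
from collections import Counter

# Constructed excerpt of the posted report (same line format, fewer lines).
SAMPLE_REPORT = r"""
ArchiveData(auto-quarantine- 2006-07-23 21-28-44.bckp)
Referencefile : SE1R115 18.07.2006
======================================================

MRU LIST
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[20]=MRU RegReference : S-1-5-21-2996401450-3968480119-282924165-1006\software\microsoft\windows\currentversion\explorer\runmru

SPYWARENO
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[26]=Process : C:\winstall.exe
obj[29]=RegKey : software\sno2
obj[30]=RegValue : software\microsoft\windows\currentversion\policies\system "Wallpaper"
obj[32]=RegData : software\microsoft\internet explorer\desktop\general "WallpaperStyle"
obj[36]=RegData : software\microsoft\windows\currentversion\policies\explorer "NoActiveDesktop"
obj[38]=RegData : software\microsoft\windows\currentversion\policies\activedesktop "NoChangingWallpaper"
obj[43]=Folder : C:\Program Files\PestTrap
obj[44]=File : C:\nj.exe
obj[45]=File : C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP83\A0012349.exe

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[27]=IECache Entry : Cookie:vidya@atdmt.com/
"""

LINE_RE = re.compile(r'^obj\[(\d+)\]=([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$')
QUOTED_VALUE_RE = re.compile(r'^(?P<path>.*?)\s+"(?P<name>[^"]+)"$')

# Explorer / Active Desktop policy values that lock the desktop.  The list is
# taken from the values reported in this thread; when set, the user cannot
# change the wallpaper, which is exactly the symptom reported.
DESKTOP_LOCKDOWN = {
    'Wallpaper', 'NoActiveDesktop', 'ForceActiveDesktopOn', 'ClassicShell',
    'NoChangingWallpaper', 'NoComponents', 'NoAddingComponents',
    'NoEditingComponents', 'NoHTMLWallPaper',
}
ROOT_EXE_RE = re.compile(r'^[A-Za-z]:\\[^\\]+\.exe$', re.IGNORECASE)
RESTORE_POINT_RE = re.compile(r'\\System Volume Information\\_restore\{', re.IGNORECASE)


def parse_report(text):
    """Return one dict per obj[...] line, tagged with its section heading."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('»', '=', 'ArchiveData', 'Referencefile')):
            continue
        m = LINE_RE.match(line)
        if not m:                       # a bare heading such as SPYWARENO
            section = line
            continue
        index, kind, target = int(m.group(1)), m.group(2), m.group(3)
        value = None
        if kind in ('RegValue', 'RegData'):
            q = QUOTED_VALUE_RE.match(target)
            if q:                       # split 'key "ValueName"' into its parts
                target, value = q.group('path'), q.group('name')
        findings.append({'section': section, 'index': index, 'kind': kind,
                         'target': target, 'value': value})
    return findings


def triage(findings):
    """Pick out the findings that explain the symptoms, ignoring MRU noise."""
    out = {'lockdown_policies': set(), 'root_executables': [],
           'restore_point_files': [], 'tracking_cookies': 0,
           'by_section': Counter()}
    for f in findings:
        out['by_section'][f['section']] += 1
        if f['section'] == 'TRACKING COOKIE':
            out['tracking_cookies'] += 1
        # only count the lockdown names when they live under a \policies\ key
        if f['value'] in DESKTOP_LOCKDOWN and '\\policies\\' in f['target'].lower():
            out['lockdown_policies'].add(f['value'])
        if f['kind'] in ('File', 'Process') and ROOT_EXE_RE.match(f['target']):
            out['root_executables'].append(f['target'])
        if RESTORE_POINT_RE.search(f['target']):
            out['restore_point_files'].append(f['target'])
    return out


def explain(report):
    """Human-readable conclusions, one line each."""
    notes = []
    if report['lockdown_policies']:
        notes.append('Desktop is policy-locked by: ' + ', '.join(sorted(report['lockdown_policies'])))
    for path in report['root_executables']:
        notes.append(f'Executable at drive root (not a normal install location): {path}')
    for path in report['restore_point_files']:
        notes.append(f'Copy inside a System Restore point, not visible to Explorer search: {path}')
    notes.append(f"Tracking cookies: {report['tracking_cookies']} (low risk, just delete)")
    return notes


if __name__ == '__main__':
    for line in explain(triage(parse_report(SAMPLE_REPORT))):
        print(line)
```

The MRU section is deliberately ignored: those entries are Office, Media Player and RealPlayer recent-file lists, not an infection. The restore-point path is the reason the "cannot find it anywhere" file exists: System Volume Information is a hidden folder that System Restore owns and Explorer search skips, and a restore point made while the hijacker was present carries a copy of it. Such copies only go away when the restore points are purged (turning System Restore off and on again is the usual way), after the live system is clean.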
SkittlesPC
sbrao,

It would be helpful if you also post a HJT log for the malware experts to take a look at.

For the download link and instructions, please click on the following link.

http://www.lavasoftsupport.com/index.php?showtopic=216

You mentioned that you scanned with Ad-Aware but I wanted to make sure it was with the latest version.

QUOTE
Before posting a "HijackThis" Log, you must run a scan with the latest version of Ad-Aware (build 1.06r), and ensure that you have the latest definition file by performing a webupdate once Ad-Aware is loaded.

If you do not follow these steps before posting your log, be aware that you will be instructed to do this anyway.

HijackThis logs are easier to work with when Ad-Aware has cleaned up files that are already in detection; and indeed, it is best not to go through manual removal steps if the up-to-date Ad-Aware can do it automatically.
sbrao
Hi
Thanks for the help.
I did download the latest version and sent in the scan report. But just to be sure, I downloaded it again and scanned again. I also downloaded HijackThis, and I have attached the Ad-Aware spyware backup report below the HijackThis report.
Please let me know. Thanks again.
Logfile of HijackThis v1.99.1
Scan saved at 4:54:39 PM, on 7/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\MediaExe\PreODM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [OSCD_Creator] c:\Dell\MediaExe\PreODM.EXE /2
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.custhelp.com/7530-b327h/rnl/java/RntX.cab
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: OdysseyClient - C:\WINDOWS\SYSTEM32\odyEvent.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Ad-Aware report:
TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[3]=IECache Entry : Cookie:vidya@questionmarket.com/
obj[4]=IECache Entry : Cookie:vidya@2o7.net/
obj[5]=IECache Entry : Cookie:vidya@statcounter.com/

SPYWARENO
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[6]=File : C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP83\A0012407.exe
obj[7]=RegValue : software\microsoft\internet explorer\desktop\general "WallpaperLocalFileTime"
obj[8]=RegData : software\microsoft\internet explorer\desktop\general "WallpaperStyle"
obj[9]=RegData : control panel\desktop "WallpaperStyle"
obj[10]=RegData : software\microsoft\windows\currentversion\policies\explorer "ClassicShell"
obj[11]=RegData : software\microsoft\windows\currentversion\policies\explorer "NoActiveDesktop"
obj[12]=RegData : software\microsoft\windows\currentversion\policies\activedesktop "NoAddingComponents"
obj[13]=RegData : software\microsoft\windows\currentversion\policies\activedesktop "NoChangingWallpaper"
obj[14]=RegData : software\microsoft\windows\currentversion\policies\activedesktop "NoComponents"
obj[15]=RegData : software\microsoft\windows\currentversion\policies\activedesktop "NoEditingComponents"

QUOTE(SkittlesPC @ Jul 25 2006, 10:19 PM)
It would be helpful if you also post a hjt log for the malware experts to take a look at.
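A small HijackThis log triage, added here as an example; it is not part of HijackThis and not something from the thread. It parses the R/O-section lines and applies a few of the standard rules for reading such a log: an O3 toolbar that points at `(no file)` is an orphaned registry entry; an O2 BHO listed as `(no name)` has to be identified by its CLSID before anyone fixes it (the one in this log is Spybot's SDHelper.dll, which is legitimate); O16 DPF entries name ActiveX controls downloaded from the web, so the host matters; and an O4 autorun that launches an executable from the drive root is worth a look. The sample log is a constructed excerpt of the posted one plus one constructed `O4` line for `C:\winstall.exe` that does not appear in the posted log and is there only so the drive-root rule has something to fire on. The trusted-host list is an assumption.

```python
"""Read a HijackThis 1.99 log and flag the entries a helper would look at first.
Added example for this thread; not part of HijackThis."""
import re

# Constructed excerpt of the posted log.  The [winstall] O4 line is NOT in the
# posted log; it is made up here so the drive-root rule has something to catch.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [winstall] C:\winstall.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.custhelp.com/7530-b327h/rnl/java/RntX.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

ENTRY_RE = re.compile(r'^(?P<section>R\d|O\d+) - (?P<body>.*)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
URL_HOST_RE = re.compile(r'https?://([^/\s]+)', re.IGNORECASE)
# an .exe directly under a drive letter, e.g. C:\winstall.exe (no subfolder)
ROOT_EXE_RE = re.compile(r'\b[A-Za-z]:\\[^\\\s"]+\.exe\b', re.IGNORECASE)

# Hosts from which an O16 ActiveX download is expected on this machine (assumption).
TRUSTED_DPF_HOSTS = {'www.symantec.com'}


def parse_hjt(text):
    """One dict per R/O line: section code, body text, CLSID if any, empty flag list."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            clsid = CLSID_RE.search(m.group('body'))
            entries.append({'section': m.group('section'), 'body': m.group('body'),
                            'clsid': clsid.group(0) if clsid else None, 'flags': []})
    return entries


def triage_hjt(entries, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Attach a reason to each entry that deserves a second look; return only those."""
    for e in entries:
        sec, body = e['section'], e['body']
        if sec == 'O3' and body.endswith('(no file)'):
            e['flags'].append('toolbar registration with no file on disk: orphan, safe to fix')
        elif sec == 'O2' and body.startswith('BHO: (no name)'):
            e['flags'].append(f'unnamed BHO, identify {e["clsid"]} before fixing')
        elif sec == 'O16':
            host = URL_HOST_RE.search(body)
            if host and host.group(1).lower() not in trusted_hosts:
                e['flags'].append(f'ActiveX control downloaded from {host.group(1)}')
        elif sec == 'O4' and ROOT_EXE_RE.search(body):
            e['flags'].append('autorun entry launching an executable from the drive root')
        elif sec == 'O23' and ' - Unknown owner - ' in body:
            e['flags'].append('service with no vendor in its version info')
    return [e for e in entries if e['flags']]


if __name__ == '__main__':
    for e in triage_hjt(parse_hjt(SAMPLE_LOG)):
        print(e['section'], '|', e['flags'][0])
        print('   ', e['body'])
```

Against the log actually posted above, the rules flag only the O3 `(no file)` toolbar and the Live Collaboration DPF entry from custhelp.com; everything else, including the `(no name)` BHO, resolves to known software. That is consistent with the picture in the thread: the running process list and autoruns are clean, and what remains is the policy lockdown in the registry and the copies in the restore point, which HijackThis does not show.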
LS CalamityJane
Apologies for the late reply, we are a bit backlogged here as you can probably see.

I'm now subscribed to this thread and if you reply back here, I'll get an automated notice of your response and get back to you very quickly now.

It sounds like you have a new variant of Smitfraud hijacker that Ad-Aware doesn't detect yet.

1. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

How to extract (decompress) zipped or compressed files
http://www.lvsonline.com/compresstut/index.shtml

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


2. Reboot into Safe Mode
You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

3. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

4. Once back into normal mode, please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

Logs needed in your next post are:

rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed

Fresh HijackThis log