SMARTSECURITY

12 replies to this topic

#1 newsatten (Full Member)

Posted 15 June 2004 - 01:15 PM

greetings.

desktop background has been taken over by SMARTSECURITY.
http://www.smart-sec....info/main.html
hijacked desktop screen reads: "WARNING! You're In Danger!" etc.

i have been unsuccessful in attempts to remove infection via Ad-aware and Spybot-S&D.
at the time of infection, i was running AntiVir [http://www.free-av.com],
and, although it did not protect, it did provide the following information --
C:\WINDOWS\Hosts
The Trojan horse TR/StartPage.IG.1

additionally, Microsoft Internet Explorer Homepage has been hijacked to --
"C:\WINDOWS\secure.html"
and, computer has slowed considerably, showing 100% CPU Usage
while i am not even actively doing anything.

much kind thanks in advance for your help in this matter...
newsatten.




here is the HijackThis logfile --




Logfile of HijackThis v1.97.7
Scan saved at 12:54:58 PM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\mstasks2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RealUpdater.Exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\Scott Zimmerman\Application Data\atoo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Scott Zimmerman\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [KITCO] C:\Program Files\Kitco\Kcast\Kcast
O4 - HKCU\..\Run: [RealOne Player Update Sheduler] C:\WINDOWS\System32\RealUpdater.Exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Snls] C:\Documents and Settings\Scott Zimmerman\Application Data\atoo.exe
O4 - Startup: VirtuaGirl2.lnk = C:\Program Files\Vg\VirtuaGirl2.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)




one final comment --

after infection occurred, first time i ran HijackThis, i deleted files ending in --
"Start Page = C:\WINDOWS\secure.html"
and
"Main,Default_Page_URL = C:\WINDOWS\secure.html"
however these files had returned upon subsequent HijackThis scan.

again, BIG THANKS for your help here...
newsatten.

#2 newsatten (Full Member)

Posted 15 June 2004 - 05:43 PM

TheTechGuide Forum - smartsecurity
http://www.thetechgu...showtopic=10600

one post notes that they [presumably SmartSecurity] say infection can be removed via --
"C:\desktop.exe /r"
though post then notes that this does not work.

another post notes
1. right-click on desktop [at the very top of monitor screen so as to circumvent the dead end effect of right-clicking directly on the SmartSecurity black desktop]
2. select "Properties" -- which brings up the "Display Properties" dialogue box
3. select "Desktop" tab
4. click "Customize Desktop..." button at lower left
5. select "Web" tab
6. uncheck the "Security" box located in the "Web pages:" field
SmartSecurity effectively takes its "Warning" Webpage and displays it on your desktop. [older versions of Microsoft Windows referred to this as "Active Desktop".] the six steps above remove this "Warning" Webpage from desktop.
this post concludes: "if anyone has anymore ideas, or questions, email freehlp@hawaii.com"

i myself ["newsatten"] highlighted/selected the "Security" item in the "Web pages:" field and deleted it via the "Delete" button at middle right.


however, Internet Explorer Homepage is still hijacked by "C:\WINDOWS\secure.html"
[if "Home" icon of IE is clicked on, adult site is brought up, even after just resetting "Homepage". i have attempted to clean out "Temporary Internet Files" folder several times though it continues to repopulate with unwanted items.]

and, computer is running extremely slow -- CPU Usage is at 100% even without running any Applications. your attention to this would also be considerably appreciated.

again, kind thanks to your consideration here... very much thanks... i will definitely make donation to this website...
newsatten.

#3 Archon_Wing (Trusted Advisor)

Posted 15 June 2004 - 05:58 PM

You have a Coolwebsearch infection. Download and Run Cwshredder:
http://www.spywarein.../CWShredder.exe
When the program starts choose fix which is at the bottom right hand corner of the window. Let the shredder do its work.

Restart the computer and post a new log.
Rights are never important until you don't have them.

#4 newsatten (Full Member)

Posted 16 June 2004 - 06:35 PM

greetings Archon Wing
and much thanks for your help thus far...
this Coolwebsearch is some nasty stuff... amazing that its activity isn't illegal...?
HijackThis Logfile is at bottom following questions...

after running CWShredder per your instructions, computer was still running extremely slow...
i "determined" that it was "mstasks2.exe" slowing down system, using "99" CPU on "Processes" tab of "Windows Task Manager", so i selected "mstasks2.exe" and clicked "End Process" button...
i also deleted the
"O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u"
entry of HJT Logfile [and hopefully this was the correct thing to do]
though this item is still listed below in HJT Logfile
[as i initially ran HJT scan and saved Logfile, then ran scan a second time and deleted it from this second scan... below is the first Logfile]
QUESTIONS:
1.) was this correct action to delete this line from HJT Logfile...?
2.) what does "mstasks2.exe" do that uses up so much CPU...?
3.) can this item still be lurking somewhere on computer...?

ADDITIONAL COMMENTS & QUESTIONS:
4.)
unwanted new search toolbar has been installed...
when i click "Go" button of this search toolbar,
"Status Bar" at bottom of window shows: "http://www.quickcrawler.com"
which then pulls up "http://search.startium.com"
[Startium - Blazing Speed. No Ads. Start here http://www.startium.com/index.php]
how do i get rid of this search toolbar permanently...?
[i checked "Add or Remove Programs" in "Control Panel" and did not find anything that i thought might be it...? however, i do notice "Lycos", "ClockSync" and "Power Scan" folders in "Program Files" folder that i do not believe were previously there... all of these folders show zero objects except for the "Lycos" folder which contains a "Sidesearch" folder that also shows zero objects... thoughts...?]
5.)
when i attempt to log in [user name & password] to a website that i have subscription to, i get an Internet Explorer error message that says:
"Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience."
"Error report:" includes --
Error signature:
AppName: iexplore.exe
AppVer: 6.0.2800.1106
ModName: unknown
ModVer: 0.0.0.0
Offset: 6d5a6d5a
when i click "Don't Send" Error Report button, IE window just closes... any ideas...?
6.)
any opinion on Antivir [http://www.free-av.com/]...?
7.)
is it necessary to use "Safe" mode for any of this entire disinfecting process...?
i've been reading many other posts on Spywareinfo...
specifically, two posts addressed by PGPhantom mention using "Safe" mode --
-- Windows XP running VERY slow100% CPU usage (From SWI Forums)
-- http://www.spywarein...=ST&f=18&t=7198
-- and
-- CPU usage 100% anytime, wat's wrong??????? (From SWI Forums)
-- http://www.spywarein...=ST&f=18&t=6609
8.)
would using a Proxy Server have prevented me from getting this Coolwebsearch infection...? any suggestions of one, or would you not recommend using such...?
any merit to program "Anonymizer" [http://www.anonymize.../index.cgi]...?
9.)
is it possible that due to this Coolwebsearch infection another source currently has access to my computer and can "lift" password information and such...?

THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU!!!!!
i WILL make donation via Paypal to both this site and to merijn, though first want to clarify my question # 9 above...
again, VERY KIND THANKS... this site is a blessing...
newsatten...





Logfile of HijackThis v1.97.7
Scan saved at 8:06:07 PM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\uptodate.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\mstasks2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RealUpdater.Exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\Scott Zimmerman\Application Data\atoo.exe
C:\Documents and Settings\Scott Zimmerman\Desktop\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbclick.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbclick.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\STLBCL~1.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [KITCO] C:\Program Files\Kitco\Kcast\Kcast
O4 - HKCU\..\Run: [RealOne Player Update Sheduler] C:\WINDOWS\System32\RealUpdater.Exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Snls] C:\Documents and Settings\Scott Zimmerman\Application Data\atoo.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
O4 - Startup: VirtuaGirl2.lnk = C:\Program Files\Vg\VirtuaGirl2.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)

#5 newsatten (Full Member)

Posted 16 June 2004 - 06:59 PM

addendum to my previous message:

regarding the AppName of my comment/question # 5 --
did search for "iexplore"...

IEXPLORE [Application -- C:\Program Files\Internet Explorer]
iexplore [Compiled HTML Help file -- C:\WINDOWS\Help]
iexplore.chw [CHW File -- C:\WINDOWS\Help]
iexplore [Help File -- C:\WINDOWS\Help]
IEXPLORE.EXE-145A81D9.pf [PF File -- C:\WINDOWS\Prefetch]
IEXPLORE.EXE-27122324.pf [PF File -- C:\WINDOWS\Prefetch]

first PF File created two days ago at time of infection
second PF File created today an hour ago

?
thanks

#6 newsatten (Full Member)

Posted 17 June 2004 - 07:35 PM

BUMP

#7 newsatten (Full Member)

Posted 18 June 2004 - 03:30 PM

addendum to my previous two content messages:


several more "sightings" per AntiVir [http://www.free-av.com/]:


C:\DOCUME~1\SCOTTZ~\LOCALS~1\TEMP\PS_INSTALL-MT.EXE
The Trojan horse TR/Scapur.A

C:\DOCUME~1\SCOTTZ~1\LOCALS~1\TEMP\PS_INSTALL-MT.EXE
The Trojan horse TR/Scapur.A

C:\SYSTEM VOLUME INFORMATION\_RESTORE{B179B810-074F-4F76-B82B-07134571B4AE}\RP194\A0074617.EXE
The Trojan horse TR/Scapur.A


continuing much thanks...
newsatten.

#8 newsatten (Full Member)

Posted 21 June 2004 - 05:30 PM

BUMP

#9 newsatten (Full Member)

Posted 22 June 2004 - 03:45 PM

BUMP

#10 Archon_Wing (Trusted Advisor)

Posted 22 June 2004 - 10:13 PM

You can select the following entries listed below in Hijack This. Then, close all other windows besides Hijack This and click fix checked.


Note: If something goes wrong you can undo the changes done by Hijack This. Go to the bottom right hand corner of Hijack This and click on config. Then choose backups. There you can reverse any changes you made.

O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
-BrowserAid/FeaturedResults (MSIEFR40.DLL)

O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbclick.dll

O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbclick.dll

O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\STLBCL~1.DLL,DllRunMain

O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u

O4 - HKCU\..\Run: [Snls] C:\Documents and Settings\Scott Zimmerman\Application Data\atoo.exe

O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
O4 - Startup: VirtuaGirl2.lnk = C:\Program Files\Vg\VirtuaGirl2.exe


Unhide hidden files and folders. Check this out if you don't know how. http://www.xtra.co.n...1916458,00.html

Restart the computer and delete if found:
C:\WINDOWS\uptodate.exe <<< FILE
C:\Documents and Settings\Scott Zimmerman\Application Data\atoo.exe <<< FILE
C:\WINDOWS\System32\wnsintsv.exe <<<< FILE

Post a new log when done.

Edited by Archon_Wing, 22 June 2004 - 10:14 PM.

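The logs in this thread (the 15 June one in post #1 and the 16 June one in post #4) were read by eye, and the fix list above is applied by hand in HijackThis. As an added example that is not part of this thread and not anything HijackThis or SpywareInfo provide, the Python below parses HJT entry lines, flags the patterns this thread turned out to hinge on (an IE start page pointing at a local file, BHO/toolbar CLSIDs outside a known-good list, Run values launched from the user profile, named by a bare CLSID, loading a DLL through a DllRun* export, or dropped straight into C:\WINDOWS), and diffs a before/after pair to confirm what a cleanup actually removed. The allowlist, the heuristics and the excerpted sample logs are this example's own assumptions.

```python
"""Added example, not from the thread: triage HijackThis logs and diff two of them.
HijackThis prefixes each line with a section code, as in the posted logs: R0/R1 = IE
start/search page values, O2 = BHOs, O3 = toolbars, O4 = Run keys and Startup items,
O16 = downloaded ActiveX. The allowlist and heuristics are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumed allowlist: the CLSIDs that survive in the clean 24 June log
# (Acrobat helper, Spybot SDHelper, Google toolbar, the "Radio" toolbar).
KNOWN_CLSIDS = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",
    "{53707962-6F74-2D53-2644-206D7942484F}",
    "{AA58ED58-01DD-4D91-8333-CF10577473F7}",
    "{8E718888-423F-11D2-876E-00A0C9082467}",
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}",
}

@dataclass(frozen=True, order=True)
class Entry:
    kind: str  # section code, e.g. "O4"
    text: str  # everything after "O4 - "

def parse_log(log: str) -> list[Entry]:
    """Keep only the Rn/On entry lines; headers and the process list are skipped."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2).strip()))
    return out

def flag_entry(e: Entry) -> str | None:
    """Return a reason if the entry matches a hijack heuristic, else None."""
    low = e.text.lower()
    if e.kind in ("R0", "R1"):
        # Start/default page set to a local file (secure.html) instead of a URL.
        if re.search(r"=\s*[a-z]:\\", low):
            return "IE page value points at a local file"
    elif e.kind in ("O2", "O3"):
        m = CLSID_RE.search(e.text)
        if m and m.group(0).upper() not in KNOWN_CLSIDS:
            return "BHO/toolbar with a CLSID outside the allowlist"
    elif e.kind == "O4":
        if re.search(r"\\(application data|local settings|temp)\\", low):
            return "autorun launched from the user profile"
        if re.search(r"run:\s*\[\{[0-9a-f-]{36}\}\]", low):
            return "autorun value named by a bare CLSID"
        if "rundll32" in low and re.search(r",dllrun(main|server)\b", low):
            return "rundll32 loading a DLL through a DllRun* export"
        if re.search(r"\]\s*\"?c:\\windows\\[^\\\"]+\.exe", low):
            return "executable dropped directly into the Windows root"
    return None

def triage(log: str) -> list[tuple[Entry, str]]:
    """Every flagged entry with its reason, in log order."""
    hits = []
    for e in parse_log(log):
        reason = flag_entry(e)
        if reason:
            hits.append((e, reason))
    return hits

def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """(removed, added) between two logs, to check that a cleanup actually stuck."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a - b)

# Constructed sample: entry lines excerpted from the logs posted in this thread
# (15/16 June for "before", 24 June for "after"); the process lists are omitted.
SAMPLE_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbclick.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\STLBCL~1.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [Snls] C:\Documents and Settings\Scott Zimmerman\Application Data\atoo.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
"""
SAMPLE_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.briefing....epth/InPlay.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""
```

Running triage over the "before" excerpt flags eight entries: the secure.html start page, the msiefr40/stlbclick BHOs, the CLSID-named and Rundll32_7 Run values, uptodate.exe and mstasks2.exe in the Windows root, and atoo.exe under Application Data. It does not flag `[WNSC] C:\WINDOWS\System32\wnsintsv.exe`, which sits in System32 under an innocuous name; that is exactly the kind of entry that still needs a person reading the log, as Archon_Wing did. diff_logs against the "after" excerpt reports ten entries removed and two added (the restored start page and the Flash O16), and flag_entry returns None for every line of the clean log, which is the check to run before calling a system clean.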

#11 newsatten (Full Member)

Posted 24 June 2004 - 09:44 PM

Archon_Wing...

kind thanks for your help in particular and for this website... followed your HijackThis instructions... ran search for ".exe" files you listed and deleted related files... files did not end in ".exe" but were the same names etc... new HijackThis Logfile follows...

if it is possible, i would really appreciate if you would email me and i will not take up much of your time... just had a few questions regarding antivirus software/programs and running scans that do not repair archive/archives files [files in archive/archives folders ?!]... i do not know if this request is against spywareinfo protocol [or even just in poor taste/bad manners]... if either is the case i certainly do apologize... i did read article/section on spywareinfo website regarding steps to take to prevent future infection, just have a few specific questions...

either way, i am very appreciative for your help thus far and will make donations/contributions... also, if you care for a book/cd/whatever on Amazon, i will send to you...

cheers...
newsatten.





Logfile of HijackThis v1.97.7
Scan saved at 9:59:56 PM, on 6/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RealUpdater.Exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Scott Zimmerman\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.briefing....epth/InPlay.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [KITCO] C:\Program Files\Kitco\Kcast\Kcast
O4 - HKCU\..\Run: [RealOne Player Update Sheduler] C:\WINDOWS\System32\RealUpdater.Exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


one last thing... when i attempted to add this reply and click "Add Reply" button, Microsoft IE prompted an error dialogue box that it needed to shut down... anyway, perhaps just heavy internet traffic or should i be concerned...? so, i post this from another computer...

#12 Archon_Wing (Trusted Advisor)

Posted 26 June 2004 - 12:02 AM

If you have any other questions, I think you're better off posting it in this forum or ask in the chat room (Instructions found in my signatures). I'm not one to check email that often and believe it or not, I don't know everything. :rofl:

But, most virus scans have the option of enabling/disabling scanning archive files. That affects whether they get fixed or not.

Your log looks clean. Take care!

#13 newsatten (Full Member)

Posted 29 June 2004 - 09:16 PM

much kind thanks for your help...
newsatten.
