[Resolved] XP Pro Hacked: Lost Admin rights on User Account!

left4dead · 8th November 2007

Quote:

Originally Posted by noahdfear

Please post the contents of C:\QooBox\ComboFix-quarantined-files.txt

Hi,

NO such file exists in that particular location. Might it be stored somewhere else?

Quote:

Run Deckard's System Scanner again and post the main.txt log too.

Here it is. Thanks for your help and patience.

++++++++++++++++++++++++++++++++++++++++++++++++++++

Deckard's System Scanner v20071014.68
Run by Steph on 2007-11-07 23:00:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Total Physical Memory: 247 MiB (512 MiB recommended).

-- HijackThis (run as Steph.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:45 PM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\$ISR\$APP\Setup\ISRService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Documents and Settings\Steph\Desktop\dss.exe
C:\DOCUME~1\Steph\Desktop\PCTOOL~1\Steph.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/armhelper.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: FirstDefense-ISR Service (ISRService) - Raxco Software, Inc. - C:\$ISR\$APP\Setup\ISRService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O24 - Desktop Component 0: (no name) - (no file)
--
End of file - 4122 bytes
-- Files created between 2007-10-07 and 2007-11-07 -----------------------------
2007-11-07 00:46:35 0 d-------- C:\Program Files\MSXML 6.0
2007-11-05 00:32:28 0 d-------- C:\Program Files\MSBuild
2007-11-05 00:26:37 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-11-05 00:25:17 0 d-------- C:\Program Files\Reference Assemblies
2007-11-05 00:23:08 0 d-------- C:\5978a055841da56daca2
2007-11-04 22:24:03 0 dr-h----- C:\Documents and Settings\Steph\Recent
2007-11-04 22:03:48 1512 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-04 22:03:12 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-04 22:03:12 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-11-04 22:03:12 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-11-04 22:03:12 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-11-04 22:03:12 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-02 16:23:05 0 d-------- C:\Program Files\bfgclient
2007-11-02 16:23:05 0 d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2007-10-28 22:56:53 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-10-28 22:56:53 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-10-28 21:21:19 280 --a------ C:\WINDOWS\system32\PDBootState
2007-10-28 20:52:35 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-28 20:14:50 0 d-------- C:\Documents and Settings\Steph\Application Data\Sunbelt Software
2007-10-28 20:14:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-10-28 20:11:30 0 d-------- C:\Program Files\Sunbelt Software
2007-10-28 19:53:38 81549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-10-28 19:53:38 82061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-10-28 19:52:26 0 d-------- C:\Program Files\Kaspersky Lab
2007-10-28 19:52:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-28 19:52:20 112160 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-10-28 19:52:20 7630368 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-28 19:47:23 0 d-------- C:\KAV
2007-10-28 19:17:55 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-10-28 18:53:58 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2007-10-15 21:13:09 0 d-------- C:\Documents and Settings\Steph\Application Data\ZoomBrowser EX
2007-10-14 20:43:16 0 d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-10-14 20:42:43 0 d-------- C:\Program Files\Canon
2007-10-14 20:41:45 0 d-------- C:\Program Files\Common Files\Canon

-- Find3M Report ---------------------------------------------------------------
2007-11-07 22:58:43 0 d-------- C:\Program Files\cFosSpeed
2007-10-28 22:52:54 0 d-------- C:\Program Files\XP Smoker
2007-10-28 19:27:19 0 d-------- C:\Program Files\Common Files
2007-10-28 19:14:32 0 d-------- C:\Program Files\Registry Smoker
2007-10-28 19:00:53 0 d-------- C:\Program Files\RegHealer
2007-10-28 18:56:48 0 d-------- C:\Program Files\CachemanXP
2007-10-28 18:41:37 27032 --a----c- C:\WINDOWS\system32\tcpipbak.reg
2007-09-26 22:41:37 0 d-------- C:\Program Files\Trend Micro
2007-09-26 20:10:58 0 d-------- C:\Documents and Settings\Steph\Application Data\Move Networks
2007-09-23 14:14:45 0 d-------- C:\Program Files\Ace Utilities
2007-09-15 19:47:55 0 d-------- C:\Documents and Settings\Steph\Application Data\funkitron
2007-09-15 19:47:14 0 d-------- C:\Program Files\Slingo ® Deluxe
2007-09-15 09:49:39 0 d-------- C:\Program Files\Slingo Quest
2007-09-15 09:49:37 0 d-------- C:\Documents and Settings\Steph\Application Data\SpinTop
2007-08-29 15:10:49 3350 --ahs--c- C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-29 15:10:45 56 -r-hs--c- C:\WINDOWS\system32\044FB2F2B2.sys

-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [10/26/2007 10:06 AM]
"cFosSpeed"="C:\Program Files\cFosSpeed\cFosSpeed.exe" [10/29/2007 05:02 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [06/28/2007 11:51 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 06:58 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe" [05/19/2005 03:59 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"RunStartupScriptSync"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explor er]
"NoLowDiskSpaceChecks"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoSMBalloonTip"=0 (0x0)
"NoDesktopCleanupWizard"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSv c]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SBCSTray"=C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
"ISR_MONITOR"=C:\$ISR\$APP\ISRMonitor.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

-- End of Deckard's System Scanner: finished at 2007-11-07 23:03:14 ------------

noahdfear · 9th November 2007

Your logs look good. Scan again with HijackThis and place a check next to the following entry then click Fix Checked.

O24 - Desktop Component 0: (no name) - (no file)

Close HijackThis.

Despite having Kaspersky installed, I'd like for you to run an online scan so we can see if anything was missed.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.

Post the Kaspersky log and one more fresh HijackThis log.

How's your computer performing now?

left4dead · 11th November 2007

Hi,

Below are the logs from HJT and Kaspersky online scan. I checked [O24 - Desktop Component 0: (no name) - (no file)] in HJT but it still showed up after a reboot and a rescan.

Computer seems well except that I am unable to *install* any Windows Update components (getting a "a problem with your computer prevented the updates from installing" message).
-------------------------------------------------------

Saturday, November 10, 2007 7:04:41 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/11/2007
Kaspersky Anti-Virus database records: 456088
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Scan Statistics
Total number of scanned objects 124781
Number of viruses found 1
Number of infected objects 5
Number of suspicious objects 0
Duration of the scan process 01:38:53

Infected Object Name Virus Name Last Action
C:\$ISR\$ISR Object is locked skipped
C:\$ISR\$LOGS\ISR.log Object is locked skipped
C:\$ISR\0\$ISRBIN Object is locked skipped
C:\$ISR\1\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24ad f822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\$ISR\1\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24ad f822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Steph\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\History\History.IE5\MSHist012007111020071111\index.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steph\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Steph\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000001.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000001.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000001.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000006.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000020.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP12\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

*****************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:18:25 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\$ISR\$APP\Setup\ISRService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Steph\Desktop\PC Tools\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/armhelper.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: FirstDefense-ISR Service (ISRService) - Raxco Software, Inc. - C:\$ISR\$APP\Setup\ISRService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 3963 bytes

noahdfear · 11th November 2007

Delete the following files left behind by SmitfraudFix.

C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\dumphive.exe

You should also delete the SmitfraudFix.exe file and SmitfraudFix folder.

Empty the recycle bin.

Only a few System restore points infected now. Lets clear those out.

Clear past system restore points and create a new one.
Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

Verify a new restore point was created.
Click Start>All Programs>Accessories>System Tools>System Restore
Select 'Restore my computer to an earlier time', then click next.
You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.

Locate the file at C:\Windows\setupapi.log or setupapi.txt, open it then press Ctrl+End
Click Edit>Find
Type in Access is denied, select the Direction UP then click Find Next.
There should be at least one item dated when you last attempted to update windows. Copy everything 3 - 4 entries above and below that line, then post it here.

left4dead · 11th November 2007

Quote:

Originally Posted by noahdfear

Locate the file at C:\Windows\setupapi.log or setupapi.txt, open it then press Ctrl+End
Click Edit>Find
Type in Access is denied, select the Direction UP then click Find Next.
There should be at least one item dated when you last attempted to update windows. Copy everything 3 - 4 entries above and below that line, then post it here.

Hi,

NOTHING is coming up when I tried the above. The field is empty.

noahdfear · 11th November 2007

Do you mind attaching that log in an email to me so I can study it?

noahdfear · 11th November 2007

Lets try something else. Copy this post to a blank notepad then close all open browser windows.

Click Start>Run and type cmd then hit enter to open a command window.

Highlight and copy the first bolded command below, then right click>Paste it in the command window and hit enter.

net stop wuauserv

regsvr32 wuapi.dll

regsvr32 wuaueng1.dll

regsvr32 wuaueng.dll

regsvr32 wucltui.dll

regsvr32 wups2.dll

regsvr32 wups.dll

regsvr32 wuweb.dll

net start wuauserv

exit

Now do each of the others and restart the computer when done. Try Windows Update again.

left4dead · 12th November 2007

I finally got Windows Update to work. I ran CCleaner, rebooted and checked WU again. Downloaded and installed the remaining updates available.

Do you still need me to post a log or email you as requested above?

Thanks.

noahdfear · 12th November 2007

Nope ....... if it's working there's no need to persue the cause

Glad to hear you got that sorted. Anything else we need to do?

left4dead · 12th November 2007

Quote:

Originally Posted by noahdfear

Nope ....... if it's working there's no need to persue the cause

Glad to hear you got that sorted. Anything else we need to do?

Nope. I'm very appreciative for all the help/support I have received in this thread, especially from you noahdfear. Someone recommended me this site and I'm sure glad I was pointed in this direction. One of the best support forums I have ever visited. Thanks to you all.

Cheers.

noahdfear · 12th November 2007

Glad we could help.