
Solved XP Pro Hacked: Lost Admin rights on User Account!

Discussion in 'Malware and Virus Removal Archive' started by left4dead, 2007/11/04.

  1. 2007/11/04
    left4dead

    [Resolved] XP Pro Hacked: Lost Admin rights on User Account!

    Hi... new member here looking for some help. I believe my Windows XP Pro machine has been hacked (or hit by a virus).

    I have lost ALL "Computer Administrator" rights on my user account. The Control Panel is missing from the Start Menu, I can not access the Task Manager, right-click on Desktop Properties or go to Windows Update.

    I keep getting a message stating that I have a "Limited Account" and that I can not access those features.

    In SAFE MODE (logged in as "Administrator")... the user account is displayed as Computer Administrator, yet it's still acting like a Limited Account.

    So I decided to create another Admin User Account and DELETE the other hacked account. I copied all the necessary files from one account to the other, but when trying to delete/remove the 1st account... I received a "8007042" error message and the deletion process failed to complete.

    I'm really hoping to correct this issue WITHOUT formatting or re-installing Windows XP (since I can not find my Recovery CD and my pc is out of warranty).

    I have already run a Virus scan (found "printer.exe" trojan....which was removed; not sure if related to this issue or not?) and Spyware scans (clean).

    Is there a way to RESTORE Computer Administration rights back to my User Account via Registry Tweaking or some other modification or program???

    I was told that this forum would be useful.....so any help/info/suggestions would be greatly appreciated.

    Thanks.
     

  4. 2007/11/04
    PeteC

    left4dead - Welcome to the Board :)

    It is likely that your computer has been compromised by an infection...

    Please download HijackThis through Quicklinks in my signature and save it to a folder on your hard drive, say C:\HJT - not to the Desktop or a temporary location. When entries are fixed with HJT a backup is made to the folder from which HJT is run and this must be in a permanent location.

    Open the folder in which you placed HJT and double click on hijackthis.exe and select Scan and save a log file - this will be saved in the folder from which you ran HJT. Post the log (copy/paste) into your next post here.

    In the meantime I have moved your thread to the Removing Spyware & Viruses forum.
     
  5. 2007/11/04
    left4dead

    Hi,

    Thanks for your help. Here's my HJT log below.

    Also KIS 7 recent found and Quarantined 2 "trojans" (c:\windows\system32\winavxx.exe and c:\windows\system32\printer.exe)

    ----------------------------------------------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:16:45 PM, on 11/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\cFosSpeed\spd.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\$ISR\$APP\Setup\ISRService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\cFosSpeed\cFosSpeed.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Steph\Desktop\PC Tools\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/stg_drm.ocx
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/armhelper.ocx
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\Program Files\CachemanXP\CachemanXP.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: FirstDefense-ISR Service (ISRService) - Raxco Software, Inc. - C:\$ISR\$APP\Setup\ISRService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
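The log above is what a helper reads by eye. The O7 line is a Policies\System restriction (DisableRegedit=1), and the poster's other symptoms (no Task Manager, no Control Panel, no Display Properties, no Windows Update) are produced by sibling policy values in the same two registry keys. As an added example, not part of this thread or of HijackThis itself, here is a small Python triage script that parses HijackThis lines and reports the entries most worth reviewing: O7 policy restrictions that cause exactly those lockouts, O20 AppInit_DLLs, O16 ActiveX controls registered from a local file, and O4 autostarts pointing into temp or profile folders. The sample lines are copied from the log above plus one constructed O4 line (an autostart from a Temp folder, marked in the code) so that rule has something to report; the policy-name table and the path heuristic are this example's own, not HijackThis rules.

```python
"""Triage a HijackThis log for the entries most often behind a
"Limited Account"-style lockout.  Added example, not part of the thread
or of HijackThis itself."""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (HJT section, severity, explanation)

# Real Windows policy values (HKLM/HKCU ...\Policies\System or \Explorer)
# and the symptom each one produces.  HijackThis reports them on O7 lines.
LOCKOUT_POLICIES = {
    "DisableRegedit": "registry editor blocked",
    "DisableRegistryTools": "registry editor blocked",
    "DisableTaskMgr": "Task Manager blocked",
    "NoControlPanel": "Control Panel hidden",
    "NoDispCPL": "Display Properties blocked",
    "NoWindowsUpdate": "Windows Update blocked",
    "NoRun": "Run dialog removed",
    "NoFolderOptions": "Folder Options removed",
}

# Path fragments (8.3 short names included) an autostart entry should not
# normally point into.  Heuristic of this example, not a HijackThis rule.
UNUSUAL_AUTOSTART_DIRS = (
    "\\temp\\", "\\locals~1\\", "\\local settings\\",
    "\\docume~1\\", "\\documents and settings\\", "\\application data\\",
)

# Lines copied from the log posted above, plus ONE constructed O4 line
# ([updater], launched from a Temp folder) so the autostart rule has
# something to report.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\Steph\LOCALS~1\Temp\svchost.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/stg_drm.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(log: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (section, body) pairs; the header and
    the 'Running processes' block do not match and are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["sec"], m["body"]))
    return entries


def _autostart_path(body: str) -> str:
    """Program path from an O4 body such as
    HKLM\\..\\Run: [Name] "C:\\dir\\x.exe" -args  (quoted or bare)."""
    target = body.partition("] ")[2].strip()
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target.split(" -", 1)[0]  # drop arguments such as ' -atboottime'


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for sec, body in parse_hjt(log):
        if sec == "O7":  # '<policy key>, Name=Value'
            name, _, value = body.rpartition(", ")[2].partition("=")
            meaning = LOCKOUT_POLICIES.get(name.strip())
            if meaning and value.strip() not in ("", "0"):
                findings.append((sec, "high", f"policy {name.strip()}={value.strip()}: {meaning}"))
        elif sec == "O4":
            path = _autostart_path(body)
            if any(frag in path.lower() for frag in UNUSUAL_AUTOSTART_DIRS):
                findings.append((sec, "high", f"autostart from unusual location: {path}"))
        elif sec == "O20":  # loaded into every process that uses user32.dll
            findings.append((sec, "review", f"AppInit_DLLs entry: {body.partition(': ')[2]}"))
        elif sec == "O16" and "file:///" in body:
            findings.append((sec, "review", f"ActiveX control registered from a local file: {body}"))
    return findings


if __name__ == "__main__":
    for sec, severity, text in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {sec}: {text}")
```

Run against the sample it reports four items: the constructed O4 autostart and the O7 policy as "high", the O16 local ActiveX control and the O20 AppInit_DLLs entry (Kaspersky's, in this thread) as "review". The O23 service and the Program Files autostarts produce nothing, which is the point: the script narrows the list a helper has to look at, it does not decide what to remove.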
     
  6. 2007/11/04
    noahdfear

    And another welcome to WindowsBBS :)

    Let's run a tool that's been updated for this infection. Download SmitfraudFix by S!Ri, saving it to the desktop.

    • Restart the computer in Safe Mode by tapping the F8 key upon startup and selecting Safe Mode from the Advanced Startup Menu. Log on to your account.
    • Double-click SmitfraudFix.exe to start the tool and press 2, then hit Enter.
    • You will be prompted 'Do you want to clean the registry?' answer Y (yes) and hit Enter.
    • If prompted to replace the infected wininet.dll file (if found), answer Y (yes) and hit Enter to restore a clean file.
    • Reboot to normal mode when the tool completes.

    Note: You must be logged onto an account with administrator privileges to complete the following.

    Download Deckard's System Scanner (dss.exe) to your desktop.
    • Close all applications and windows.
    • Double click on dss.exe to run it and follow the prompts.
    • When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.
    Post the contents of main.txt and the SmitfraudFix log at C:\rapport.txt
     
  7. 2007/11/05
    left4dead

    Hi noahdfear,

    Thanks for your help. It seems to have done the trick. I can now access my Control Panel, Task Manager, Properties and go to Windows Update.

    However, I encountered a problem during Windows Update: there were 8 updates available and it FAILED to install all of them. There was no error message or code... it just said "a problem with your computer prevented the updates from installing."

    Below are the logs you requested:

    ---------------------------------------
    -- System Restore --------------------------------------------------------------

    System Restore is disabled; attempting to re-enable...success.


    -- Last 1 Restore Point(s) --
    1: 2007-11-05 04:15:28 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 247 MiB (512 MiB recommended).


    -- HijackThis (run as Steph.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:16:57 PM, on 11/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\cFosSpeed\cFosSpeed.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\cFosSpeed\spd.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\$ISR\$APP\Setup\ISRService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Steph\Desktop\dss.exe
    C:\DOCUME~1\Steph\Desktop\PCTOOL~1\Steph.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
    O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottime
    O4 - HKLM\..\Run: [AVP] 'C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe'
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/stg_drm.ocx
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/armhelper.ocx
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\Program Files\CachemanXP\CachemanXP.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: FirstDefense-ISR Service (ISRService) - Raxco Software, Inc. - C:\$ISR\$APP\Setup\ISRService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O24 - Desktop Component 0: (no name) - (no file)

    --
    End of file - 3704 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 Rss - c:\windows\system32\drivers\rss.sys <Not Verified; Raxco Software, Inc.; Raxco Software, Inc. rss>
    R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 ISRService (FirstDefense-ISR Service) - c:\$isr\$app\setup\isrservice.exe <Not Verified; Raxco Software, Inc.; FirstDefense-ISR>

    S3 CachemanXPService (CachemanXP) - c:\program files\cachemanxp\cachemanxp.exe <Not Verified; Outertech; >
    S3 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID:
    Description: USB Camera
    Device ID: USB\VID_05A9&PID_8519&MI_00\6&280F7049&0&0000
    Manufacturer:
    Name: USB Camera
    PNP Device ID: USB\VID_05A9&PID_8519&MI_00\6&280F7049&0&0000
    Service:


    -- Files created between 2007-10-04 and 2007-11-04 -----------------------------

    2007-11-04 22:03:48 1512 --a------ C:\WINDOWS\system32\tmp.reg
    2007-11-04 22:03:12 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-11-04 22:03:12 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2007-11-04 22:03:12 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2007-11-04 22:03:12 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2007-11-04 22:03:12 51200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-11-02 16:23:05 0 d-------- C:\Program Files\bfgclient
    2007-11-02 16:23:05 0 d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
    2007-10-29 17:30:52 0 dr-h----- C:\Documents and Settings\Steph\Recent
    2007-10-28 22:56:53 0 --a------ C:\WINDOWS\system32\SBRC.dat
    2007-10-28 22:56:53 0 --a------ C:\WINDOWS\system32\SBFC.dat
    2007-10-28 21:21:19 280 --a------ C:\WINDOWS\system32\PDBootState
    2007-10-28 20:52:35 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-28 20:14:50 0 d-------- C:\Documents and Settings\Steph\Application Data\Sunbelt Software
    2007-10-28 20:14:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    2007-10-28 20:11:30 0 d-------- C:\Program Files\Sunbelt Software
    2007-10-28 19:53:38 81549 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2007-10-28 19:53:38 82061 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2007-10-28 19:52:26 0 d-------- C:\Program Files\Kaspersky Lab
    2007-10-28 19:52:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-10-28 19:52:20 49952 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-10-28 19:52:20 6379552 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-10-28 19:47:23 0 d-------- C:\KAV
    2007-10-28 19:17:55 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
    2007-10-28 18:53:58 0 dr------- C:\Documents and Settings\NetworkService\Favorites
    2007-10-15 21:13:09 0 d-------- C:\Documents and Settings\Steph\Application Data\ZoomBrowser EX
    2007-10-14 20:43:16 0 d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
    2007-10-14 20:42:43 0 d-------- C:\Program Files\Canon
    2007-10-14 20:41:45 0 d-------- C:\Program Files\Common Files\Canon


    -- Find3M Report ---------------------------------------------------------------

    2007-11-04 22:11:51 0 d-------- C:\Program Files\cFosSpeed
    2007-10-28 22:52:54 0 d-------- C:\Program Files\XP Smoker
    2007-10-28 19:27:19 0 d-------- C:\Program Files\Common Files
    2007-10-28 19:14:32 0 d-------- C:\Program Files\Registry Smoker
    2007-10-28 19:00:53 0 d-------- C:\Program Files\RegHealer
    2007-10-28 18:56:48 0 d-------- C:\Program Files\CachemanXP
    2007-10-28 18:41:37 27032 --a----c- C:\WINDOWS\system32\tcpipbak.reg
    2007-09-26 22:41:37 0 d-------- C:\Program Files\Trend Micro
    2007-09-26 20:10:58 0 d-------- C:\Documents and Settings\Steph\Application Data\Move Networks
    2007-09-23 14:14:45 0 d-------- C:\Program Files\Ace Utilities
    2007-09-15 19:47:55 0 d-------- C:\Documents and Settings\Steph\Application Data\funkitron
    2007-09-15 19:47:14 0 d-------- C:\Program Files\Slingo ® Deluxe
    2007-09-15 09:49:39 0 d-------- C:\Program Files\Slingo Quest
    2007-09-15 09:49:37 0 d-------- C:\Documents and Settings\Steph\Application Data\SpinTop
    2007-08-29 15:10:49 3350 --ahs--c- C:\WINDOWS\system32\KGyGaAvL.sys
    2007-08-29 15:10:45 56 -r-hs--c- C:\WINDOWS\system32\044FB2F2B2.sys


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    'WinPatrol'='C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe' [10/26/2007 10:06 AM]
    'cFosSpeed'='C:\Program Files\cFosSpeed\cFosSpeed.exe' [10/29/2007 05:02 PM]
    'QuickTime Task'='C:\Program Files\QuickTime\qttask.exe' [10/25/2006 06:58 PM]
    'AVP'='C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe' [06/28/2007 11:51 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    'InstallVisualStyle'=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    'InstallTheme'=C:\WINDOWS\Resources\Themes\Royale.theme
    'RunStartupScriptSync'=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    'DisableRegistryTools'=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    'NoLowDiskSpaceChecks'=1 (0x1)
    'NoInstrumentation'=1 (0x1)
    'NoSMBalloonTip'=0 (0x0)
    'NoDesktopCleanupWizard'=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    'appinit_dlls'=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
    @='Service'

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    'QuickTime Task'='C:\Program Files\QuickTime\qttask.exe' -atboottime
    'SBCSTray'=C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    'ISR_MONITOR'=C:\$ISR\$APP\ISRMonitor.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]




    -- End of Deckard's System Scanner: finished at 2007-11-04 22:18:11 -------------------------------------------------------

    SmitFraudFix v2.248

    Scan done at 22:07:06.07, Sun 11/04/2007
    Run from C:\Documents and Settings\Steph\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{F054F42F-13C4-4710-9C97-2C7C93AE4684}:
    DhcpNameServer=24.93.41.125 24.93.41.126
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{F054F42F-13C4-4710-9C97-2C7C93AE4684}:
    DhcpNameServer=24.93.41.125 24.93.41.126
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{F054F42F-13C4-4710-9C97-2C7C93AE4684}:
    DhcpNameServer=24.93.41.125 24.93.41.126
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
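The "Files created" and "Find3M" listings in the Deckard's System Scanner output above are what a helper reads for recently dropped files. As an added example, not part of the thread or of the scanner itself, here is a Python script that parses those listing lines (date, time, size, a nine-character attribute field, path, optional verification note) and returns a review list: files carrying both the hidden and system attributes, and executable code created under \WINDOWS on or after a chosen date. The sample lines are copied from the listing above; the attribute-field layout (d r a h s . . c .) is read off those lines, and the `since` window parameter is this example's own. The output is a list to look at, not a verdict: on this thread's data it includes SmitfraudFix's own tools and Kaspersky's data files, which is exactly why a helper checks each entry rather than deleting on sight.

```python
"""Parse the 'Files created' / 'Find3M' listing that Deckard's System
Scanner prints and pick out entries worth a second look.  Added example,
not part of the thread or of the scanner itself."""
import re
from datetime import date
from typing import List, NamedTuple

# Lines copied from the listing posted in this thread.
SAMPLE_LISTING = r"""
2007-11-04 22:03:48 1512 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-04 22:03:12 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-04 22:03:12 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-11-02 16:23:05 0 d-------- C:\Program Files\bfgclient
2007-10-28 19:52:20 49952 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-29 15:10:49 3350 --ahs--c- C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-29 15:10:45 56 -r-hs--c- C:\WINDOWS\system32\044FB2F2B2.sys
"""

# date time size flags path[ <verification note>]; the flags field is nine
# characters laid out d r a h s . . c . (directory, read-only, archive,
# hidden, system, ..., compressed), as read off the listing above.
DSS_LINE = re.compile(
    r"^(?P<d>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?P<size>\d+) "
    r"(?P<flags>[-a-z]{9}) (?P<path>.+)$"
)
CODE_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl")


class Entry(NamedTuple):
    created: date
    size: int
    flags: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.flags[0] == "d"

    @property
    def hidden_system(self) -> bool:
        return "h" in self.flags and "s" in self.flags


def parse_dss(listing: str) -> List[Entry]:
    """Turn listing lines into Entry records; the '<Not Verified; ...>'
    trailer that the scanner appends to some paths is dropped."""
    entries = []
    for line in listing.splitlines():
        m = DSS_LINE.match(line.strip())
        if m:
            path = m["path"].split(" <", 1)[0]
            entries.append(Entry(date.fromisoformat(m["d"]), int(m["size"]),
                                 m["flags"], path))
    return entries


def triage_dss(listing: str, since: str) -> List[str]:
    """Review items for files created on or after `since` (YYYY-MM-DD):
    hidden+system files anywhere, and code files under the Windows tree."""
    window_start = date.fromisoformat(since)
    items = []
    for e in parse_dss(listing):
        if e.is_dir or e.created < window_start:
            continue
        where = f"{e.path} ({e.size} bytes, created {e.created})"
        lower = e.path.lower()
        if e.hidden_system:
            items.append(f"hidden+system file: {where}")
        elif "\\windows\\" in lower and lower.endswith(CODE_EXT):
            items.append(f"code created under Windows: {where}")
    return items


if __name__ == "__main__":
    for item in triage_dss(SAMPLE_LISTING, since="2007-08-01"):
        print(item)
```

With the window opened at 2007-08-01 the sample yields five items (two SmitfraudFix tools under system32, Kaspersky's fidbox2.dat and the two hidden+system .sys files from August); moving the window to 2007-10-01 drops the August files and leaves three. Narrowing the window to the dates the symptoms appeared is the usual first step, and the directory entries and plain .reg/.dat files without hidden+system attributes are never listed.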
     
  8. 2007/11/05
    noahdfear

    A bit more to do. Download ComboFix by sUBs from here, saving the file to your desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  9. 2007/11/06
    left4dead

    Hi,

    Below are the logs you requested. Cheers.
    ---------------------------------------------
    ComboFix 07-11-07.3 - Steph 2007-11-06 19:57:13.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.60 [GMT -6:00]
    Running from: C:\Documents and Settings\Steph\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07)))))))))))))))))))))))))))))))
    .

    2007-11-06 19:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-05 00:32 <DIR> d-------- C:\Program Files\MSBuild
    2007-11-05 00:26 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
    2007-11-05 00:25 <DIR> d-------- C:\Program Files\Reference Assemblies
    2007-11-05 00:23 <DIR> d-------- C:\WINDOWS\LastGood
    2007-11-05 00:23 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
    2007-11-04 22:14 <DIR> d-------- C:\Deckard
    2007-11-04 22:03 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2007-11-04 22:03 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-11-04 22:03 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-11-04 22:03 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-11-04 22:03 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-11-04 22:03 1,512 --a------ C:\WINDOWS\system32\tmp.reg
    2007-11-02 21:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
    2007-11-02 21:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
    2007-11-02 21:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
    2007-11-02 21:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
    2007-11-02 21:53 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
    2007-11-02 21:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
    2007-11-02 21:53 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
    2007-11-02 21:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
    2007-11-02 16:23 <DIR> d-------- C:\Program Files\bfgclient
    2007-11-02 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
    2007-10-29 19:42 706,512 -ra------ C:\WINDOWS\system32\drivers\cfosspeed.sys
    2007-10-29 13:51 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
    2007-10-29 13:51 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
    2007-10-29 13:51 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
    2007-10-29 13:51 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
    2007-10-29 13:51 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
    2007-10-29 13:22 290,816 --a------ C:\WINDOWS\system32\dllcache\adsiis51.dll
    2007-10-29 13:22 188,480 --a------ C:\WINDOWS\system32\dllcache\cfgwiz.exe
    2007-10-29 13:22 46,592 --a------ C:\WINDOWS\system32\dllcache\coadmin.dll
    2007-10-29 13:22 43,520 --a------ C:\WINDOWS\system32\dllcache\admwprox.dll
    2007-10-29 13:22 20,540 --a------ C:\WINDOWS\system32\dllcache\author.dll
    2007-10-29 13:22 20,540 --a------ C:\WINDOWS\system32\dllcache\admin.dll
    2007-10-29 13:22 16,439 --a------ C:\WINDOWS\system32\dllcache\author.exe
    2007-10-29 13:22 16,439 --a------ C:\WINDOWS\system32\dllcache\admin.exe
    2007-10-28 22:56 0 --a------ C:\WINDOWS\system32\SBRC.dat
    2007-10-28 22:56 0 --a------ C:\WINDOWS\system32\SBFC.dat
    2007-10-28 20:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-28 20:14 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\Sunbelt Software
    2007-10-28 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    2007-10-28 20:11 <DIR> d-------- C:\Program Files\Sunbelt Software
    2007-10-28 19:53 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2007-10-28 19:53 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2007-10-28 19:52 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-10-28 19:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-10-28 19:52 7,368,736 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-10-28 19:52 105,248 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-10-28 19:47 <DIR> d-------- C:\KAV
    2007-10-28 19:17 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
    2007-10-15 21:13 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\ZoomBrowser EX
    2007-10-15 21:05 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
    2007-10-15 21:05 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2007-10-15 21:05 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
    2007-10-15 21:05 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
    2007-10-14 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
    2007-10-14 20:42 <DIR> d-------- C:\Program Files\Canon
    2007-10-14 20:41 <DIR> d-------- C:\Program Files\Common Files\Canon

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-07 01:55 --------- d-----w C:\Program Files\cFosSpeed
    2007-11-07 01:54 99,500 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2007-11-07 01:54 10,748 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-10-29 23:02 281,552 ----a-w C:\WINDOWS\system32\cfosspeed.dll
    2007-10-29 04:52 --------- d-----w C:\Program Files\XP Smoker
    2007-10-29 01:14 --------- d-----w C:\Program Files\Registry Smoker
    2007-10-29 01:00 --------- d-----w C:\Program Files\RegHealer
    2007-10-29 00:56 --------- d-----w C:\Program Files\CachemanXP
    2007-10-29 00:41 27,032 -c--a-w C:\WINDOWS\system32\tcpipbak.reg
    2007-09-27 04:41 --------- d-----w C:\Program Files\Trend Micro
    2007-09-27 02:10 --------- d-----w C:\Documents and Settings\Steph\Application Data\Move Networks
    2007-09-23 20:14 --------- d-----w C:\Program Files\Ace Utilities
    2007-09-16 01:47 --------- d-----w C:\Program Files\Slingo ® Deluxe
    2007-09-16 01:47 --------- d-----w C:\Documents and Settings\Steph\Application Data\funkitron
    2007-09-16 01:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
    2007-09-15 15:49 --------- d-----w C:\Program Files\Slingo Quest
    2007-09-15 15:49 --------- d-----w C:\Documents and Settings\Steph\Application Data\SpinTop
    2007-08-29 21:10 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2007-08-27 16:26 27,120 ----a-w C:\WINDOWS\system32\SBBD.exe
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-08-21 06:15 683,520 ----a-C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
    2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-08-20 10:04 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-08-20 10:04 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-08-20 10:04 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-08-20 10:04 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-08-20 10:04 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-08-20 10:04 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
    2007-08-20 10:04 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
    2007-08-20 10:04 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
    2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-08-17 10:21 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-08-17 10:20 63,488 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-06_19.49.52.14 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-11-05 06:33:23 70,796 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2007-11-07 01:59:24 70,796 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2007-11-05 06:33:23 437,702 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2007-11-07 01:59:24 437,702 ----a-w C:\WINDOWS\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinPatrol "= "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 10:06]
    "cFosSpeed "= "C:\Program Files\cFosSpeed\cFosSpeed.exe" [2007-10-29 17:02]
    "AVP "= "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 11:51]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PhotoShow Deluxe Media Manager "= "C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe" [2005-05-19 15:59]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "=C:\WINDOWS\Resources\Themes\Royale.theme
    "RunStartupScriptSync "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoInstrumentation "=1 (0x1)
    "NoSMBalloonTip "=0 (0x0)
    "NoDesktopCleanupWizard "=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_Dlls "=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" -atboottime
    "SBCSTray "=C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    "ISR_MONITOR "=C:\$ISR\$APP\ISRMonitor.exe

    R0 Rss;Rss;C:\WINDOWS\system32\drivers\Rss.sys
    R2 ISRService;FirstDefense-ISR Service;C:\$ISR\$APP\Setup\ISRService.exe
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
    S3 CachemanXPService;CachemanXP;C:\Program Files\CachemanXP\CachemanXP.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command


    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-06 19:59:44
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-06 20:00:38
    C:\ComboFix2.txt ... 2007-11-06 19:50
    .
    --- E O F ---

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:01:36 PM, on 11/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\cFosSpeed\spd.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\$ISR\$APP\Setup\ISRService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\cFosSpeed\cFosSpeed.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Steph\Desktop\PC Tools\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/stg_drm.ocx
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/armhelper.ocx
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\Program Files\CachemanXP\CachemanXP.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: FirstDefense-ISR Service (ISRService) - Raxco Software, Inc. - C:\$ISR\$APP\Setup\ISRService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O24 - Desktop Component 0: (no name) - (no file)

    --
    End of file - 3933 bytes
     
  10. 2007/11/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    It appears you ran ComboFix twice. I'd like to see the log from the first run please.
     
  11. 2007/11/06
    left4dead

    left4dead Inactive Thread Starter

    Joined:
    2007/11/04
    Messages:
    22
    Likes Received:
    0
    On the 1st run, I had a security program freeze....so I rebooted, turned off the program and ran again. Nothing changed from 1st log to 2nd.

    Is this okay?
     
  12. 2007/11/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Something did change. There were a number of files removed. ;)

    Please post the contents of C:\QooBox\ComboFix-quarantined-files.txt
     
  13. 2007/11/06
    left4dead

    left4dead Inactive Thread Starter

    Joined:
    2007/11/04
    Messages:
    22
    Likes Received:
    0
    Before the 2nd scan....I deleted 2 "trojans" that were previously quarantined in KIS 7 (c:\windows\system32\winavxx.exe and c:\windows\system32\printer.exe).

    Here is the ComboFix log #1 (prior to deletion of those 2 files)....sorry for any inconvenience.
    ---------------------------------------------------

    ComboFix 07-11-07.3 - Steph 2007-11-06 19:45:36.1 - NTFSx86
    Running from: C:\Documents and Settings\Steph\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
    .

    2007-11-06 19:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-05 00:32 <DIR> d-------- C:\Program Files\MSBuild
    2007-11-05 00:26 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
    2007-11-05 00:25 <DIR> d-------- C:\Program Files\Reference Assemblies
    2007-11-05 00:23 <DIR> d-------- C:\WINDOWS\LastGood
    2007-11-05 00:23 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
    2007-11-04 22:42 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
    2007-11-04 22:14 <DIR> d-------- C:\Deckard
    2007-11-04 22:03 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2007-11-04 22:03 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-11-04 22:03 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-11-04 22:03 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-11-04 22:03 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-11-04 22:03 1,512 --a------ C:\WINDOWS\system32\tmp.reg
    2007-11-02 21:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
    2007-11-02 21:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
    2007-11-02 21:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
    2007-11-02 21:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
    2007-11-02 21:53 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
    2007-11-02 21:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
    2007-11-02 21:53 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
    2007-11-02 21:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
    2007-11-02 16:23 <DIR> d-------- C:\Program Files\bfgclient
    2007-11-02 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
    2007-10-29 19:42 706,512 -ra------ C:\WINDOWS\system32\drivers\cfosspeed.sys
    2007-10-29 13:51 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
    2007-10-29 13:51 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
    2007-10-29 13:51 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
    2007-10-29 13:51 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
    2007-10-29 13:51 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
    2007-10-29 13:22 290,816 --a------ C:\WINDOWS\system32\dllcache\adsiis51.dll
    2007-10-29 13:22 188,480 --a------ C:\WINDOWS\system32\dllcache\cfgwiz.exe
    2007-10-29 13:22 46,592 --a------ C:\WINDOWS\system32\dllcache\coadmin.dll
    2007-10-29 13:22 43,520 --a------ C:\WINDOWS\system32\dllcache\admwprox.dll
    2007-10-29 13:22 20,540 --a------ C:\WINDOWS\system32\dllcache\author.dll
    2007-10-29 13:22 20,540 --a------ C:\WINDOWS\system32\dllcache\admin.dll
    2007-10-29 13:22 16,439 --a------ C:\WINDOWS\system32\dllcache\author.exe
    2007-10-29 13:22 16,439 --a------ C:\WINDOWS\system32\dllcache\admin.exe
    2007-10-28 22:56 0 --a------ C:\WINDOWS\system32\SBRC.dat
    2007-10-28 22:56 0 --a------ C:\WINDOWS\system32\SBFC.dat
    2007-10-28 20:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-28 20:14 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\Sunbelt Software
    2007-10-28 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    2007-10-28 20:11 <DIR> d-------- C:\Program Files\Sunbelt Software
    2007-10-28 19:53 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2007-10-28 19:53 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2007-10-28 19:52 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-10-28 19:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-10-28 19:52 7,327,520 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-10-28 19:52 102,688 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-10-28 19:47 <DIR> d-------- C:\KAV
    2007-10-28 19:17 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
    2007-10-15 21:13 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\ZoomBrowser EX
    2007-10-15 21:05 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
    2007-10-15 21:05 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2007-10-15 21:05 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
    2007-10-15 21:05 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
    2007-10-14 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
    2007-10-14 20:42 <DIR> d-------- C:\Program Files\Canon
    2007-10-14 20:41 <DIR> d-------- C:\Program Files\Common Files\Canon

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-07 01:41 --------- d-----w C:\Program Files\cFosSpeed
    2007-11-06 06:12 96,524 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2007-11-06 06:12 9,620 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-10-29 23:02 281,552 ----a-w C:\WINDOWS\system32\cfosspeed.dll
    2007-10-29 04:52 --------- d-----w C:\Program Files\XP Smoker
    2007-10-29 01:14 --------- d-----w C:\Program Files\Registry Smoker
    2007-10-29 01:00 --------- d-----w C:\Program Files\RegHealer
    2007-10-29 00:56 --------- d-----w C:\Program Files\CachemanXP
    2007-10-29 00:41 27,032 -c--a-w C:\WINDOWS\system32\tcpipbak.reg
    2007-09-27 04:41 --------- d-----w C:\Program Files\Trend Micro
    2007-09-27 02:10 --------- d-----w C:\Documents and Settings\Steph\Application Data\Move Networks
    2007-09-23 20:14 --------- d-----w C:\Program Files\Ace Utilities
    2007-09-16 01:47 --------- d-----w C:\Program Files\Slingo ® Deluxe
    2007-09-16 01:47 --------- d-----w C:\Documents and Settings\Steph\Application Data\funkitron
    2007-09-16 01:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
    2007-09-15 15:49 --------- d-----w C:\Program Files\Slingo Quest
    2007-09-15 15:49 --------- d-----w C:\Documents and Settings\Steph\Application Data\SpinTop
    2007-08-29 21:10 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2007-08-27 16:26 27,120 ----a-w C:\WINDOWS\system32\SBBD.exe
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
    2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-08-20 10:04 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-08-20 10:04 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-08-20 10:04 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-08-20 10:04 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-08-20 10:04 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-08-20 10:04 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
    2007-08-20 10:04 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
    2007-08-20 10:04 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
    2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-08-17 10:21 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-08-17 10:20 63,488 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinPatrol "= "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 10:06]
    "cFosSpeed "= "C:\Program Files\cFosSpeed\cFosSpeed.exe" [2007-10-29 17:02]
    "AVP "= "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 11:51]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PhotoShow Deluxe Media Manager "= "C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe" [2005-05-19 15:59]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "=C:\WINDOWS\Resources\Themes\Royale.theme
    "RunStartupScriptSync "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoInstrumentation "=1 (0x1)
    "NoSMBalloonTip "=0 (0x0)
    "NoDesktopCleanupWizard "=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_Dlls "=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" -atboottime
    "SBCSTray "=C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    "ISR_MONITOR "=C:\$ISR\$APP\ISRMonitor.exe

    R0 Rss;Rss;C:\WINDOWS\system32\drivers\Rss.sys
    R2 ISRService;FirstDefense-ISR Service;C:\$ISR\$APP\Setup\ISRService.exe
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
    S3 CachemanXPService;CachemanXP;C:\Program Files\CachemanXP\CachemanXP.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command


    *Newly Created Service* - CATCHME
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-06 19:49:38
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-06 19:50:50
    .
    --- E O F ---
     
  14. 2007/11/07
    tuktaktim

    tuktaktim Inactive

    Joined:
    2007/06/24
    Messages:
    19
    Likes Received:
    0
    May need to edit registry

    You may need to go into the registry and edit a key located at:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    I can't remember the name of the key off the top of my head but you'll know it when you see it. Change the value to the opposite of what it is now.
     
  15. 2007/11/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please post the contents of C:\QooBox\ComboFix-quarantined-files.txt

    Run Deckard's System Scanner again and post the main.txt log too.

    Thanks!
     
  16. 2007/11/07
    left4dead

    left4dead Inactive Thread Starter

    Joined:
    2007/11/04
    Messages:
    22
    Likes Received:
    0
    Other than "(default) ".....it lists the following 2:

    NoDriveAutoRun: 0x03ffffff (67108863)
    NoDriveTypeAutoRun: 0x000000ff (255)
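    The two values above are bitmasks rather than on/off flags. The script below is an added example for this thread (not something either poster ran): it parses the two lines as transcribed in the post and decodes them, NoDriveTypeAutoRun against the GetDriveType() drive classes it is documented to use, NoDriveAutoRun against drive letters A to Z. The bit-to-class names are assumed from that documentation.

```python
"""Decode the Explorer AutoRun policy values quoted in the post above.

Added example for this thread, not a registry read: the two lines in
POSTED_VALUES are copied from the post, and the bit names follow the
GetDriveType() drive classes that NoDriveTypeAutoRun is documented against.
"""
import re

# Constructed sample input, copied from the post above.
POSTED_VALUES = """\
NoDriveAutoRun: 0x03ffffff (67108863)
NoDriveTypeAutoRun: 0x000000ff (255)
"""

# NoDriveTypeAutoRun: one bit per drive class (set bit = AutoRun disabled).
DRIVE_TYPE_BITS = (
    (0x01, "DRIVE_UNKNOWN"),
    (0x02, "DRIVE_NO_ROOT_DIR"),
    (0x04, "DRIVE_REMOVABLE"),
    (0x08, "DRIVE_FIXED"),
    (0x10, "DRIVE_REMOTE"),
    (0x20, "DRIVE_CDROM"),
    (0x40, "DRIVE_RAMDISK"),
    (0x80, "RESERVED_UNKNOWN"),  # documented as a second "unknown type" bit
)
ALL_DRIVE_TYPES = 0xFF             # every class disabled
ALL_DRIVE_LETTERS = (1 << 26) - 1  # NoDriveAutoRun bits 0..25 = A..Z = 0x03FFFFFF

_POLICY_LINE = re.compile(r"^\s*(\w+)\s*:\s*(0x[0-9A-Fa-f]+)\s*\((\d+)\)\s*$")


def parse_policy_lines(text):
    """Parse 'Name: 0xHEX (DEC)' lines as the poster transcribed them.

    The hex and decimal renderings must agree; a mismatch means the
    transcription is unreliable and is reported rather than guessed at.
    """
    values = {}
    for line in text.splitlines():
        match = _POLICY_LINE.match(line)
        if not match:
            continue
        name, hex_text, dec_text = match.groups()
        if int(hex_text, 16) != int(dec_text):
            raise ValueError(f"{name}: {hex_text} and {dec_text} disagree")
        values[name] = int(hex_text, 16)
    return values


def decode_drive_types(mask):
    """Drive classes on which NoDriveTypeAutoRun disables AutoRun."""
    return [name for bit, name in DRIVE_TYPE_BITS if mask & bit]


def decode_drive_letters(mask):
    """Drive letters on which NoDriveAutoRun disables AutoRun (bit n = letter n)."""
    return "".join(chr(ord("A") + i) for i in range(26) if mask & (1 << i))


def autorun_fully_disabled(values):
    """True when either mask on its own already covers every drive."""
    type_mask = values.get("NoDriveTypeAutoRun", 0)
    letter_mask = values.get("NoDriveAutoRun", 0)
    return ((type_mask & ALL_DRIVE_TYPES) == ALL_DRIVE_TYPES
            or (letter_mask & ALL_DRIVE_LETTERS) == ALL_DRIVE_LETTERS)


def report(text):
    """Human-readable summary: one line per value plus a verdict line."""
    values = parse_policy_lines(text)
    lines = []
    if "NoDriveTypeAutoRun" in values:
        classes = decode_drive_types(values["NoDriveTypeAutoRun"])
        lines.append("NoDriveTypeAutoRun disables: " + ", ".join(classes))
    if "NoDriveAutoRun" in values:
        letters = decode_drive_letters(values["NoDriveAutoRun"])
        lines.append("NoDriveAutoRun disables letters: " + letters)
    verdict = "yes" if autorun_fully_disabled(values) else "no"
    lines.append("AutoRun fully disabled: " + verdict)
    return lines


if __name__ == "__main__":
    print("\n".join(report(POSTED_VALUES)))
```

    For the posted values both masks are saturated, so AutoRun is off for every drive class and every letter; that is the state a cleanup would want, and it also explains why the mountpoints2 AutoRun entries in the logs above are inert.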
     
  17. 2007/11/07
    left4dead

    left4dead Inactive Thread Starter

    Joined:
    2007/11/04
    Messages:
    22
    Likes Received:
    0
    Hi,

    NO such file exists in that particular location. Might it be stored somewhere else?

    Here it is. Thanks for your help and patience. :)

    ++++++++++++++++++++++++++++++++++++++++++++++++++++

    Deckard's System Scanner v20071014.68
    Run by Steph on 2007-11-07 23:00:33
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------
    Total Physical Memory: 247 MiB (512 MiB recommended).

    -- HijackThis (run as Steph.exe) -----------------------------------------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:00:45 PM, on 11/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\cFosSpeed\spd.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\$ISR\$APP\Setup\ISRService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\cFosSpeed\cFosSpeed.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    C:\Documents and Settings\Steph\Desktop\dss.exe
    C:\DOCUME~1\Steph\Desktop\PCTOOL~1\Steph.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/stg_drm.ocx
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/armhelper.ocx
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\Program Files\CachemanXP\CachemanXP.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: FirstDefense-ISR Service (ISRService) - Raxco Software, Inc. - C:\$ISR\$APP\Setup\ISRService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O24 - Desktop Component 0: (no name) - (no file)
    --
    End of file - 4122 bytes
    -- Files created between 2007-10-07 and 2007-11-07 -----------------------------
    2007-11-07 00:46:35 0 d-------- C:\Program Files\MSXML 6.0
    2007-11-05 00:32:28 0 d-------- C:\Program Files\MSBuild
    2007-11-05 00:26:37 0 d-------- C:\WINDOWS\system32\XPSViewer
    2007-11-05 00:25:17 0 d-------- C:\Program Files\Reference Assemblies
    2007-11-05 00:23:08 0 d-------- C:\5978a055841da56daca2
    2007-11-04 22:24:03 0 dr-h----- C:\Documents and Settings\Steph\Recent
    2007-11-04 22:03:48 1512 --a------ C:\WINDOWS\system32\tmp.reg
    2007-11-04 22:03:12 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-11-04 22:03:12 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2007-11-04 22:03:12 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2007-11-04 22:03:12 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2007-11-04 22:03:12 51200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-11-02 16:23:05 0 d-------- C:\Program Files\bfgclient
    2007-11-02 16:23:05 0 d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
    2007-10-28 22:56:53 0 --a------ C:\WINDOWS\system32\SBRC.dat
    2007-10-28 22:56:53 0 --a------ C:\WINDOWS\system32\SBFC.dat
    2007-10-28 21:21:19 280 --a------ C:\WINDOWS\system32\PDBootState
    2007-10-28 20:52:35 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-28 20:14:50 0 d-------- C:\Documents and Settings\Steph\Application Data\Sunbelt Software
    2007-10-28 20:14:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    2007-10-28 20:11:30 0 d-------- C:\Program Files\Sunbelt Software
    2007-10-28 19:53:38 81549 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2007-10-28 19:53:38 82061 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2007-10-28 19:52:26 0 d-------- C:\Program Files\Kaspersky Lab
    2007-10-28 19:52:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-10-28 19:52:20 112160 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-10-28 19:52:20 7630368 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-10-28 19:47:23 0 d-------- C:\KAV
    2007-10-28 19:17:55 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
    2007-10-28 18:53:58 0 dr------- C:\Documents and Settings\NetworkService\Favorites
    2007-10-15 21:13:09 0 d-------- C:\Documents and Settings\Steph\Application Data\ZoomBrowser EX
    2007-10-14 20:43:16 0 d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
    2007-10-14 20:42:43 0 d-------- C:\Program Files\Canon
    2007-10-14 20:41:45 0 d-------- C:\Program Files\Common Files\Canon

    -- Find3M Report ---------------------------------------------------------------
    2007-11-07 22:58:43 0 d-------- C:\Program Files\cFosSpeed
    2007-10-28 22:52:54 0 d-------- C:\Program Files\XP Smoker
    2007-10-28 19:27:19 0 d-------- C:\Program Files\Common Files
    2007-10-28 19:14:32 0 d-------- C:\Program Files\Registry Smoker
    2007-10-28 19:00:53 0 d-------- C:\Program Files\RegHealer
    2007-10-28 18:56:48 0 d-------- C:\Program Files\CachemanXP
    2007-10-28 18:41:37 27032 --a----c- C:\WINDOWS\system32\tcpipbak.reg
    2007-09-26 22:41:37 0 d-------- C:\Program Files\Trend Micro
    2007-09-26 20:10:58 0 d-------- C:\Documents and Settings\Steph\Application Data\Move Networks
    2007-09-23 14:14:45 0 d-------- C:\Program Files\Ace Utilities
    2007-09-15 19:47:55 0 d-------- C:\Documents and Settings\Steph\Application Data\funkitron
    2007-09-15 19:47:14 0 d-------- C:\Program Files\Slingo ® Deluxe
    2007-09-15 09:49:39 0 d-------- C:\Program Files\Slingo Quest
    2007-09-15 09:49:37 0 d-------- C:\Documents and Settings\Steph\Application Data\SpinTop
    2007-08-29 15:10:49 3350 --ahs--c- C:\WINDOWS\system32\KGyGaAvL.sys
    2007-08-29 15:10:45 56 -r-hs--c- C:\WINDOWS\system32\044FB2F2B2.sys

    -- Registry Dump ---------------------------------------------------------------
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinPatrol "= "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [10/26/2007 10:06 AM]
    "cFosSpeed "= "C:\Program Files\cFosSpeed\cFosSpeed.exe" [10/29/2007 05:02 PM]
    "AVP "= "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [06/28/2007 11:51 AM]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [10/25/2006 06:58 PM]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PhotoShow Deluxe Media Manager "= "C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe" [05/19/2005 03:59 PM]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "=C:\WINDOWS\Resources\Themes\Royale.theme
    "RunStartupScriptSync "=0 (0x0)
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoLowDiskSpaceChecks "=1 (0x1)
    "NoInstrumentation "=1 (0x1)
    "NoSMBalloonTip "=0 (0x0)
    "NoDesktopCleanupWizard "=1 (0x1)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
    @= "Service "
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" -atboottime
    "SBCSTray "=C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    "ISR_MONITOR "=C:\$ISR\$APP\ISRMonitor.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]


    -- End of Deckard's System Scanner: finished at 2007-11-07 23:03:14 ------------
     
  18. 2007/11/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Your logs look good. Scan again with HijackThis and place a check next to the following entry then click Fix Checked.

    O24 - Desktop Component 0: (no name) - (no file)

    Close HijackThis.

    Despite having Kaspersky installed, I'd like for you to run an online scan so we can see if anything was missed.

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.


    How's your computer performing now?
     
  19. 2007/11/11
    left4dead

    left4dead Inactive Thread Starter

    Joined:
    2007/11/04
    Messages:
    22
    Likes Received:
    0
    Hi,

    Below are the logs from HJT and Kaspersky online scan. I checked [O24 - Desktop Component 0: (no name) - (no file)] in HJT but it still showed up after a reboot and a rescan.

    Computer seems well except that I am unable to *install* any Windows Update components (getting a "a problem with your computer prevented the updates from installing" message).
    -------------------------------------------------------

    Saturday, November 10, 2007 7:04:41 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 10/11/2007
    Kaspersky Anti-Virus database records: 456088
    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true
    Scan Target My Computer
    A:\
    C:\
    D:\
    Scan Statistics
    Total number of scanned objects 124781
    Number of viruses found 1
    Number of infected objects 5
    Number of suspicious objects 0
    Duration of the scan process 01:38:53

    Infected Object Name Virus Name Last Action
    C:\$ISR\$ISR Object is locked skipped
    C:\$ISR\$LOGS\ISR.log Object is locked skipped
    C:\$ISR\0\$ISRBIN Object is locked skipped
    C:\$ISR\1\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
    C:\$ISR\1\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Steph\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Steph\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Steph\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Steph\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Steph\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Steph\Local Settings\History\History.IE5\MSHist012007111020071111\index.dat Object is locked skipped
    C:\Documents and Settings\Steph\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Steph\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Steph\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Steph\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000001.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000001.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000001.exe RarSFX: infected - 2 skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000006.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000020.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP12\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    Scan process completed.

    *****************************************************
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:18:25 PM, on 11/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\cFosSpeed\spd.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\$ISR\$APP\Setup\ISRService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\cFosSpeed\cFosSpeed.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Steph\Desktop\PC Tools\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/stg_drm.ocx
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/armhelper.ocx
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\Program Files\CachemanXP\CachemanXP.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: FirstDefense-ISR Service (ISRService) - Raxco Software, Inc. - C:\$ISR\$APP\Setup\ISRService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O24 - Desktop Component 0: (no name) - (no file)

    --
    End of file - 3963 bytes
     
  20. 2007/11/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Delete the following files left behind by SmitfraudFix.

    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\WS2Fix.exe
    C:\WINDOWS\system32\VCCLSID.exe
    C:\WINDOWS\system32\SrchSTS.exe
    C:\WINDOWS\system32\Process.exe
    C:\WINDOWS\system32\dumphive.exe

    You should also delete the SmitfraudFix.exe file and SmitfraudFix folder.

    Empty the recycle bin.

    Only a few System Restore points infected now. Let's clear those out.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.

    Locate the file at C:\Windows\setupapi.log or setupapi.txt, open it then press Ctrl+End
    Click Edit>Find
    Type in Access is denied, select the Direction UP then click Find Next.
    There should be at least one item dated when you last attempted to update windows. Copy everything 3 - 4 entries above and below that line, then post it here.
     
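The conclusion drawn from the Kaspersky log above (only restore-point snapshots still hold detections, so clearing System Restore removes them) can be reached mechanically. This is an added example, not code from the thread or from Kaspersky; it parses a report in the layout quoted in the previous post, treats "Object is locked skipped" lines as non-detections, and separates hits inside `System Volume Information\_restore{...}\RPn` from hits on the live system. The sample report is constructed from a few of the lines above plus one EICAR test-file line added for illustration.

```python
import re

# Constructed sample in the Kaspersky Online Scanner report layout quoted above:
# "<object path> <status> <last action>". The EICAR line is added for illustration.
SAMPLE_REPORT = """\
Infected Object Name Virus Name Last Action
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\Documents and Settings\\Steph\\NTUSER.DAT Object is locked skipped
C:\\System Volume Information\\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\\RP1\\A0000001.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\\System Volume Information\\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\\RP1\\A0000001.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\\System Volume Information\\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\\RP1\\A0000001.exe RarSFX: infected - 2 skipped
C:\\System Volume Information\\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\\RP1\\A0000006.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\\Documents and Settings\\Steph\\Local Settings\\Temp\\sample.tmp Infected: EICAR-Test-File skipped
Scan process completed.
"""

# Paths contain spaces, so anchor on the known status phrases and the trailing
# "skipped" action rather than splitting the line on whitespace.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<status>Object is locked|Infected: (?P<name>\S+)|RarSFX: infected - \d+)"
    r" skipped$"
)
# Objects held only inside a System Restore snapshot folder (RPn).
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\")


def parse_report(text):
    """Yield (path, verdict, detection_name) for each object line; verdict is
    'locked' (not a detection), 'infected', or 'archive' (container of infected members)."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # header, statistics and "Scan process completed." lines
            continue
        status = m.group("status")
        verdict = ("locked" if status.startswith("Object") else
                   "infected" if status.startswith("Infected") else "archive")
        yield m.group("path"), verdict, m.group("name")


def triage(text):
    """Split detections into those sitting only in restore points (removed once
    System Restore is cleared, as advised above) and those on the live system."""
    summary = {"locked": 0, "in_restore_points": [], "live": [], "restore_points": set()}
    for path, verdict, name in parse_report(text):
        if verdict == "locked":
            summary["locked"] += 1  # scanner could not open the file; noise, not a hit
            continue
        rp = RESTORE_RE.search(path)
        if rp:
            summary["in_restore_points"].append((path, name))
            summary["restore_points"].add(rp.group(1))
        else:
            summary["live"].append((path, name))
    return summary
```

On the sample, `triage(SAMPLE_REPORT)` reports two locked objects, four hits confined to RP1, and the single constructed EICAR hit as the only live-system item needing action.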
  21. 2007/11/11
    left4dead

    left4dead Inactive Thread Starter

    Joined:
    2007/11/04
    Messages:
    22
    Likes Received:
    0
    Hi,

    NOTHING is coming up when I tried the above. The field is empty.
     
