|
#16
| -------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 22, 2008 6:19:15 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/01/2008
Kaspersky Anti-Virus database records: 526417
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 67894
Number of viruses found: 4
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:23:16
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Richard\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Temp\Perflib_Perfdata_928.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Temp\Perflib_Perfdata_d14.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Richard\ntuser.dat Object is locked skipped
C:\Documents and Settings\Richard\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Morpheus\morpheustoolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8976CBE2-1549-4661-87C3-C00D39BB8C88}\RP144\A0092919.dll Infected: not-a-virus:AdWare.Win32.Shopper.q skipped
C:\System Volume Information\_restore{8976CBE2-1549-4661-87C3-C00D39BB8C88}\RP174\A0101637.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{8976CBE2-1549-4661-87C3-C00D39BB8C88}\RP175\A0101657.dll Infected: not-a-virus:AdWare.Win32.Shopper.q skipped
C:\System Volume Information\_restore{8976CBE2-1549-4661-87C3-C00D39BB8C88}\RP176\A0101757.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{8976CBE2-1549-4661-87C3-C00D39BB8C88}\RP176\A0101772.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{8976CBE2-1549-4661-87C3-C00D39BB8C88}\RP180\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\RTacDbg.txt Object is locked skipped
C:\WINDOWS\S8610E483.tmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\ALCXWDMM.sys Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed. |
| |
|
#17
| There is only one place in the log that needs fixed.
Please download OTMoveIt2 by OldTimer (OTMoveIt2.exe) and save it to your desktop.
Double click OTMoveIt2.exe to launch it.
Be sure there is a check mark next to Unregister Dll's and OCX's.
Code: C:\Program Files\Morpheus\morpheustoolbar.exe
Click Exit to close OTMoveIt.
Next, post the OTMoveIt log. |
|
#18
| C:\Program Files\Morpheus\morpheustoolbar.exe moved successfully. OTMoveIt2 v1.0.12 log created on 01222008_164000 |
|
#19
| still have popups though |
|
#20
| Finally!!!!!!!!! How is the computer now? |
|
#21
| Download SmitfraudFix (by S!Ri) to your Desktop.
|
|
#22
| SmitFraudFix v2.274
Scan done at 16:49:12.00, Tue 01/22/2008
Run from C:\Documents and Settings\Richard\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Richard
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Richard\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Richard\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix.exe by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 24.197.160.21
DNS Server Search Order: 24.197.160.18
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CB017379-BE3F-4F32-BB52-0B56B6717D3F}: DhcpNameServer=24.197.160.21 24.197.160.18
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CB017379-BE3F-4F32-BB52-0B56B6717D3F}: DhcpNameServer=24.197.160.21 24.197.160.18
HKLM\SYSTEM\CS2\Services\Tcpip\..\{CB017379-BE3F-4F32-BB52-0B56B6717D3F}: DhcpNameServer=24.197.160.21 24.197.160.18
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.197.160.21 24.197.160.18
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.197.160.21 24.197.160.18
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.197.160.21 24.197.160.18
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End |
|
#23
| Go to Add/Remove Programs and look for Windows Messenger (not MSN Messenger). If it is there, uninstall it.
----------
Please download, install, update and run CounterSpy.
Download CounterSpy V2
CounterSpy is a 15 day full featured evaluation.
1. Double click the installer on the desktop.
2. After CounterSpy is installed and you have restarted your computer (if prompted), double-click the icon on your desktop to begin the install.
3. The Getting Started setup wizard opens. The wizard will guide you through the initial steps needed to configure CounterSpy.
** When the Activate Now prompt appears, just click Next.
To scan your computer
1. Click System Scan on the main page. The System Scan page opens.
2. Set the scan options on the left side of the page. We recommend selecting Full System scan.
3. Click Scan Now. CounterSpy starts scanning your computer. After the scan is complete, the CounterSpy System Scan Results summary window opens.
4. Review the summarized information, then click View Results. You return to the System Scan results page.
To take action against a security risk
1. Select a security risk.
2. Make a selection from the Recommended Action drop down menu next to it and select Remove.
** Select Remove in all menus.
3. Check the Create restore point option. This will create the Windows backup (useful in case something goes wrong). Then press Take Action.
4. Now CounterSpy will ask you to confirm your actions. Press Yes within the window that appears. This will start the removal process.
5. The program may need to reboot your computer. Clicking Yes if prompted is highly recommended.
--
To manage the quarantined spyware
* CounterSpy maintains a backup of quarantined items.
* To access the Quarantine, click on the View menu, select Spyware Scan and then choose the Manage Spyware Quarantine option.
* To remove a certain item from the quarantine, place a checkmark next to it and click Permanently remove all checked items. (use this option)
* To restore an item, click on the Un-quarantine all checked items link. (Un-quarantine is only to be used if the computer is not running correctly due to items being removed by CounterSpy.)
* Clicking on the Check all items link will put a checkmark next to each item. Clicking on Un-check all items will deselect all quarantined threats.
* CounterSpy will ask you to confirm your action. If you want to restore or delete an item, you must reply positively by pressing the Yes button.
* Exit CounterSpy.
Next, post the CounterSpy log. |