
Lately everything I download comes out corrupt. The only thing I was able to download was some Halo 3 wallpaper for my Xbox. I have tried to download NOD32 multiple times and the e-mail link does not work; I tried to download AVG Anti-Virus twice and it came out corrupt. And every time I try to fix this entry with HijackThis, HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm, it just comes back in the next log.

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:12 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1200943665\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NoAdware5.0\NoAdware5.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1200943665\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [AOL Dialer] "C:\Program Files\Common Files\AOL\ACS\AOlDial.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{497B52B1-A0F9-4EB6-BF08-0AB6F2D730A5}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{497B52B1-A0F9-4EB6-BF08-0AB6F2D730A5}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe

--
End of file - 4869 bytes

2 Contributors | 7 Replies | 8 Views | 9 Years Discussion Span | Last Post by MoralTerror

Hi Malwarehunter94

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

If you're not sure how to disable them, double-check against the list found >>>HERE<<<. This list is not all-inclusive; if your programs are not listed and you are unsure, please ask before continuing.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


I just ran NoAdware and it detected and deleted Backdoor.Bifrose and PWS.tans. Here's the ComboFix log:

ComboFix 08-02.05.3 - Owner 2008-02-06 14:07:32.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.146 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\My Documents\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-04 18:55 . 2008-02-04 19:16 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-04 18:55 . 2008-02-04 19:13 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-04 18:55 . 2008-02-04 19:13 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-04 18:55 . 2008-02-04 19:13 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-02 17:29 . 2008-02-02 17:29 361 --a------ C:\WINDOWS\system32\QuickTime.qtp
2008-02-01 19:13 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-02-01 19:13 . 2003-09-19 15:47 10,368 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-02-01 19:13 . 1998-07-21 20:29 21 --a------ C:\WINDOWS\CS_SETUP.ini
2008-02-01 13:33 . 2008-02-01 13:33 <DIR> d-------- C:\Program Files\COMODO
2008-02-01 13:33 . 2008-02-01 13:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Comodo
2008-02-01 13:33 . 2008-02-01 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-02-01 13:33 . 2008-02-01 13:33 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2008-02-01 13:33 . 2008-02-01 13:33 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-02-01 13:33 . 2008-02-01 13:33 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-01-27 23:17 . 2008-01-27 23:17 0 --ah----- C:\WINDOWS\SwSys2.bmp
2008-01-27 23:17 . 2008-01-27 23:17 0 --ah----- C:\WINDOWS\SwSys1.bmp
2008-01-27 21:47 . 2008-01-27 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-26 21:39 . 2008-02-06 14:10 3,385,376 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-26 21:39 . 2008-02-06 14:10 72,992 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-26 21:39 . 2008-02-06 03:15 39,668 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-26 21:39 . 2008-02-06 03:15 7,412 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-26 21:38 . 2008-01-26 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-26 21:34 . 2007-12-18 00:44 219,664 --a------ C:\WINDOWS\system32\klogon.dll
2008-01-26 16:27 . 2005-08-25 18:19 1,066,176 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-01-26 16:27 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-01-26 16:27 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-26 12:26 . 2008-01-26 12:26 <DIR> d-------- C:\WINDOWS\Sun
2008-01-26 00:55 . 2007-01-18 07:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-25 19:50 . 2008-01-27 23:05 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-25 19:49 . 2008-01-25 19:50 <DIR> d-------- C:\Program Files\CCleaner
2008-01-25 12:17 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-25 12:17 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-25 12:17 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-25 12:17 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-25 12:17 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-25 12:17 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-25 12:17 . 2008-01-29 16:38 1,128 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-24 19:54 . 2008-01-24 19:54 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-01-24 19:16 . 2008-01-24 19:16 <DIR> d-------- C:\Program Files\InCode Solutions
2008-01-24 19:13 . 2008-01-24 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-24 19:12 . 2008-01-24 19:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PrevxCSI
2008-01-21 20:04 . 2008-01-21 20:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 14:44 . 2008-01-21 14:44 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-21 14:27 . 2008-01-21 14:27 <DIR> d-------- C:\WINDOWS\aolshare
2008-01-21 14:27 . 2008-01-21 14:30 <DIR> d-------- C:\Program Files\Common Files\aolshare
2008-01-21 14:27 . 2008-01-21 15:58 <DIR> d-------- C:\Program Files\AOL 9.1
2008-01-21 14:27 . 2008-01-21 14:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-21 10:05 . 2008-01-21 10:05 4 --a------ C:\WINDOWS\msoffice.ini
2008-01-20 20:38 . 2008-01-20 20:38 <DIR> d-------- C:\Program Files\AskSBar
2008-01-20 20:38 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-20 20:28 . 2008-01-20 20:28 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-20 19:13 . 2008-01-20 19:13 164 --a------ C:\install.dat
2008-01-20 16:25 . 2008-01-20 16:25 <DIR> d-------- C:\kav
2008-01-20 14:51 . 2008-01-24 14:10 250 --a------ C:\WINDOWS\gmer.ini
2008-01-19 22:33 . 2008-01-20 14:14 <DIR> d-------- C:\Program Files\Google
2008-01-19 22:30 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-19 22:29 . 2008-01-19 22:30 <DIR> d-------- C:\Program Files\Java
2008-01-19 22:29 . 2008-01-19 22:29 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-06 14:57 . 2008-01-06 14:57 <DIR> d-------- C:\Program Files\TryMedia
2008-01-06 14:57 . 2008-01-06 14:57 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-01-06 14:56 . 2008-01-06 14:56 <DIR> d-------- C:\Program Files\Alawar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 20:11 --------- d-----w C:\Program Files\NoAdware5.0
2008-01-21 19:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2008-01-21 19:29 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-21 19:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-21 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-20 21:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-12-27 23:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-27 22:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-12-27 01:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\Viewpoint
2007-12-23 18:29 --------- d-----w C:\Program Files\QuickTime
2007-12-23 18:29 --------- d-----w C:\Program Files\Common Files\Nikon
2007-12-23 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft(2)
2007-12-13 18:28 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
2007-12-12 21:39 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-07 00:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-07 00:37 --------- d-----w C:\Program Files\Nikon
2007-12-07 00:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\Nikon
2007-12-07 00:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-07 00:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-12-07 00:34 --------- d-----w C:\Program Files\ArcSoft
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Dialer"="C:\Program Files\Common Files\AOL\ACS\AOlDial.exe" [2006-10-23 07:50 71216]
"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.exe" [2007-10-31 12:46 50528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\Program Files\Common Files\AOL\1200943665\ee\AOLSoftware.exe" [2007-05-25 12:16 42032]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 15:54 77824 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-17 20:05 339968]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-02-01 13:33 1481472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-02-01 13:33]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-02-01 13:33]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d26910a2-60e1-11dc-94cc-001109043a64}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddeb7f96-6c8f-11dc-b7e1-806d6172696f}]
\shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 14:10:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-02-06 14:11:23
ComboFix-quarantined-files.txt 2008-02-06 19:11:13
ComboFix2.txt 2008-01-25 23:43:28
.
2008-01-10 08:03:09 --- E O F ---


And here's HijackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:21 PM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\AOL\1200943665\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\NoAdware5.0\NoAdware5.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1200943665\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [AOL Dialer] "C:\Program Files\Common Files\AOL\ACS\AOlDial.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{497B52B1-A0F9-4EB6-BF08-0AB6F2D730A5}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{497B52B1-A0F9-4EB6-BF08-0AB6F2D730A5}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe

--
End of file - 5010 bytes
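
The helper asks for a fresh HijackThis log after every step because the log is meant to be read by comparison: what appeared, what vanished, and which of the persistence points (R0 start pages, O4 Run keys, O17 NameServer, O20 AppInit_DLLs) changed. The script below is an added example written for this page; it is not from the thread, from HijackThis, or from Trend Micro. It parses a log into its section codes, reports entries added or removed between two logs, lists the DNS servers set in O17, and flags O4 autoruns whose command is not an absolute path (such as SOUNDMAN.EXE above, which is resolved through the search path). The two sample logs are constructed from a handful of lines in the logs posted above; the "unanchored path" rule is a review heuristic of mine, not a HijackThis rule.

```python
"""Diff two HijackThis logs and pull out the entries a reviewer reads first.

Added example for this thread; not code from HijackThis or Trend Micro.
The sample logs below are constructed from entries posted in the thread.
"""
import re
from typing import Dict, List, Set, Tuple

# Every HijackThis item line begins with a section code (R0-R3, F0-F3, O1-O24).
ITEM_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
# Body of an O4 item: HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
# A command that starts with an optionally quoted drive letter, e.g. "C:\...
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')
# O17 body: ...: NameServer = 1.2.3.4[,5.6.7.8]
NS_RE = re.compile(r"NameServer = ([\d.]+(?:,[\d.]+)*)")


def parse_hjt(text: str) -> Dict[str, Set[str]]:
    """Return {section_code: {item body, ...}} for one log."""
    items: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            items.setdefault(m.group(1), set()).add(m.group(2))
    return items


def _flatten(items: Dict[str, Set[str]]) -> Set[str]:
    return {f"{code} - {body}" for code, bodies in items.items() for body in bodies}


def diff_hjt(old_log: str, new_log: str) -> Tuple[List[str], List[str]]:
    """(added, removed): full item lines present only in new_log / only in old_log."""
    old, new = _flatten(parse_hjt(old_log)), _flatten(parse_hjt(new_log))
    return sorted(new - old), sorted(old - new)


def nameservers(log: str) -> Set[str]:
    """DNS servers configured per interface (O17 items).

    Compare these with the resolver your ISP or router actually hands out;
    a resolver you do not recognise is the classic DNS hijack."""
    ips: Set[str] = set()
    for body in parse_hjt(log).get("O17", ()):
        m = NS_RE.search(body)
        if m:
            ips.update(m.group(1).split(","))
    return ips


def unanchored_autoruns(log: str) -> List[Tuple[str, str]]:
    """O4 Run values whose command is not an absolute path.

    A bare name such as SOUNDMAN.EXE is resolved through the search path at
    logon, so a same-named file placed earlier in that path would run instead.
    Legitimate vendors do this too, so treat it as a review prompt, not a verdict.
    """
    hits = []
    for body in parse_hjt(log).get("O4", ()):
        m = O4_RE.match(body)
        if m and not ABS_PATH_RE.match(m.group(4)):
            hits.append((m.group(3), m.group(4)))
    return sorted(hits)


# Constructed sample: a few lines from the first log in the thread ...
OLD_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{497B52B1-A0F9-4EB6-BF08-0AB6F2D730A5}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
"""
# ... and the second log, which gained one O16 entry after the Panda ActiveScan.
NEW_LOG = OLD_LOG + (
    "O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)"
    " - http://acs.pandasoftware.com/activescan/as5free/asinst.cab\n"
)

if __name__ == "__main__":
    added, removed = diff_hjt(OLD_LOG, NEW_LOG)
    print("added:", *added, sep="\n  ")
    print("removed:", *removed, sep="\n  ")
    print("nameservers:", nameservers(NEW_LOG))
    print("unanchored O4 commands:", unanchored_autoruns(NEW_LOG))
```

Run it with two saved logs read from disk in place of the constructed strings; the diff is usually all a reviewer needs to see whether a fix stuck or an entry (like the R0 line in this thread) keeps coming back.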


Hi Malwarehunter94

NoAdware was previously listed as a rogue anti-spyware due to false positives and aggressive advertising. Although de-listed since v3.0, it is not an app I would trust. See note.

The blank entry in R0 isn't always a sign of malware.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

I see no obvious signs of malware, so one of your security programs may be preventing that entry from being fixed. To be certain, please do the following:

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\SwSys2.bmp
C:\WINDOWS\SwSys1.bmp


Save this as CFScript.txt, in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt".

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended

Scan Options: Scan Archives
Scan Mail Bases


Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

Attachment: CFScript.gif (27.09 KB)
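
The File:: script above removes the two zero-byte hidden .bmp files that ComboFix listed under C:\WINDOWS. The Python below is an added example for this page (not part of the thread and not ComboFix's own code) showing how the "Files Created" listing can be parsed and triaged the same way: it flags zero-byte hidden files and newly created .sys drivers as items to review, and renders the File:: block for whatever paths are chosen. The sample listing is constructed from lines in the ComboFix log posted above; the review rules are heuristics of mine, not ComboFix rules, and a flagged driver only means "confirm who shipped it", not "delete it".

```python
"""Triage a ComboFix "Files Created" listing and draft a CFScript File:: block.

Added example for this thread; not ComboFix code. The sample listing is
constructed from lines in the ComboFix log posted in the thread.
"""
import re
from typing import List, NamedTuple, Tuple

# One listing line: <created> . <modified> <size|<DIR>> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)


class Entry(NamedTuple):
    created: str
    modified: str
    size: int    # -1 for directories
    attrs: str   # ComboFix attribute flags as printed, e.g. "--ahs----"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size < 0

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_listing(text: str) -> List[Entry]:
    """Parse every line that matches the ComboFix listing layout; skip the rest."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size_field = m.group("size")
        size = -1 if size_field == "<DIR>" else int(size_field.replace(",", ""))
        entries.append(Entry(m.group("created"), m.group("modified"), size,
                             m.group("attrs"), m.group("path")))
    return entries


def review_candidates(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(path, reason) pairs a reviewer should look at first.

    Heuristics, not verdicts: a zero-byte hidden file in the Windows tree is
    exactly what the helper scripted away above; a new kernel-mode driver
    deserves a vendor and signature check whoever installed it.
    """
    hits = []
    for e in entries:
        if e.is_dir:
            continue
        if e.hidden and e.size == 0:
            hits.append((e.path, "zero-byte hidden file"))
        elif e.path.lower().endswith(".sys"):
            hits.append((e.path, "new kernel-mode driver; confirm the vendor and signature"))
    return hits


def cfscript_file_block(paths: List[str]) -> str:
    """Render the File:: section of a CFScript, one full path per line."""
    return "File::\n" + "\n".join(paths) + "\n"


# Constructed sample: a few lines from the "Files Created" section above.
SAMPLE = r"""
2008-02-04 18:55 . 2008-02-04 19:16 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-01 19:13 . 2003-09-19 15:47 10,368 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-02-01 13:33 . 2008-02-01 13:33 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2008-02-01 13:33 . 2008-02-01 13:33 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-01-27 23:17 . 2008-01-27 23:17 0 --ah----- C:\WINDOWS\SwSys2.bmp
2008-01-27 23:17 . 2008-01-27 23:17 0 --ah----- C:\WINDOWS\SwSys1.bmp
2008-01-26 21:39 . 2008-02-06 14:10 3,385,376 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-26 16:27 . 2005-08-25 18:19 1,066,176 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
"""

if __name__ == "__main__":
    hits = review_candidates(parse_listing(SAMPLE))
    for path, reason in hits:
        print(f"{reason:55} {path}")
    # Only the zero-byte hidden files go into the removal script.
    print(cfscript_file_block([p for p, r in hits if r.startswith("zero-byte")]))
```

The driver rule will flag legitimate drivers too (both .sys files in the sample belong to products the user installed that week); the point is that it makes you look at the creation date next to the vendor, which is the check the helper is doing by eye.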

Heres the log:

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Wednesday, February 06, 2008 4:51:42 PM
 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update:  6/02/2008
 Kaspersky Anti-Virus database records: 552526
-------------------------------------------------------------------------------

Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

Scan Statistics:
    Total number of scanned objects: 25798
    Number of viruses found: 1
    Number of infected objects: 5
    Number of suspicious objects: 0
    Duration of the scan process: 00:15:08

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable   Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\aolusers.fus Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\idb\SNMaster.idx Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstderr.txt Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstdout.txt Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\cache.db  Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\ncoc  Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\server.lock   Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\comodo\Firewall Pro\cfplogdb.sdb   Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked    skipped
C:\Documents and Settings\LocalService\Cookies\index.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\NTUSER.DAT   Object is locked    skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG   Object is locked    skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked    skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked    skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked    skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked    skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_AOL 9.1\IDB\Apps.Lst Object is locked    skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_AOL 9.1\IDB\art.idx  Object is locked    skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_AOL 9.1\IDB\guest.idx    Object is locked    skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_AOL 9.1\IDB\sap.dat  Object is locked    skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_AOL 9.1\IDB\spool.lst    Object is locked    skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_AOL 9.1\IDB\sysnews.lst  Object is locked    skipped
C:\Documents and Settings\Owner\Cookies\index.dat   Object is locked    skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe    RarSFX: infected - 2    skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls   Object is locked    skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked    skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked    skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked    skipped
C:\Documents and Settings\Owner\ntuser.dat  Object is locked    skipped
C:\Documents and Settings\Owner\NTUSER.DAT.LOG  Object is locked    skipped
C:\Program Files\AOL 9.1\download\SmitfraudFix\Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\System Volume Information\MountPointManagerRemoteDatabase    Object is locked    skipped
C:\System Volume Information\_restore{170FBAAB-0CA4-425E-883B-D6BFB013B922}\RP6\change.log  Object is locked    skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked    skipped
C:\WINDOWS\SchedLgU.Txt Object is locked    skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{15FE8C09-67DC-45AD-B607-7E8E52D4E12F}.bin   Object is locked    skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked    skipped
C:\WINDOWS\Sti_Trace.log    Object is locked    skipped
C:\WINDOWS\system32\CatRoot2\edb.log    Object is locked    skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb    Object is locked    skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked    skipped
C:\WINDOWS\system32\config\default  Object is locked    skipped
C:\WINDOWS\system32\config\default.LOG  Object is locked    skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked    skipped
C:\WINDOWS\system32\config\SAM  Object is locked    skipped
C:\WINDOWS\system32\config\SAM.LOG  Object is locked    skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked    skipped
C:\WINDOWS\system32\config\SECURITY Object is locked    skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked    skipped
C:\WINDOWS\system32\config\software Object is locked    skipped
C:\WINDOWS\system32\config\software.LOG Object is locked    skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked    skipped
C:\WINDOWS\system32\config\system   Object is locked    skipped
C:\WINDOWS\system32\config\system.LOG   Object is locked    skipped
C:\WINDOWS\system32\drivers\fidbox.dat  Object is locked    skipped
C:\WINDOWS\system32\drivers\fidbox.idx  Object is locked    skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked    skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked    skipped
C:\WINDOWS\system32\h323log.txt Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER  Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP  Object is locked    skipped
C:\WINDOWS\wiadebug.log Object is locked    skipped
C:\WINDOWS\wiaservc.log Object is locked    skipped
C:\WINDOWS\WindowsUpdate.log    Object is locked    skipped

Scan process completed.



I'm still not seeing anything; Kaspersky only flags the SmitfraudFix tool. It's not malware, but it does get detected because of the power of some of its components or routines. The tool is updated regularly, so you would need a fresh download if you were to need SmitfraudFix again, so you can delete the following file and folder:


C:\Documents and Settings\Owner\Desktop\SmitfraudFix
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe

Did you download the corrupt files from official/legit locations?

Please download this tool > System Repair Engineer

  1. Extract it to its own folder & double click SREng.exe to run it
  2. Select 'Smart Scan' & tick "Verify Digital Signatures"
  3. Click on the [Scan] button
  4. When finished, click on the [Save Reports] button & save the log to Desktop
  5. Attach the log in your next reply. Don't post it

Note: You may have to rename SREngLog.log to SREngLog.txt before attaching


Yeah, from the Grisoft website and Gamespot, I can now download stuff, so thanks for your help.
