Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

infected again


  • This topic is locked This topic is locked
15 replies to this topic

#1 ari

ari

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 07 August 2005 - 05:54 AM

Im infected again. Im being redirected to bestweblinks. I have spybot s an d installed, system security suite, adaware se personal, and zone alarm set on high. I have not reinstalled p2p connections sine i last posted around this time last year.
I appreciate any help. here is my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 11:48:08, on 07/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\shnlog.exe
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\windows\system32\lzfsxl.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bestwebslinks.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpBF05.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [dypywhb] c:\windows\system32\lzfsxl.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


m

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:11 PM

Posted 07 August 2005 - 05:20 PM

Hello,

It's better to print out the next instructions or save it in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup

* Download and install CCleaner
Do not use it yet.

* Download Nail/Aurora Spyware Fix
Do not use it yet.

* Download ewido security suite here: http://www.ewido.net/en/download/
Install and update it. Don't let it scan yet!!

Download smitRem and save the file to your desktop.
Doubleclick it and choose install. This will create a new folder on your desktop with the name smitrem.

Place a shortcut to Panda ActiveScan on your desktop.


* Reboot into Safe Mode`:
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bestwebslinks.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpBF05.tmp
O4 - HKLM\..\Run: [dypywhb] c:\windows\system32\lzfsxl.exe r
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


* Click on Fix Checked when finished and exit HijackThis.

* Run Ccleaner and click Run Cleaner (bottom right)

* Still in safe mode; open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")

* Reboot your system back to normal mode.

Download next regfix: Fix_Protocol_zones_ranges
Doubleclick on it and when it asks you if you want to add the contents to the registry, click yes/ok

Click the Panda ActiveScan shortcut, then do a full system scan.
Save the scan log and post it along with a new HijackThis Log, the log smitfiles.txt (which you will find on your C:\) and the Ewido Log by using Add Reply.
Let us know if any problems persist.

It could be possible, after reboot that your system is using the windows classic theme again.
To restore this and set it back to XP-theme, rightclick on your desktop > properties > tab Appearances and choose Windows XP style again under windows and buttons.
Click apply and OK.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 ari

ari
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 08 August 2005 - 03:21 AM

hello
ive followed your instructions upto "reboot your system back to normal". However the "fix protocol zones ranges" link does not work.
ill wait for your instructions before i proceed.

Thankyou
Ari

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:11 PM

Posted 08 August 2005 - 03:25 AM

Hi, that's odd, it works like a charm here though..

Ok, let me attach it here at the bottom of this post.
Unzip it and doubleclick Fix_protocol_zones_ranges.reg
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 ari

ari
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 08 August 2005 - 04:59 AM

hi
i have performed the instructions and saved the logs that you asked for to my desktop, but when i try to access them i receive the following message:
WINDOWS CANNOT FIND NOTEPAD.EXE
THIS PROGRAM IS NEEDED FOR OPENING FILES OF TYPE TEXT DOCUMENT
TYPE IN EXECUTABLE FILE TO BE USED INSTEAD

my hijack this log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 10:51:31, on 08/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccojob] c:\windows\system32\sislut.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:11 PM

Posted 08 August 2005 - 05:05 AM

Hi, check and fix next in hijackthis again:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [ccojob] c:\windows\system32\sislut.exe r

For your notepad.. can you check if there is a notepad.exe present in your Windows-folder and sysstem32-folder?

Check its properties and tell me the filesize and version. :thumbsup:

Edit.. also use this fix:
http://www.dougknox.com/xp/fileassoc/xp_txt_fix.zip

Unzip it and doubleclick xp_txt_fix.reg to merge it to the registry.
Let me know if you can open txtfiles again afterwards without receiving errors.

Also, did you use the fix_protocols-reg? It seems like you didn't download it from my attachement.

Edited by miekiemoes, 08 August 2005 - 05:10 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 ari

ari
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 08 August 2005 - 05:16 AM

hello
i saved those logs to desktop but when i click on them i get the message
WINDOWS CANNOT FIND NOTEPAD.EXE

i followed the instructions in order and as close as possible so what to do next?

Sorry ive seen you have edited your post so ill check those now :thumbsup:

thanks

Edited by ari, 08 August 2005 - 05:19 AM.


#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:11 PM

Posted 08 August 2005 - 05:18 AM

Hi, read my previous post, I edited a part. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 ari

ari
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 08 August 2005 - 05:41 AM

hello
i fixed the hijack this lines.

in the windows folder i found notepad.exe size 64.5KB, version 5.1.2600.0
system 32 i had to do a file search and found notepad.exe.bak, this was same size and version as windows.

i downloaded the fix and extracted files and merged them, is that unzipping it? i still cannot access the text documents.

with the protocols, after a restart i could access the original link that you posted, so i downloaded from there, not the attachment. Sorry i should have let you know.

thanks

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:11 PM

Posted 08 August 2005 - 05:53 AM

Ok, well, rename the notepad.exe.bak in your system32-folder back to notepad.exe and tell me if that fixed the problem. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 ari

ari
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 08 August 2005 - 07:22 AM

that worked, i just noticed the very last line of the panda active scan log says "adaware weird on the web". on my list of installed programs, there is a weird on the web program, should i remove that? here are my logs:


smitRem log file
version 2.3

by noahdfear

The current date is: 08/08/2005
The current time is: 8:35:53.06

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :thumbsup:



ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 09:09:19, 08/08/2005
+ Report-Checksum: 9116D9FB

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{1F6A3B74-3D40-4D48-4D55-E3A0A8029CC2} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{75D05867-E38D-2939-A8D4-F77D51475C5A} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8C505A6B-124B-4768-8FD3-1A066C839848} -> Spyware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bargain Buddy -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy -> Spyware.SearchRelevancy : Cleaned with backup
HKLM\SOFTWARE\Windows ServeAd -> Spyware.BlazeFind : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pnpsvc -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pnpsvc -> Spyware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\Anjali Shome\Cookies\anjali shome@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Anjali Shome\Cookies\anjali shome@programs.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\Documents and Settings\Dr. Shome\Local Settings\Temporary Internet Files\Content.IE5\KD6ZGD2B\empty[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Program Files\WeirdOnTheWeb\weirdontheweb.exe -> Spyware.WeirWeb : Cleaned with backup
C:\WINDOWS\aucfg.ini:vcdrn -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINDOWS\AuroraHandler.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\d3ol32.exe -> TrojanDownloader.Agent.al : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\dba1305.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\dba1865.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gba1865.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\pcs_0009.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\website.ocx -> TrojanDownloader.Agent.ex : Cleaned with backup
C:\WINDOWS\e.exe:fhrxv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\mstasks1.exe -> TrojanDownloader.Monurl : Cleaned with backup
C:\WINDOWS\ntui32.exe -> TrojanDownloader.Agent.al : Cleaned with backup
C:\WINDOWS\SSK3_B5.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\WINDOWS\stubinstaller5975.exe -> TrojanDownloader.Small.asf : Cleaned with backup
C:\WINDOWS\su93qg84.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\axuninstall.exe -> Spyware.BlazeFind : Cleaned with backup
C:\WINDOWS\system32\ecbmkdne.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\hdgcyea.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\ipqj.exe -> TrojanDownloader.Agent.al : Cleaned with backup
C:\WINDOWS\system32\tglrqn6o.dll -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\test:lrgzt -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\twain_32.dll:okjkp -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINDOWS\ucmoreiex.exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\WINDOWS\ucmoreiex.exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
C:\WINDOWS\UNZIP.DLL:leilc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\win.ini:wfldy -> TrojanDownloader.Agent.bq : Cleaned with backup


::Report End


Incident Status Location

Adware:adware/weirdontheweb No disinfected C:\DOCUMENTS AND SETTINGS\ARINDAM\FAVORITES\WeirdOnTheWeb.url
Spyware:spyware/petro-line No disinfected C:\DOCUMENTS AND SETTINGS\ARINDAM\FAVORITES\SITES ABOUT\Ab scissor.url
Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\alchem.inf
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\banner.inf
Adware:adware/ncase No disinfected C:\WINDOWS\msbbau.dat
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\toolbar.exe
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Admilli Service
Spyware:spyware/yoursitebar No disinfected C:\PROGRAM FILES\YourSiteBar
Adware:adware/sahagent No disinfected C:\WINDOWS\SYSTEM32\SahImages
Adware:adware/sqwire No disinfected Windows Registry
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\arindam\Desktop\Nailfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\arindam\Desktop\Nailfix.zip[Process.exe]
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\banner.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmltok.dll_tobedeleted
Spyware:Spyware/XXXToolbar No disinfected C:\WINDOWS\toolbar.exe
Adware:Adware/Weirdontheweb No disinfected C:\WINDOWS\weirdontheweb_topc.exe

Edited by ari, 08 August 2005 - 07:30 AM.


#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:11 PM

Posted 08 August 2005 - 07:37 AM

Hi,

yes, delete that weirdontheweb-folder. Also delete next folders:

C:\DOCUMENTS AND SETTINGS\ARINDAM\FAVORITES\SITES ABOUT
C:\PROGRAM FILES\Admilli Service
C:\PROGRAM FILES\YourSiteBar
C:\WINDOWS\SYSTEM32\SahImages

and next files:

C:\DOCUMENTS AND SETTINGS\ARINDAM\FAVORITES\WeirdOnTheWeb.url
C:\WINDOWS\INF\alchem.inf
C:\WINDOWS\INF\banner.inf
C:\WINDOWS\msbbau.dat
C:\WINDOWS\toolbar.exe
C:\WINDOWS\system32\xmltok.dll_tobedeleted
C:\WINDOWS\weirdontheweb_topc.exe

Let me know afterwards how things are running. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 ari

ari
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 08 August 2005 - 07:53 AM

hi
everything is working fine, and my homepage isnt being redirected anymore.
i have alot of antivirus software on my computer now, can you advise me on which i can remove.
i have antivir, adaware se personal, spybot s and d, system security suite together with the ones you told me to download.

thanks

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:11 PM

Posted 08 August 2005 - 10:01 AM

Hello ari,

Well, you actually have one antivirus though and that's Antivir. I also suggest not more than one antivirus on your system, because Several together can give problems and decreases the reliability of it seriously! The other ones you are having are mainly antispywareprograms and no antivirus. I can't hurt to have more than one antispywareprogram on your system. Because what one can't find/remove, another one can. But you may decide in here yourself what you would like to keep and what you would like to remove.

I have also adaware Se, ewido, spybot s&d and Microsoft antispyware on my system. I don't let them run in the background but let them scan once in a week.

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

And I do suggest you perform an online virusscan once in a while. (Housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

More info on how to prevent malware you can also find here (By Tony Klein)

Happy surfing again! :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 ari

ari
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 08 August 2005 - 10:28 AM

hi
as there wont be any problem with keeping the software that i have, i wont bother removing them.

Thankyou for all your help, i really appreciate it.
Take care :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users