
Pc Infected With Smitfraud


  • This topic is locked
14 replies to this topic

#1 JohnVacher

JohnVacher

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:20 PM

Posted 16 December 2005 - 08:38 AM

My PC seems to be infected with Smitfraud.
I get a flashing yellow warning triangle in the taskbar. Warning boxes keep appearing on screen. X Softspy keeps detecting Smitfraud but doesn't get rid of it.
I get popups for adult sites appearing on screen.

I went through the instructions on your help screen. "Preparation Guide For Use Before Posting A Hijackthis Log, Instructions for receiving help in cleaning your computer"
Housecall anti-virus wouldn't install. But I did all the other steps.

Below is my Hijackthis printout

Please help.




Logfile of HijackThis v1.99.1
Scan saved at 13:30:54, on 16/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=PopupsNuker:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\System32\hp461F.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O15 - Trusted Zone: *.line6.net
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {0DA713C9-4D79-6103-52D5-1F492D33E56A} - http://85.255.113.213/1/gdnFR2218.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125083285716
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {750D1C44-75A6-7FA0-D6E0-47371BF1590A} - http://85.255.113.213/1/gdnFR2218.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2218.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BB4ABDE-4A32-4848-9F2F-D5F749A12CD9}: NameServer = 85.255.115.118,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{85A834EC-D18D-4436-8814-7165B307F485}: NameServer = 85.255.115.118,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5BB4E7D-F681-485E-8939-22BB82889FD9}: NameServer = 85.255.115.118 85.255.112.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:20 PM

Posted 17 December 2005 - 10:04 AM

Hello,
We have to do this in more than one step, because I see your DNS got hijacked as well and needs a special treatment. We'll deal with that afterwards.

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Download smitRem and save the file to your desktop.
Double-click it and choose install. This will create a new folder on your desktop with the name smitrem.

* Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Reboot into Safe Mode (without networking support!):
To get into Safe Mode as the computer is booting, press and hold your "F8" key. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\System32\hp461F.tmp
O15 - Trusted Zone: *.line6.net
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {0DA713C9-4D79-6103-52D5-1F492D33E56A} - http://85.255.113.213/1/gdnFR2218.exe
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {750D1C44-75A6-7FA0-D6E0-47371BF1590A} - http://85.255.113.213/1/gdnFR2218.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2218.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BB4ABDE-4A32-4848-9F2F-D5F749A12CD9}: NameServer = 85.255.115.118,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{85A834EC-D18D-4436-8814-7165B307F485}: NameServer = 85.255.115.118,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5BB4E7D-F681-485E-8939-22BB82889FD9}: NameServer = 85.255.115.118 85.255.112.12


Check next entry also if you didn't set it yourself:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=PopupsNuker:8100

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Close Ewido

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")

* Reboot back into Windows.

* Perform an online scan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt which is present on your Homedrive (C:\ in most cases) and the Ewido Log by using Add Reply.

It is possible that after the reboot your system is using the Windows Classic theme again.
To restore this and set it back to the XP theme, right-click on your desktop > Properties > Appearance tab and choose Windows XP style again under windows and buttons.
Click apply and OK.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
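The helper's reasoning above (static DNS servers that don't belong to the ISP, a proxy the user never set, ActiveX downloads from bare IP addresses or local files, trusted-zone additions, a BHO loaded from a .tmp file) can be applied mechanically to a HijackThis log. The script below is an added example written for this thread, not part of the thread, HijackThis or smitRem; the sample lines are copied from the first log posted above, and `expected_resolvers` is an assumed allow-list that a reviewer fills with the resolvers the ISP actually uses.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not a BleepingComputer tool)."""
import ipaddress
import re
from typing import Collection, List, NamedTuple
from urllib.parse import urlparse

# Lines copied from the first HijackThis log in this thread, plus the benign
# Windows Genuine Advantage O16 entry from the same log for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=PopupsNuker:8100
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\System32\hp461F.tmp
O15 - Trusted Zone: *.line6.net
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {0DA713C9-4D79-6103-52D5-1F492D33E56A} - http://85.255.113.213/1/gdnFR2218.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BB4ABDE-4A32-4848-9F2F-D5F749A12CD9}: NameServer = 85.255.115.118,85.255.112.12
"""


class Finding(NamedTuple):
    section: str  # HijackThis section code, e.g. "O17"
    reason: str   # why a malware-response helper would want to look at it
    line: str     # the log line that triggered the finding


_LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line: str, expected_resolvers: Collection[str]) -> List[Finding]:
    """Return zero or more findings for a single HijackThis log line."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group(1), m.group(2)
    findings: List[Finding] = []

    if section == "O17":
        # O17 lists static DNS servers per interface. Any resolver outside the
        # assumed allow-list is the DNS-hijack sign the helper spotted above.
        ns = body.split("NameServer =", 1)[1] if "NameServer =" in body else ""
        for server in re.split(r"[,\s]+", ns.strip()):
            if server and server not in expected_resolvers:
                findings.append(Finding(section, f"unexpected DNS server {server}", line))
    elif section == "R1" and "ProxyServer" in body:
        # A proxy the user did not configure sees every IE request.
        findings.append(Finding(section, "IE proxy set", line))
    elif section == "O15":
        # Trusted Zone / Trusted IP entries lower IE security for whatever is listed.
        findings.append(Finding(section, "trusted zone/IP added", line))
    elif section == "O16":
        # Downloaded Program Files (ActiveX): vendors serve .cab files from named
        # hosts; an .exe from a bare IP or a local file:// path does not fit that.
        parsed = urlparse(body.rsplit(" - ", 1)[-1])
        host = parsed.hostname or ""
        if parsed.scheme == "file":
            findings.append(Finding(section, "ActiveX sourced from local file", line))
        elif _is_ip_literal(host):
            findings.append(Finding(section, f"ActiveX downloaded from IP literal {host}", line))
        elif parsed.path.lower().endswith(".exe"):
            findings.append(Finding(section, "ActiveX entry points at an .exe", line))
    elif section == "O2":
        # A BHO loads into every IE process; a .tmp file in System32 is not an
        # installed product's DLL.
        if body.rsplit(" - ", 1)[-1].lower().endswith(".tmp"):
            findings.append(Finding(section, "BHO loaded from .tmp file", line))
    return findings


def triage_log(text: str, expected_resolvers: Collection[str] = ()) -> List[Finding]:
    """Run triage_line over every line of a log and collect the findings."""
    out: List[Finding] = []
    for line in text.splitlines():
        out.extend(triage_line(line, expected_resolvers))
    return out


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}: {f.line[:72]}")
```

The O17 rule deliberately flags every static resolver when the allow-list is empty, so a reviewer who does not know the ISP's servers still gets them surfaced for a manual check.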

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:20 PM

Posted 23 December 2005 - 04:36 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:20 PM

Posted 28 December 2005 - 12:13 PM

Reopened.

Please post the logs in this thread and not in my Private Message box. :thumbsup:
I also want a hijackthislog made in normal mode and not in safe mode.

Edited by miekiemoes, 28 December 2005 - 12:13 PM.


#5 JohnVacher

JohnVacher
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:20 PM

Posted 28 December 2005 - 12:30 PM

Panda scan:


Incident Status Location

Adware:adware/ideskbar Not desinfected C:\WINDOWS\system32\drivers\zpmodemnt.sys
Adware:Adware/Popuper Not desinfected C:\WINDOWS\system32\extrac16.exe
Adware:adware/block-checker Not desinfected C:\WINDOWS\system32\ustart.exe
Adware:Adware/IPInsight Not desinfected C:\WINDOWS\inf\conscorr.inf
Adware:Adware/Lop Not desinfected C:\Documents and Settings\All Users\Application Data\Inter Warn City Data\logwma.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\All Users\Application Data\Inter Warn City Data\Winsize.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\All Users\Application Data\Inter Warn City Data\4 Internet.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\All Users\Application Data\Inter Warn City Data\Chic Title.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\All Users\Application Data\Inter Warn City Data\OptionBias.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\All Users\Application Data\Inter Warn City Data\date ante.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\All Users\Application Data\Inter Warn City Data\Program Dash.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\All Users\Application Data\Inter Warn City Data\BallBore.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\All Users\Application Data\Inter Warn City Data\InsideSoap.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\All Users\Application Data\Inter Warn City Data\Blue vga.exe
Adware:Adware/MediaTickets Not desinfected C:\Documents and Settings\user\Desktop\backups\backup-20051228-135820-659.inf
Adware:Adware/Lop Not desinfected C:\Documents and Settings\user\Application Data\FACENEWBEEP\plussoaperrorobj.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\user\Application Data\FACENEWBEEP\uuovstbx.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\user\Application Data\FACENEWBEEP\ltnbhwrr.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\user\Application Data\FACENEWBEEP\togmpbfm.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\user\Application Data\FACENEWBEEP\tjzqyfwt.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\Hell-Fire\Local Settings\Temp\lwllihvj.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\Hell-Fire\Local Settings\Temp\sta1.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\Hell-Fire\Local Settings\Temp\Inside Program.exe
Virus:VBS/Psyme.C Disinfected C:\Documents and Settings\Hell-Fire\Local Settings\Temporary Internet Files\Content.IE5\IFCN8PO7\index[1].chm
Adware:Adware/Lop Not desinfected C:\Documents and Settings\Hell-Fire\Local Settings\Temporary Internet Files\Content.IE5\YBCVAXA3\newpass2[1].htm
Dialer:Dialer.BEW Not desinfected C:\Documents and Settings\Hell-Fire\Local Settings\Temporary Internet Files\Content.IE5\K98HI3SH\access[1].cgi
Adware:Adware/Lop Not desinfected C:\Documents and Settings\Hell-Fire\Application Data\FACENEWBEEP\Find Exit.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\Hell-Fire\Application Data\FACENEWBEEP\plussoaperrorobj.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\Hell-Fire\Application Data\FACENEWBEEP\zjmcxnrd.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\Hell-Fire\Application Data\FACENEWBEEP\qxefatgq.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\Hell-Fire\Application Data\FACENEWBEEP\uwyiobse.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\Hell-Fire\Application Data\SixthDoesHope\2 ace.exe
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\Bat list.cab[Bat list.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\Coal eq.cab[Coal eq.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\Coal eq0.cab[Coal eq.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\Find Exit.cab[Find Exit.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\LiesOnceHeart.cab[LiesOnceHeart.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\default fast.cab[default fast.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\default fast0.cab[default fast.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\Find Exit0.cab[Find Exit.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\LiesOnceHeart0.cab[LiesOnceHeart.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\Extra Bolt.cab[Extra Bolt.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\LiesOnceHeart1.cab[LiesOnceHeart.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\Fast Play.cab[Fast Play.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\Fast Play0.cab[Fast Play.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\Find Exit1.cab[Find Exit.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\LiesOnceHeart2.cab[LiesOnceHeart.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\Web dead.cab[Web dead.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\Web dead0.cab[Web dead.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\Find Exit2.cab[Find Exit.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\Mode help.cab[Mode help.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\LiesOnceHeart3.cab[LiesOnceHeart.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\BalmKind.cab[BalmKind.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\BalmKind0.cab[BalmKind.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\LiesOnceHeart4.cab[LiesOnceHeart.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\Find Exit3.cab[Find Exit.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\Find Exit4.cab[Find Exit.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\LiesOnceHeart5.cab[LiesOnceHeart.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\MemoHold.cab[MemoHold.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\MemoHold0.cab[MemoHold.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\Find Exit5.cab[Find Exit.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\Find Exit6.cab[Find Exit.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\LiesOnceHeart6.cab[LiesOnceHeart.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\2 ace.cab[2 ace.exe]
Adware:Adware/Lop Not desinfected C:\Program Files\SFerret\Archives\2 ace0.cab[2 ace.exe]
Adware:Adware/MediaTickets Not desinfected C:\eied_s7.cab[eied.inf]
Dialer:Dialer.CEN Not desinfected D:\Documents and Settings\John Vacher\My Documents\David\Halo\Forerunners\New Folder\HIYA.exe


Logfile of HijackThis v1.99.1
Scan saved at 17:27:56, on 28/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=PopupsNuker:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125083285716
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5BB4E7D-F681-485E-8939-22BB82889FD9}: NameServer = 85.255.115.118 85.255.112.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe




smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 28/12/2005
The current time is: 13:59:31.39

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

wbeconm.dll
1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp


~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 708 'explorer.exe'
Killing PID 708 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :thumbsup:




---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 15:57:16, 28/12/2005
+ Report-Checksum: BDB71AB0

+ Scan result:

C:\WINDOWS\system32\filesafer23.exe -> Hijacker.Small : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gdnFR2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@e-2dj6wjlyajd5mcq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@e-2dj6wjkycmcpkbo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Hell-Fire\Local Settings\Temporary Internet Files\Content.IE5\YTUTKL87\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\Hell-Fire\Local Settings\Temporary Internet Files\Content.IE5\SDYBKPMR\gdnFR2218[1].exe -> Downloader.Small.ayl : Cleaned with backup
C:\Documents and Settings\Hell-Fire\Local Settings\Temporary Internet Files\Content.IE5\SDYBKPMR\sorewrists[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Hell-Fire\Local Settings\Temporary Internet Files\Content.IE5\QHK369A5\dba2218[1].exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Hell-Fire\Local Settings\Temporary Internet Files\Content.IE5\QHK369A5\gba2218[1].exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Hell-Fire\Cookies\hell-fire@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Hell-Fire\Cookies\hell-fire@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Hell-Fire\Cookies\hell-fire@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Hell-Fire\Cookies\hell-fire@adopt.euroclick[2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Hell-Fire\Cookies\hell-fire@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP420\A0310939.exe -> Trojan.Qhost.df : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP420\A0310940.exe -> Trojan.Favadd.an : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP420\A0310951.tlb -> Trojan.Puper.bs : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP420\A0310953.exe -> Trojan.DNSChanger.aw : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP420\A0310956.exe -> Downloader.Zlob.cw : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP422\A0311006.exe -> Trojan.DNSChanger.aw : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP422\A0311007.tlb -> Trojan.Puper.bs : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP422\A0311021.exe -> Downloader.Zlob.br : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP422\A0311022.exe -> Trojan.DNSChanger.aw : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP440\A0314503.tlb -> Trojan.Puper.bs : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP443\A0314526.exe -> Downloader.Zlob.cx : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP443\A0314532.exe -> Downloader.Zlob.br : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP443\A0314536.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP485\A0315577.tlb -> Trojan.Puper.bs : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP486\A0315602.tlb -> Trojan.Puper.bt : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP486\A0315603.exe -> Hijacker.Small : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP486\A0315619.tlb -> Trojan.Puper.bt : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP486\A0315646.tlb -> Trojan.Puper.bt : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP487\A0315664.tlb -> Trojan.Puper.bt : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP487\A0315681.tlb -> Trojan.Puper.bt : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP487\A0315699.tlb -> Trojan.Puper.bt : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP487\A0315703.exe -> Dropper.Mudrop.ao : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP487\A0315704.exe -> Downloader.Zlob.by : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP487\A0315723.tlb -> Trojan.Puper.bt : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP488\A0315760.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP488\A0315775.tlb -> Trojan.Puper.bt : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP488\A0315784.tlb -> Trojan.Puper.bt : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP488\A0315788.exe -> Downloader.Zlob.dd : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP488\A0315800.tlb -> Downloader.Zlob.de : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP488\A0315813.tlb -> Downloader.Zlob.de : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP488\A0315827.tlb -> Downloader.Zlob.de : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP489\A0315851.tlb -> Downloader.Zlob.de : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP489\A0315863.tlb -> Downloader.Zlob.de : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP489\A0315875.tlb -> Downloader.Zlob.de : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP489\A0315879.exe -> Dropper.Mudrop.ao : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP490\A0315891.tlb -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP490\A0315907.tlb -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP490\A0315910.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP490\A0315922.tlb -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP490\A0315942.tlb -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP490\A0315954.tlb -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP490\A0315958.exe -> Downloader.Zlob.dj : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP490\A0315970.tlb -> Downloader.Zlob.dj : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP491\A0315984.tlb -> Downloader.Zlob.dj : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP491\A0316001.tlb -> Downloader.Zlob.dj : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP491\A0316020.tlb -> Downloader.Zlob.dj : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP491\A0316032.tlb -> Downloader.Zlob.dj : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP491\A0316036.exe -> Downloader.Zlob.dj : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP491\A0316047.tlb -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP492\A0316067.tlb -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP492\A0316084.tlb -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP494\A0316434.tlb -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP494\A0316444.tlb -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP494\A0316457.tlb -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP494\A0316510.TLB -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP494\A0316526.TLB -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP494\A0316535.TLB -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP494\A0317536.tlb -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP494\A0317549.tlb -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP494\A0317552.exe -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP494\A0317563.TLB -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP495\A0317577.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP495\A0317635.TLB -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP495\A0317644.exe -> Downloader.Zlob.dd : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP495\A0317645.EXE -> Downloader.Zlob.dk : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP495\A0317661.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{8D16E210-8439-4846-B107-DB19120BA152}\RP495\A0317669.dll -> Downloader.SpyAxe : Cleaned with backup


::Report End


Many thanks, and I'm sorry for posting the reports in your PM.

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:20 PM

Posted 28 December 2005 - 12:41 PM

Hi,

We're not finished here yet.

* Download DelDomains.inf and save it to your desktop.
Right-click on it and choose 'Install'.

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Delete the following folders and files:

C:\Documents and Settings\All Users\Application Data\Inter Warn City Data <== folder
C:\Documents and Settings\user\Application Data\FACENEWBEEP <== folder
C:\Documents and Settings\Hell-Fire\Application Data\FACENEWBEEP <== folder
C:\Documents and Settings\Hell-Fire\Application Data\SixthDoesHope <== folder
C:\Program Files\SFerret\Archives\ <== everything present in this folder
C:\WINDOWS\system32\drivers\zpmodemnt.sys
C:\WINDOWS\system32\extrac16.exe
C:\WINDOWS\system32\ustart.exe
C:\WINDOWS\inf\conscorr.inf
C:\eied_s7.cab
\Documents and Settings\John Vacher\My Documents\David\Halo\Forerunners\New Folder\HIYA.exe

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

O15 - Trusted IP range: 81.222.131.59 (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5BB4E7D-F681-485E-8939-22BB82889FD9}: NameServer = 85.255.115.118 85.255.112.12
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)


If you also see an entry in your O4 lines in HijackThis starting with dm..., for example:
O4 - HKLM\..\Run: [dm***.exe] C:\WINDOWS\system32\dm***.exe (the *** stand for random letters), or starting with hg..., for example:
O4 - HKLM\..\Run: [hg***.exe] C:\Windows\System32\hg***.exe
check it as well. If not sure, leave it and only check the ones I asked you to check.


Click Fix Checked. Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile that will open (C:\fixwareout\report.txt), along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
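The checks the helper lists above (an O15 Trusted IP range, O17 NameServer values, O18 filters with no CLSID and no file, and O4 Run entries named dm***.exe or hg***.exe in System32) as a small log triage in Python. This is an added example, not code from the thread, from HijackThis or from FixWareout; the resolver allowlist, the name dmabc.exe and the all-zero interface GUID are assumptions, and the sample lines are constructed (the four O15/O17/O18 lines are the ones quoted in the post).

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample log: the O15/O17/O18 lines quoted in the post above plus
# constructed benign and suspicious O4/O17 lines so both classes are present.
# "dmabc.exe" and the all-zero interface GUID are made-up placeholders.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe",
    r"O4 - HKLM\..\Run: [dmabc.exe] C:\WINDOWS\system32\dmabc.exe",
    r"O15 - Trusted IP range: 81.222.131.59 (HKLM)",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{D5BB4E7D-F681-485E-8939-22BB82889FD9}: NameServer = 85.255.115.118 85.255.112.12",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1",
    r"O18 - Filter: text/html - (no CLSID) - (no file)",
    r"O18 - Filter: text/plain - (no CLSID) - (no file)",
    r'O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)',
]


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O17"
    line: str     # the log line exactly as written
    reason: str   # why a helper would ask for this entry to be fixed


# O4 Run entries named dm???.exe / hg???.exe that point into System32. The
# helper writes "dm***"; three random letters is our reading of the asterisks.
RANDOM_RUN = re.compile(
    r"^O4 - .*\[(dm|hg)[a-z]{3}\.exe\] .*\\system32\\(dm|hg)[a-z]{3}\.exe", re.I)
# Any IP range added to the IE Trusted zone is reported for review.
TRUSTED_RANGE = re.compile(r"^O15 - Trusted IP range: (\S+)")
# Per-interface DNS servers; the value is a space-separated list of IPs.
NAMESERVER = re.compile(r"^O17 - .*NameServer = (.+)$")
# MIME filter registered with neither a CLSID nor a backing file.
ORPHAN_FILTER = re.compile(r"^O18 - Filter: (\S+) - \(no CLSID\) - \(no file\)")


def _is_private(ns):
    """True for RFC 1918/loopback style addresses (typically the home router)."""
    try:
        return ip_address(ns).is_private
    except ValueError:
        return False  # not an IP literal at all; treat as unexpected


def triage(lines, expected_resolvers=frozenset()):
    """Return the log entries a helper would ask the poster to fix.

    expected_resolvers: DNS server IPs known to be legitimate for this machine
    (the ISP's, for instance). Private-range resolvers are accepted as well.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if RANDOM_RUN.match(line):
            findings.append(Finding(section, line,
                            "Run entry with random dm*/hg* name in System32"))
        elif (m := TRUSTED_RANGE.match(line)):
            findings.append(Finding(section, line,
                            f"IP range {m.group(1)} added to IE Trusted zone"))
        elif (m := NAMESERVER.match(line)):
            bad = [ns for ns in m.group(1).split()
                   if ns not in expected_resolvers and not _is_private(ns)]
            if bad:
                findings.append(Finding(section, line,
                                "unexpected public DNS resolver(s): " + ", ".join(bad)))
        elif (m := ORPHAN_FILTER.match(line)):
            findings.append(Finding(section, line,
                            f"MIME filter for {m.group(1)} with no CLSID and no file"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```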

#7 JohnVacher

JohnVacher
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:20 PM

Posted 28 December 2005 - 01:00 PM

When I follow this instruction: * Download DelDomains.inf and save it to your desktop.

IE goes to the following webpage


http://www.mvps.org/winhelp2002/DelDomains.inf

and this contains the following text. I can't see what to do with it.


; DelDomains.inf © 11-28-04 | Revised 10-29-05
; Created by: Mike Burgess Microsoft MVP
; http://mvps.org/winhelp2002/
;
; Warning: Deletes all entries in the Restricted & Trusted Zone list
; http://mvps.org/winhelp2002/restricted.htm
;
; To execute this file: in Explorer - right-click (this file)
; Select Install from the Menu.
; Note: you will not see any onscreen action.

[version]
signature="$CHICAGO$"

[DefaultInstall]
DelReg=DelTemps
AddReg=AddTemps

[DelTemps]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"

; Recreate the keys to avoid a restart

[AddTemps]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:20 PM

Posted 28 December 2005 - 01:06 PM

Hi, you misread my previous instructions.
You had to download deldomains.inf, save it to your desktop, right-click deldomains.inf and choose Install.

Are you using Firefox? Then you have to right-click the link, choose 'Save link as...' and save it to your desktop.

#9 JohnVacher

JohnVacher
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:20 PM

Posted 28 December 2005 - 01:40 PM

I ran Deldomains.
Then deleted all the files listed.
Then I downloaded fixwareout and ran it. The following came up.


Check for missing files
.....
C:\WINDOWS\system32\AUTOEXEC.NT not there
.....
End check for missing files
.....
VXD Check
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
"VDD"=hex(7):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,41,6c,77,69,6c,\
20,53,6f,66,74,77,61,72,65,5c,41,76,61,73,74,34,5c,61,73,77,4d,6f,6e,56,64,\
2e,64,6c,6c,00,00
.....
End vxd check
.....
please post this at the forum




Therefore it didn't reboot or give further prompts.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:20 PM

Posted 28 December 2005 - 02:26 PM

OK, your autoexec.nt is missing/corrupted, so to fix that issue, do the following:

If you have XP Home, download and install the following:
http://homepage.ntlworld.com/spencer.greys...XPHomeFiles.exe

If you have XP Professional, download and use the following:
http://homepage.ntlworld.com/spencer.greys.../XPProfiles.exe

Reboot afterwards and run fixwareout again.

Edited by miekiemoes, 28 December 2005 - 02:27 PM.


#11 JohnVacher

JohnVacher
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:20 PM

Posted 29 December 2005 - 07:47 AM

Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool





Logfile of HijackThis v1.99.1
Scan saved at 12:45:17, on 29/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=PopupsNuker:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125083285716
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:20 PM

Posted 29 December 2005 - 07:52 AM

Hello,

I see a clean log. How are things running now?

#13 JohnVacher

JohnVacher
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:20 PM

Posted 29 December 2005 - 08:08 AM

It seems to be running fine.

Many thanks for your kind assistance, and for being patient with me.

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:20 PM

Posted 29 December 2005 - 08:13 AM

Glad I could help.
Perform a full scan with an updated Ad-Aware SE and/or Spybot S&D to get rid of any leftovers, if still present.
If you don't have those programs yet, you can find the download locations in my sig.

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan for and clean so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, because a lot of free software bundles other software, including spyware.

Let your antispyware scanner(s) scan frequently, and don't forget to update them first.

And I do suggest you perform an online virus scan once in a while (Housecall and/or BitDefender), because what one virus scanner can't find, another one may.
Also make sure that the virus scanner installed on your system is always up to date!

Make sure your Windows has the latest updates, so visit http://windowsupdate.microsoft.com/ asap to update to SP2!

If you have XP SP2, read here how to configure the Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety

You can also find more info on how to prevent malware here (by Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Happy surfing again! :thumbsup:

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:20 PM

Posted 02 January 2006 - 06:24 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



