Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log: Please Help Diagnose


  • This topic is locked This topic is locked
4 replies to this topic

#1 Wave

Wave

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 25 February 2006 - 12:46 AM

Right now my IE Homepage has been changed to something I never changed it to and my SpyBot Search and Destroy is showing a 'Smitfraud -C.' entry. After deleting the entry, it still shows up after I scan my computer again!

Here's the HijackThis log:

-------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:36:17 PM, on 24/02/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\shimgvw.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\ruier\win32\Custom.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\htpatch.exe
C:\ruier\win32\pphidpad.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\ruier\win32\DRAWOBJ.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\TEMP\My Documents\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\ruier\win32\PPHBUF.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\196_150_ni.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\TEMP\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F3 - REG:win.ini: run=C:\ruier\win32\custom.exe
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp8509.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKLM\..\Run: [PPHIDPAD] C:\ruier\Win32\pphidpad.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Documents and Settings\TEMP\My Documents\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [wdigest] C:\WINDOWS\System32\wdigest.exe
O4 - HKCU\..\Run: [wing32] C:\WINDOWS\System32\wing32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [Kugoo] C:\PROGRA~1\KuGoo\kugoo.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?8726c317dd994e5784981e33dc4a9eb1
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?8726c317dd994e5784981e33dc4a9eb1
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.neopets.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c11.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/16ac499608be41...ip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://sympatico.zone.msn.com/binFramework...ro.cab34246.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: shimgvw - Unknown owner - C:\WINDOWS\System32\shimgvw.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:26 AM

Posted 25 February 2006 - 08:10 AM

Hello,

Any reason why your windows isn't up to date? You don't have even ServicePack1 installed!
Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems.
Please visit http://www.microsoft.com/windowsxp/downloa...p1/network.mspx and update to Service Pack 1. Without this update, you're wide open to re-infection, and we're both just wasting our time.
When your system is clean afterwards, then update to SP2, because updating to SP2 CAN cause problems as long as you are infected.

Hijackthis is still in your temp-folder, so I strongly advise to create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Download smitRem and save the file to your desktop.
Doubleclick it and choose install. This will create a new folder on your desktop with the name smitrem.

* Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Please download ATF Cleaner by Atribune.
Do not run it yet.

* Reboot into Safe Mode`: ( without networking support !)
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp8509.tmp
O4 - HKCU\..\Run: [wdigest] C:\WINDOWS\System32\wdigest.exe
O4 - HKCU\..\Run: [wing32] C:\WINDOWS\System32\wing32.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [Kugoo] C:\PROGRA~1\KuGoo\kugoo.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c11.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/16ac499608be41...ip/RdxIE601.cab
O23 - Service: shimgvw - Unknown owner - C:\WINDOWS\System32\shimgvw.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\System32\196_150_ni.exe
C:\WINDOWS\System32\wdigest.exe
C:\WINDOWS\System32\wing32.exe

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

* Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Close Ewido

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")

* Reboot back into Windows.

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply along with a new HijackThis Log, the contents of smitfiles.txt which is present on your Homedrive (C:\ in most cases)
and the Ewido Log by using Add Reply.

Extra addition..

I want to know what it is, so can you go to next site:
http://virusscan.jotti.org/

On top you'll find: File to upload and scan.
Now browse to the next file:

C:\WINDOWS\System32\shimgvw.exe

Click submit and let it scan.
Post the results also in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Wave

Wave
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 26 February 2006 - 10:43 PM

I have some other problems that are showing up now, although they might've been here already before: IE keeps on trying to open by itself, this 'Online Security Guide' and 'Troubleshooting Help' program/icon appears on my computer even after I delete it and reboot, & an exclamation icon appears in the right corner of my taskbar that says how I'm infected by something and I should click on it to get rid of the infection!

I couldn't find the smitfiles.txt that you wanted me to post the contents of! I also couldn't find the C:\WINDOWS\System32\shimgvw.exe you wanted me to scan with the file scanner!
PandaScan (below)
-----------------------------
Incident Status Location

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt[]
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\TEMP\Application Data\tvmcwrd.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\TEMP\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\TEMP\Desktop\smitRem.exe[Process.exe]
Adware:adware/securityerror Not disinfected C:\Documents and Settings\TEMP\Favorites\Antivirus Test Online.url
Potentially unwanted tool:Application/Zango Not disinfected C:\Program Files\ProSiteFinder\fcew8sjy.DLL
Adware:Adware/TopRebates Not disinfected C:\WINDOWS\bundles\WebRebates_Auto_InstallSilent.exe
Virus:Trj/Downloader.FNP Not disinfected C:\WINDOWS\Downloaded Program Files\miniclipGameLoader.dll
Adware:Adware/WeatherCast Not disinfected C:\WINDOWS\Entocalsm.fhf\whenu.exe
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\inf\alchem.inf
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\inf\conscorr.inf
Adware:Adware/Transponder Not disinfected C:\WINDOWS\inf\polall1r.inf
Adware:Adware/SpywareStrike Not disinfected C:\WINDOWS\system32\1024\ld7AA6.tmp
Adware:Adware/SpywareStrike Not disinfected C:\WINDOWS\system32\1024\ldB193.tmp
Virus:Trj/Qhost.T Not disinfected C:\WINDOWS\system32\host.exe
Virus:Trojan Horse Not disinfected C:\WINDOWS\system32\id114.exe
Adware:adware/virtualbouncer Not disinfected C:\WINDOWS\system32\INNERADINSTALL.LOG
Spyware:Spyware/Spydeleter Not disinfected C:\WINDOWS\system32\sd.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\system32\xmltok.dll
Adware:Adware/WeatherCast Not disinfected C:\WINDOWS\Urfufjacmt.one\whenu.exe

--------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:26:41 PM, on 26/02/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\ruier\win32\Custom.exe
C:\WINDOWS\htpatch.exe
C:\ruier\win32\pphidpad.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\VM_STI.EXE
C:\ruier\win32\DRAWOBJ.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\TEMP\My Documents\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\ruier\win32\PPHBUF.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\notepad.exe
C:\Program Files\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F3 - REG:win.ini: run=C:\ruier\win32\custom.exe
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp765A.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKLM\..\Run: [PPHIDPAD] C:\ruier\Win32\pphidpad.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Documents and Settings\TEMP\My Documents\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [wdigest] C:\WINDOWS\System32\wdigest.exe
O4 - HKCU\..\Run: [wing32] C:\WINDOWS\System32\wing32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [Kugoo] C:\PROGRA~1\KuGoo\kugoo.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?8726c317dd994e5784981e33dc4a9eb1
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?8726c317dd994e5784981e33dc4a9eb1
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.neopets.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c11.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/16ac499608be41...ip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://sympatico.zone.msn.com/binFramework...ro.cab34246.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: shimgvw - Unknown owner - C:\WINDOWS\System32\shimgvw.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:57:21 PM, 25/02/2006
+ Report-Checksum: BBAFFA5B

+ Scan result:

HKLM\SOFTWARE\Classes\SWRT01.RT -> Adware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\SWRT01.RT\Clsid -> Adware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{4da4616d-7e6e-4fd9-a2d5-b6c535733e22} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-1214440339-1659004503-725345543-1003\Software\Bundles -> Adware.SecondThought : Cleaned with backup
C:\$NtUninstallQ1494$\3721.bat -> Hijacker.StartPage : Cleaned with backup
C:\$NtUninstallQ1494$\sp4custom.dll -> Hijacker.StartPage : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\01234567\f23648[1].hta -> Dropper.Inor.a : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\01234567\wzsex10x[1].exe -> Trojan.Dialer.a : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\6VABQ5A3\bannergifts11[2].html -> Downloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\6VABQ5A3\bannergifts[2].html -> Downloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\G9IR0TUZ\wzsex10x[1].exe -> Trojan.Dialer.a : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\GH4PAR0P\f23648[1].hta -> Dropper.Inor.a : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\GH4PAR0P\mankin[2] -> Downloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\GJLBYE79\index[12].html -> Downloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\O5MJCT2N\logos[1].html -> Downloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\O5MJCT2N\logos[2].html -> Downloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\O5MJCT2N\logos[3].html -> Downloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\SPYB896J\id4[2].html -> Downloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\SPYB896J\id4[3].html -> Downloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\SPYB896J\id4[4].html -> Downloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\SPYB896J\index[8].html -> Downloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\SPYB896J\index[9].html -> Downloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\SPYB896J\super_dcb[2] -> Downloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\W1Q3OXAZ\lil_inuyasha_gurl[2] -> Downloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\Z6S3NDCH\Alexa7[1].cab/AlxRes.dll -> Adware.AlexaBar : Cleaned with backup
:mozilla.10:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.11:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.12:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.23:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.24:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.36:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.38:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.42:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.43:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.44:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.45:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.46:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.47:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.48:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.59:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.60:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.63:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.81:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.82:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.83:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.87:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.88:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.89:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.90:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.139:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.140:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.141:C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\o5b77evu.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\TEMP\Local Settings\Temp\~9072814883.tmp -> Downloader.Siboco : Cleaned with backup
C:\Program Files\ProSiteFinder\puvqk0p0.DLL -> Adware.ClearSearch : Cleaned with backup
C:\Program Files\ProSiteFinder\zyyovm9i.DLL -> Adware.ClearSearch : Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> Downloader.Small.py : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1941.tmp -> Downloader.Dyfuca.dp : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1942.tmp -> Downloader.Dyfuca.dp : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1944.tmp -> Downloader.IstBar : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1955.tmp -> Adware.VirtualBouncer : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp -> Downloader.Dyfuca.ei : Cleaned with backup
C:\run.bat -> Hijacker.StartPage : Cleaned with backup
C:\WINDOWS\bundles\2504040824.exe -> Adware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\bundles\bs5-vwqouc.exe -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\system32\dxmpp.dll -> Not-A-Virus.Hoax.Win32.Renos.v : Cleaned with backup
C:\WINDOWS\system32\mssearchnet.exe -> Hijacker.SpyAxe : Cleaned with backup
C:\WINDOWS\system32\nvctrl.exe -> Hijacker.SpyAxe : Cleaned with backup
C:\WINDOWS\system32\shimgvw.exe -> Downloader.Reqlook.b : Cleaned with backup
C:\WINDOWS\system32\SplWbr.dlltmp -> Dropper.Small.abe : Cleaned with backup
C:\WINDOWS\system32\test.bmp -> Downloader.Reqlook.d : Cleaned with backup
C:\WINDOWS\system32\TFTP1300 -> Worm.Lovesan.a : Cleaned with backup
C:\WINDOWS\system32\thinInstOIT61MegaV2s.dll -> Dropper.Small.abe : Cleaned with backup
C:\WINDOWS\xOCTFQVINAH.exe -> Downloader.Agent.am : Cleaned with backup


::Report End

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:26 AM

Posted 27 February 2006 - 04:10 AM

Hello,

You didn't perform all my steps as i asked you. I see no log from smitrem here either and the Ewido log and panda log shows me the files normally smitrem deletes are still present.

Also, you probably forgot to run ATF Cleaner, so let's start all over again.
You also didn't check and fix the entries in hijackthis as I asked you, you only checked and fixed the O1 entries.

I am not sure either you performed certain tasks in safe mode as I asked you.
You also didn't update to Service Pack 1.
I asked you to perform steps in the right order without missing any step. This is with a reason. If you don't do this, it will fail all the time.

Go To start > controlpanel > software and uninstall: PrositeFinder

* Reboot into Safe Mode`: ( without networking support !)
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp765A.tmp
O4 - HKCU\..\Run: [wdigest] C:\WINDOWS\System32\wdigest.exe
O4 - HKCU\..\Run: [wing32] C:\WINDOWS\System32\wing32.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [Kugoo] C:\PROGRA~1\KuGoo\kugoo.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c11.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/16ac499608be41...ip/RdxIE601.cab
O23 - Service: shimgvw - Unknown owner - C:\WINDOWS\System32\shimgvw.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Using Windows Explorer, locate the following files/folders, and delete them:

C:\Program Files\ProSiteFinder <== folder
C:\WINDOWS\bundles\WebRebates_Auto_InstallSilent.exe
C:\WINDOWS\Downloaded Program Files\miniclipGameLoader.dll
C:\WINDOWS\Entocalsm.fhf <== folder
C:\WINDOWS\inf\alchem.inf
C:\WINDOWS\inf\conscorr.inf
C:\WINDOWS\inf\polall1r.inf
C:\WINDOWS\system32\1024 <== folder
C:\WINDOWS\system32\host.exe
C:\WINDOWS\system32\id114.exe
C:\WINDOWS\system32\INNERADINSTALL.LOG
C:\WINDOWS\system32\sd.exe
C:\WINDOWS\system32\xmltok.dll
C:\WINDOWS\Urfufjacmt.one <== folder

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

* Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Close Ewido

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")

* Reboot back into Windows.

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply along with a new HijackThis Log, the contents of smitfiles.txt which is present on your Homedrive (C:\ in most cases)
and the Ewido Log by using Add Reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:26 AM

Posted 06 March 2006 - 05:24 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users