Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Hijacked


  • Please log in to reply
8 replies to this topic

#1 golding

golding

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:47 AM

Posted 23 April 2006 - 02:44 PM

Hi there,

When I try follow links provided by google a diverter kicks in and redirects me to a different website. I can visually see the rediretor come into play in the bottom left of the Internet Explorer. An IP address 85.255.117.78 is what appears to relocate me, Should I trace the IP's service provider and inform them of the behaviour of this IP.

To remove this I have tried booting in safe more and running both ewido and adaware and also cleared all temp net files and reset internet explorer, I have also checked my host file and this looks fine, I'm posting my HJT log below.

Thanks in advance. Could you also tell me what sections were causing the fault as by my initial amateur glance there didn't appear to be any.

Logfile of HijackThis v1.99.1
Scan saved at 18:04:18, on 23/04/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Jyve\Jyve\Jyve.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Callum Golding CGOLDNET
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [dmgyo.exe] C:\WINDOWS\System32\dmgyo.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] ~"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [Jyve] C:\Program Files\Jyve\Jyve\Jyve.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: {02E09B2E-2A03-4572-9291-69900C068564} (LCSim Control) - http://www.learnitcorp.com/cabs/lcsim.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe...nttracking.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136845840002
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:08:47 AM

Posted 23 April 2006 - 04:40 PM

Hello golding,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [dmgyo.exe] C:\WINDOWS\System32\dmgyo.exe
O4 - HKCU\..\Run: [Jyve] C:\Program Files\Jyve\Jyve\Jyve.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

David

#3 golding

golding
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:47 AM

Posted 29 April 2006 - 12:17 PM

Apolagies for such a delay in my response I was under the impression that there was email notifications. I have deleted the items and run fixwareout. Please find the two log files below.

Logfile of HijackThis v1.99.1
Scan saved at 18:05:13, on 29/04/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Callum Golding CGOLDNET
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] ~"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: {02E09B2E-2A03-4572-9291-69900C068564} (LCSim Control) - http://www.learnitcorp.com/cabs/lcsim.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136845840002
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)



Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\bvcmd
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmcvb.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

Search by size and names...

Misc files

Checking for older varients covered by the Rem3 tool


Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMCVB.EXE 44,032 2001-08-23

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:08:47 AM

Posted 29 April 2006 - 04:08 PM

Hey there,

Please manually delete this file:
C:\WINDOWS\SYSTEM32\DMCVB.EXE

* Please run Panda's ActiveScan.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your details when asked.
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report along with a new Hijackthis log.
David

#5 golding

golding
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:47 AM

Posted 01 May 2006 - 11:04 AM

Hello again. I followed your instructions, and the results are below. Can I ask if theres any reason in particular that you use Panda's ActiveScan? Is it the best virus scanner?

Is the free AVG anti-virus worth downloading?

Cheers for all the help so far.

Callum


Incident Status Location

Virus:Trj/Goldun.EJ Disinfected C:\!KillBox\avpe32.dll
Virus:Trj/Goldun.EJ Disinfected C:\!KillBox\qz.dll
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Callum.Golding\Application Data\Mozilla\Firefox\Profiles\7oad87zl.default\cookies.txt[.go.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Callum.Golding\Application Data\Mozilla\Firefox\Profiles\7oad87zl.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Callum.Golding\Cookies\callum.golding@2o7[1].txt
Spyware:Cookie/7search Not disinfected C:\Documents and Settings\Callum.Golding\Cookies\callum.golding@7search[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Callum.Golding\Cookies\callum.golding@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Callum.Golding\Cookies\callum.golding@adrevolver[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Callum.Golding\Cookies\callum.golding@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Callum.Golding\Cookies\callum.golding@as-us.falkag[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Callum.Golding\Cookies\callum.golding@burstnet[2].txt
Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\Callum.Golding\Cookies\callum.golding@c.fsx[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Callum.Golding\Cookies\callum.golding@centrport[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Callum.Golding\Cookies\callum.golding@com[2].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Callum.Golding\Cookies\callum.golding@cs.sexcounter[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Callum.Golding\Cookies\callum.golding@questionmarket[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Callum.Golding\Cookies\callum.golding@statcounter[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Callum.Golding\Cookies\callum.golding@xiti[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Callum.Golding\Cookies\callum.golding@xmts[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Callum.Golding\Cookies\callum[8].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Callum.Golding\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Spyware:Cookie/FastClick Not disinfected C:\FOUND.000\FILE0001.CHK
Spyware:Cookie/2o7 Not disinfected C:\FOUND.000\FILE0002.CHK
Spyware:Cookie/Findwhat Not disinfected C:\FOUND.001\FILE0015.CHK
Spyware:Cookie/cs.sexcounter Not disinfected C:\FOUND.001\FILE0070.CHK
Possible Virus. Not disinfected C:\Program Files\Orb Networks\Orb\bin\OrbStats.dll
Possible Virus. Not disinfected C:\Program Files\v4s_beta.exe[setup.exe][OrbStats.dll]
Adware:Adware/WinHound Not disinfected C:\Recycled\Q330995.exe
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\keyboard31.dat
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\LastGood\Downloaded Program Files\f3initialsetup1.0.0.15.inf
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\uniq

#6 golding

golding
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:47 AM

Posted 01 May 2006 - 05:05 PM

I also looked through my running processes and pick up on this inetinfo.exe, I tried ending it but then another process kicks in called iisreset.exe which obviously restarts the process. I did some research and it appears this process is related to Trojan.W32.RONTOKBRO. Obviously not good, I don't have much of an idea as where to go from here. I'm assuming restarting in safe mode and running ewido, adaware and spybot is not enough.

Thanks

#7 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:08:47 AM

Posted 02 May 2006 - 12:10 PM

Hey there,

Please visit http://virusscan.jotti.org/
Click on Browse... and navigate to the following file: C:\Program Files\Orb Networks\Orb\bin\OrbStats.dll
Click Open
Please let me know the results.

Please do the same for the file below:
C:\Program Files\v4s_beta.exe

David

#8 golding

golding
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:47 AM

Posted 02 May 2006 - 12:36 PM

Hey there,

C:\Program Files\v4s_beta.exe This is a legit exe program I downloaded and is Voicemail4Skype, but I scanned anyway and it was shown as ok.

The file below I also scanned and was legit.

C:\Program Files\Orb Networks\Orb\bin\OrbStats.dll

Callum

#9 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:08:47 AM

Posted 03 May 2006 - 10:26 AM

Hey there, we've just got a few small things to clear up:

* Go to start > run and type: regsvr32 /u occache.dll
(or copy and paste this in the field in start > run )
Click Ok

* Please empty this folder:
C:\!KillBox

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Please manually delete the following files/folders:

C:\Recycled\Q330995.exe
C:\WINDOWS\Downloaded Program Files\f3initialsetup1
C:\WINDOWS\keyboard31.dat
C:\WINDOWS\uniq <--folder

* Go to start > run and type regsvr32 occache.dll

The inetinfo.exe is used primarily for debugging Microsoft Windows Server Internet Information Services. This program is important for the stable and secure running of your computer and should not be terminated. I'm sure when you googled the entry you saw the virus warnings but the location of the file is key - it is in:
C:\WINDOWS\System32\inetsrv <--which is legit.

Please reboot and let me know how the computer is running.
David




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users