Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Jacked By Securitybulletin.com


  • Please log in to reply
5 replies to this topic

#1 essdot

essdot

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:34 PM

Posted 26 April 2006 - 04:14 AM

Hi

Some days ago my Internet Explorer wanted to set the default homepage to prosearching.com. Running a few scans with AdAware, SpyBot and my own Norton AntiVirus seemed to take care of the problem but instead it got replaced by Securitybulletin.com as default homepage.

I also have a green wheelchair-logo as discribed in the other posts by securitybulletin-attacked users in the taskbar on the other accounts than my own on this (shared family) computer.

kindly,
Essdot

Logfile of HijackThis v1.99.1
Scan saved at 11:00:25, on 2006-04-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program\Java\jre1.5.0_04\bin\jusched.exe
C:\Program\iRiver\HSeries\iHPDetect.exe
C:\Program\Creative\SBLive\Diagnostics\diagent.exe
C:\Program\QuickTime\qttask.exe
C:\Program\ICQLite\ICQLite.exe
C:\Program\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\Delade filer\Ahead\lib\NMBgMonitor.exe
C:\Program\SmartTrust\SmartTrust

Personal\Csp\SmartCertmover.exe
C:\Program\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program\Delade filer\Symantec Shared\Security

Console\NSCSRVCE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =

about:blank
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search

Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start

Page = http://www.google.se/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL

= prosearching.com
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search

Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL

= prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local

Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start

Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local

Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start

Page_bak = prosearching.com
R0 - HKCU\Software\Microsoft\Internet

Explorer\Toolbar,LinksFolderName = Länkar
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} -

C:\WINDOWS\system32\hpD936.tmp
O3 - Toolbar: &Google -

{2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\program\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus -

{C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program\Norton

AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [diagent]

C:\Program\Creative\SBLive\Diagnostics\diagent.exe startup
O4 - HKLM\..\Run: [SunJavaUpdateSched]

C:\Program\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck]

%systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iHP-100]

C:\Program\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [QuickTime Task]

"C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe

-minimize
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade

filer\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor]

C:\Program\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN

Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run:

[BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

"C:\Program\Delade filer\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\RunOnce: [ICQ Lite]

C:\Program\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk =

C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search -

res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word -

res://c:\program\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links -

res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -

res://c:\program\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportera till Microsoft Excel

- res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages -

res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English -

res://c:\program\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) -

{85d1f590-48f4-11d9-9669-0800200c9a66} -

%windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online

Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} -

%windir%\bdoscandel.exe (file missing)
O9 - Extra button: ICQ Lite -

{B863453A-26C3-4e1f-A54D-A2CD196348E9} -

C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite -

{B863453A-26C3-4e1f-A54D-A2CD196348E9} -

C:\Program\ICQLite\ICQLite.exe
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet

Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall

Control) -

http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}

(BDSCANONLINE Control) -

http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} -

http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall

Control) -

http://a840.g.akamai.net/7/840/537/2004061...housecall.trend

micro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} -

http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan

Installer Class) -

http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera

Server Control) - http://200.72.68.149:18002/wg_webeye.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web

Installer Class) -

http://www.freedom.net/viruscenter/onlinev...check/cabs/cssw

eb.cab
O18 - Protocol: msnim -

{828030A1-22C1-4009-854F-8E305202313F} -

"C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon -

C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwvw32 -

C:\WINDOWS\SYSTEM32\winwvw32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file

missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer

Associates International Inc. -

C:\Program\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec

Corporation - C:\Program\Delade filer\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) -

Symantec Corporation - C:\Program\Delade filer\Symantec

Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative

Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) -

Macrovision Corporation - C:\Program\Delade

filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Computer

Associates -

C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst

(navapsvc) - Symantec Corporation - C:\Program\Norton

AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation -

C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service

(NPFMntor) - Symantec Corporation - C:\Program\Norton

AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService)

- Symantec Corporation - C:\Program\Delade filer\Symantec

Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PestPatrol Remote - Computer Associates

International, Inc. - C:\Program\Delade

filer\PestPatrol\ppRemoteService.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec

Corporation - C:\Program\Norton AntiVirus\SAVScan.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) -

SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) -

Symantec Corporation - C:\Program\Delade filer\Symantec

Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation -

C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation -

C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:08:34 PM

Posted 28 April 2006 - 07:13 AM

Hello Essdot,

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

1. Open HijackThis, click 'Config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:C:\WINDOWS\SYSTEM32\winwvw32.dll
Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now. Click Yes/OK
Your system should reboot now.

2. Download roguescanfix.exe to your desktop.
Doubleclick roguescanfix.exe to install.
This will create a new folder on your desktop called roguescanfix.
Do not use this yet!

3. Run HijackThis and check the following entries:R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: winjjq32 - C:\WINDOWS\SYSTEM32\winwvw32.dll

Close all open windows EXCEPT HIJACKTHIS and click Fix Checked. Close HijackThis.

4. Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
5. Open the roguescanfix folder and click: Run.bat
This tool needs internet connection so it can download an additional file to let the tool work properly.
If your firewall gives an alert, allow it instead of blocking it.
Let the tool perform its job.
The icons will disappear temporarely from your desktop, and reappear. This is normal.
Wait until the message Completed script execution is displayed, and click OK.
Click Exit to close down bfu.
Finally: click OK to start the Spyfalcon and/or Spywarequake uninstaller, and click uninstall.
WARNING: You will be asked to reboot your computer. Wait until the uninstallers did their job before clicking YES.

6. Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

7. Post the contents of the Panda scan report in your next reply along with a new HijackThis Log,
by using Add Reply.

Greetings,
BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 essdot

essdot
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:34 PM

Posted 07 May 2006 - 01:33 PM

Ok, i've been out of town for a while but finally got around to following your helpful steps. The problems, as far as something trying to change my startup homepage, still remains.

The popups appearing are saying:
--
Attention! Win32.HS.m2 SpyWare has just overcome default security software on Your PC. Your personal information and PC safety is in critical danger.
To clear Your PC and get rid of dangerous virus you need paid security system patch called "AD-PROJECT".
By clicking "Continue" You will be taken to official developer's page, where you may download the patch.

--

and

--
Critical System Error

Please read this message carefully.

Your PC is infected by spyware. Spyware and other unwanted software refers to programs that perform certain tasks on your computer, typically without your consent. This can iclude installing pop-up advertising or collecting your personal information. Anti-spyware tools can only help rid your computer of spyware.

Click "OK" to get software and special offers on antivirus software

--


Had a problem with Step 3, the scan showed the notice:

---
"For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HiJackThis may NOT be able to fix this. If that happen, you need to edit the fix yourself. To do this, click start, run and type:
"notepad "C:\WINDOWS\System32\drivers\etc\hosts"
and press OK.
---

that gave me the following txt-file:
--
# a bunch of information about hosts and examples with #'s in front of them followed by:

127.0.0.1 localhost
--

Also ran into problems with Step 5:
"Finally: click OK to start the Spyfalcon and/or Spywarequake uninstaller, and click uninstall.
WARNING: You will be asked to reboot your computer. Wait until the uninstallers did their job before clicking YES."


Where do I find the Spyfalcon and/or Spywarequake uninstallers? No such files appeared in the Rougescanfix folder at least.


Panda ActiveScan report gave three warnings:
---------

Potentially unwanted tool:Application/Processor Not disinfected C:\Datub\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Datub\smitRem.exe[smitRem/Process.exe]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Administratör\Cookies\administratör@hitbox[2].txt

---------

and this is the new logfile:

-----------

Logfile of HijackThis v1.99.1
Scan saved at 20:08:22, on 2006-05-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\atmclk.exe
C:\Program\iRiver\HSeries\iHPDetect.exe
C:\Program\QuickTime\qttask.exe
C:\Program\ICQLite\ICQLite.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Creative\SBLive\Diagnostics\diagent.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\Delade filer\Ahead\lib\NMBgMonitor.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpE0CD.tmp (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [diagent] C:\Program\Creative\SBLive\Diagnostics\diagent.exe startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iHP-100] C:\Program\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://200.72.68.149:18002/wg_webeye.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlinev...cabs/cssweb.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwvw32 - winwvw32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\Program\Delade filer\pestpatrol\ppRemoteService.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program\Norton AntiVirus\SAVScan.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe


Thank you once again
Essdot

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:08:34 PM

Posted 07 May 2006 - 04:03 PM

Hello Essdot,

Don't worry about not finding those uninstallers, they may already be gone.

The smitRem tool you keep here : C:\Datub\smitRem, will not be useful.

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

1. Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

2. Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

3. Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
4. Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8.
A menu should come up where you will be given the option to enter Safe Mode.

5. Open the SmitfraudFix folder and double-click smitfraudfix.cmdSelect option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart again manually.
6. Reboot into safe mode

7. Run HijackThis and check the following entries, if still present:R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O2 - BHO: (no name) - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpE0CD.tmp (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: winwvw32 - winwvw32.dll (file missing)

Close all open windows EXCEPT HIJACKTHIS and click Fix Checked. Close HijackThis.

8. Run Ewido anti-malware:
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • Let ewido remove anything it finds.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
9. Reboot your PC.

10. Post the contents of the ewido log in your next reply along with a new HijackThis Log,
the report from Smitfraud fix, wich you can find here: C:\rapport.txt, by using Add Reply.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 essdot

essdot
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:34 PM

Posted 08 May 2006 - 03:02 AM

Hi

Followed all the steps and the problem seems to have been solved.

Here are the rapports:


HiJackThis log:

--
Logfile of HijackThis v1.99.1
Scan saved at 09:56:00, on 2006-05-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program\iRiver\HSeries\iHPDetect.exe
C:\Program\QuickTime\qttask.exe
C:\Program\ICQLite\ICQLite.exe
C:\Program\Creative\SBLive\Diagnostics\diagent.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\Delade filer\Ahead\lib\NMBgMonitor.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [diagent] C:\Program\Creative\SBLive\Diagnostics\diagent.exe startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://200.72.68.149:18002/wg_webeye.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlinev...cabs/cssweb.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\Program\Delade filer\pestpatrol\ppRemoteService.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program\Norton AntiVirus\SAVScan.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

--

Ewido log:

--
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 08:38:25, 2006-05-08
+ Report-Checksum: 72300FA

+ Scan result:

C:\Documents and Settings\Alejandro Zamora\Cookies\alejandro zamora@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Alejandro Zamora\Cookies\alejandro zamora@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Alejandro Zamora\Cookies\alejandro zamora@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup
C:\Documents and Settings\Alejandro Zamora\Cookies\alejandro zamora@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Alejandro Zamora\Cookies\alejandro zamora@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Alejandro Zamora\Cookies\alejandro zamora@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\Documents and Settings\Alejandro Zamora\Cookies\alejandro zamora@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Alejandro Zamora\Cookies\alejandro zamora@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Alejandro Zamora\Cookies\alejandro zamora@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Alejandro Zamora\Cookies\alejandro zamora@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Alejandro Zamora\Cookies\alejandro zamora@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Alejandro Zamora\Cookies\alejandro zamora@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Alejandro Zamora\Cookies\alejandro zamora@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Alejandro Zamora\Cookies\alejandro zamora@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Alejandro Zamora\Cookies\alejandro zamora@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Alejandro Zamora\Cookies\alejandro zamora@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Alejandro Zamora\Cookies\alejandro zamora@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Gladys Golborne\Cookies\gladys golborne@ehg-sonyeu.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Orito\Cookies\orito@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Orito\Cookies\orito@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Orito\Cookies\orito@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Orito\Cookies\orito@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\RECYCLER\S-1-5-21-757298511-3757435101-1155154078-1012\Dc170.txt -> TrackingCookie.Com : Cleaned with backup
C:\RECYCLER\S-1-5-21-757298511-3757435101-1155154078-1012\Dc18.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\RECYCLER\S-1-5-21-757298511-3757435101-1155154078-1012\Dc196.txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-757298511-3757435101-1155154078-1012\Dc201.txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\RECYCLER\S-1-5-21-757298511-3757435101-1155154078-1012\Dc303.txt -> TrackingCookie.Ivwbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-757298511-3757435101-1155154078-1012\Dc394.txt -> TrackingCookie.Popularix : Cleaned with backup
C:\RECYCLER\S-1-5-21-757298511-3757435101-1155154078-1012\Dc397.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\RECYCLER\S-1-5-21-757298511-3757435101-1155154078-1012\Dc42.txt -> TrackingCookie.Clickhype : Cleaned with backup
C:\RECYCLER\S-1-5-21-757298511-3757435101-1155154078-1012\Dc538.txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\S-1-5-21-757298511-3757435101-1155154078-1012\Dc56.txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-757298511-3757435101-1155154078-1012\Dc577.txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\RECYCLER\S-1-5-21-757298511-3757435101-1155154078-1012\Dc65.txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\RECYCLER\S-1-5-21-757298511-3757435101-1155154078-1012\Dc70.txt -> TrackingCookie.Adtech : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\cssweb.dll -> Adware.CSSWeb : Cleaned with backup
C:\WINDOWS\mtuninst.exe -> Adware.MediaTickets : Cleaned with backup
C:\WINDOWS\temp\win3B5.tmp.exe -> Downloader.IstBar.eq : Cleaned with backup
C:\WINDOWS\YAXUninst.exe -> Adware.MediaTickets : Cleaned with backup


::Report End


--

and the Smitfraud fix:

--

SmitFraudFix v2.40

Scan done at 0:30:13,17, 2006-05-08
Run from C:\Documents and Settings\Administrat”r\Skrivbord\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End


--

Much love,
Essdot

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:08:34 PM

Posted 08 May 2006 - 04:02 AM

Hello Essdot,

Your log looks nearly clean now. :thumbsup:

Fix this entry using HijackThis : R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
You can remove Roguescanfix and SmitFraudFix from your PC.

-----------------

Below I have included some recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously ; these few simple steps can stave off the vast majority of spyware problems.

1. Please navigate to http://windowsupdate.microsoft.com/ on a regular basis and download all the "critical updates" for Windows, including the latest version of Internet Explorer.
This can patch many of the security holes through which attackers can gain access to your computer.

2. In order to protect yourself better against spyware, you should consider installing and running some of the following free programs:Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

IE/Spyad
Places over 5000 dubious websites and domains in your IE's restricted zone.
Make sure to keep your antispyware programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3. Please consider using an alternate browser. Mozilla's Firefox browser is very good and more secure than Internet Explorer, immune to almost all known browser hijackers, and also has a built-in popup blocker (as an added benefit!) . If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed
Hopefully this should take care of your problems!

Greetings,
BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users