Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Safety Defender.com Is My Homepage


  • This topic is locked This topic is locked
8 replies to this topic

#1 donnieaxl23

donnieaxl23

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:45 PM

Posted 27 April 2006 - 12:34 AM

The only real problem I have is the homepage, browsing in general seems to be working fine. Homepage say this.....

Attention! Your system is under control of remote computer with IP address 227.4.167.118. The remote computer has access to the following folders on your PC:
- \WINDOWS\System32
- \Program Files\Internet Explorer
- \My Documents
- Drive C:\ files
Click here to download official anti-spyware software

Your private info is collected by W32.Sinnaka.A@mm
Your IP address: 67.168.33.122

Your Country: US, United States

They know you're using: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts-MyWay; SV1)

Operation System: OS Windows

Risk status for futher investigation: VERY HIGH RISK

Time of investigation: Wed Apr 26 22:28:29 PDT 2006

HERE IS MY LOG........

Logfile of HijackThis v1.99.1
Scan saved at 10:24:37 PM, on 4/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\AutoSizer\AutoSizer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Picture Ace Lite\PictureAceLite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.cnn.com"); (C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\prefs.js)
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hp90F5.tmp
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [3mR] C:\documents and settings\keith\local settings\temp\3mR.exe
O4 - HKLM\..\Run: [pFZE] C:\documents and settings\keith\local settings\temp\pFZE.exe
O4 - HKLM\..\Run: [HhMsNq] C:\documents and settings\keith\local settings\temp\HhMsNq.exe
O4 - HKLM\..\Run: [Saydvnev] C:\documents and settings\keith\local settings\temp\Saydvnev.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Keith\Application Data\othb.exe
O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe"
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Image - res://C:\Program Files\Picture Ace Lite\PictureAceLite.exe/130
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {BC8FABCD-8649-4eef-89DB-C012144ADFB1} - C:\Program Files\Picture Ace Lite\PictureAceLite.exe (HKCU)
O9 - Extra 'Tools' menuitem: Picture Ace Lite - {BC8FABCD-8649-4eef-89DB-C012144ADFB1} - C:\Program Files\Picture Ace Lite\PictureAceLite.exe (HKCU)
O15 - Trusted Zone: v4.windowsupdate.microsoft.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerwe...SWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097088313265
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...640/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

BC AdBot (Login to Remove)

 


#2 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:45 AM

Posted 27 April 2006 - 01:04 AM

Click here to download SmitfraudFix (by S!Ri). Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Click here to download System Security Suite. Extract it from the zip file into a folder.

Click here to download ewido security suite - it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed. Do NOT run a scan yet. Exit the program.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 donnieaxl23

donnieaxl23
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:45 PM

Posted 27 April 2006 - 04:32 PM

SmitFraudFix v2.36

Scan done at 14:30:29.90, Thu 04/27/2006
Run from C:\Documents and Settings\Keith\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !

C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Keith\Application Data


Start Menu





Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!! Attention, follow keys are not inevitably infected !!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Scanning wininet.dll infection


End

#4 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:45 AM

Posted 27 April 2006 - 11:31 PM

Please print out or copy these instructions/tutorial to Notepad as the internet will not be available to you at certain points of the removal process (whilst in Safe Mode). Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot into Safe Mode. You can get there by restarting your computer and continually tapping F8 until a menu appears. Use your arrow to highlight Safe Mode then hit enter.

Launch ewido again:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin (do not open any folders or open the windows control panel while the scan is in progress).
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido.

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually.

When back in Normal Mode, click Start>Settings>Control Panel>Display>Desktop>Customize Desktop>Web and uncheck "Security Info" if present.

Open System Security Suite and doubleclick on sss.exe. Check the boxes under the 'Items to Clear' tab and click 'Clear Selected Items'. You will be prompted to reboot, do so.

Please post the new rapport.txt log along with a new HijackThis Log and the Ewido Log in your next reply.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#5 donnieaxl23

donnieaxl23
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:45 PM

Posted 29 April 2006 - 03:04 AM

Problem Solved! Thanks so much for the help. Below are the logs, is there anything I can do to prevent this in the future?

SmitFraudFix v2.36

Scan done at 22:46:43.15, Fri 04/28/2006
Run from C:\Documents and Settings\Keith\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

Killing process


Deleting infected files

C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

End

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:45:54 PM, 4/28/2006
+ Report-Checksum: 5A7934DC

+ Scan result:

:mozilla.7:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\cookies.txt -> TrackingCookie.Clickagents : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@counter1.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@counter12.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@counter14.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@counter3.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@counter6.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@cz8.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@ehg-247internet.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@ehg-espn.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@ehg-newscientist.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@paycounter[2].txt -> TrackingCookie.Paycounter : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@sel.as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@servedby.advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@sexlist[2].txt -> TrackingCookie.Sexlist : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Keith\Cookies\keith@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\VirusScan\quarantine\nvctrl.exe.Vir.20 -> Downloader.Zlob.mg : Cleaned with backup
C:\WINDOWS\system32\dcomcfg.exe -> Downloader.Zlob.mj : Cleaned with backup


::Report End

#6 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:45 AM

Posted 29 April 2006 - 12:57 PM

Post the final HJT log.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#7 donnieaxl23

donnieaxl23
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:45 PM

Posted 29 April 2006 - 01:35 PM

Sorry I forgot to post it, here it is......

What should I do in the future to prevent this?

Logfile of HijackThis v1.99.1
Scan saved at 11:32:24 AM, on 4/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\AutoSizer\AutoSizer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Keith\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.cnn.com"); (C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Keith\Application Data\Mozilla\Profiles\default\xmbuxoem.slt\prefs.js)
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [3mR] C:\documents and settings\keith\local settings\temp\3mR.exe
O4 - HKLM\..\Run: [pFZE] C:\documents and settings\keith\local settings\temp\pFZE.exe
O4 - HKLM\..\Run: [HhMsNq] C:\documents and settings\keith\local settings\temp\HhMsNq.exe
O4 - HKLM\..\Run: [Saydvnev] C:\documents and settings\keith\local settings\temp\Saydvnev.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Keith\Application Data\othb.exe
O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe"
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Image - res://C:\Program Files\Picture Ace Lite\PictureAceLite.exe/130
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {BC8FABCD-8649-4eef-89DB-C012144ADFB1} - C:\Program Files\Picture Ace Lite\PictureAceLite.exe (HKCU)
O9 - Extra 'Tools' menuitem: Picture Ace Lite - {BC8FABCD-8649-4eef-89DB-C012144ADFB1} - C:\Program Files\Picture Ace Lite\PictureAceLite.exe (HKCU)
O15 - Trusted Zone: v4.windowsupdate.microsoft.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerwe...SWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097088313265
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...640/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

#8 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:45 AM

Posted 01 May 2006 - 01:29 AM

You have picked up another infection. Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [3mR] C:\documents and settings\keith\local settings\temp\3mR.exe
O4 - HKLM\..\Run: [pFZE] C:\documents and settings\keith\local settings\temp\pFZE.exe
O4 - HKLM\..\Run: [HhMsNq] C:\documents and settings\keith\local settings\temp\HhMsNq.exe
O4 - HKLM\..\Run: [Saydvnev] C:\documents and settings\keith\local settings\temp\Saydvnev.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Keith\Application Data\othb.exe


Exit HijackThis when done. Reboot into Safe Mode by tapping F8 after the BIOS has loaded. Using Windows Explorer, find and delete the following:

C:\documents and settings\keith\local settings\temp\3mR.exe
C:\documents and settings\keith\local settings\temp\pFZE.exe
C:\documents and settings\keith\local settings\temp\HhMsNq.exe
C:\documents and settings\keith\local settings\temp\Saydvnev.exe
C:\Documents and Settings\Keith\Application Data\othb.exe

Exit Explorer and reboot into Normal Mode. Rescan with HijackThis and post a new log here.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#9 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:45 AM

Posted 07 May 2006 - 03:30 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a Moderator. This applies only to the original topic starter. Everyone else please begin a New Topic.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users