Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack This Logfile


  • This topic is locked This topic is locked
6 replies to this topic

#1 keylargo

keylargo

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:40 AM

Posted 02 May 2006 - 08:08 AM

I followed the forum guidelines for procedures before posting a hjt logfile, but I'm still infected. I also tried (more than once) the reglite(rename registry key)/csw/ad-aware/spybot/panda combination, to no avail.

Note, if it helps, that I never do spot a registry value (and thus hidden dll name) in the AppInit_DLLs key.

Thanks in advance for your help.



Logfile of HijackThis v1.99.1
Scan saved at 9:02:11 AM, on 02/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\dcomcfg.exe
D:\WINDOWS\System32\atmclk.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\WINDOWS\System32\devldr32.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\HijackThis.exe

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - D:\WINDOWS\System32\hp74B3.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:40 AM

Posted 02 May 2006 - 01:35 PM

Hello,

I followed the forum guidelines for procedures before posting a hjt logfile, but I'm still infected. I also tried (more than once) the reglite(rename registry key)/csw/ad-aware/spybot/panda combination, to no avail.

Note, if it helps, that I never do spot a registry value (and thus hidden dll name) in the AppInit_DLLs key.


Not sure where you got this, but you are trying to perform things here which are not related at all with what you are dealing.

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Don't use it yet.
Don't download this to your C:\ as you did with hijackthis, but to your D:\, because the problem is located on your D:\

* Reboot into Safe Mode`: ( without networking support !)
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - D:\WINDOWS\System32\hp74B3.tmp
O4 - Startup: PowerReg Scheduler.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; I need that log afterwards.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply along with a new HijackThis Log,
the contents of rapport.txt which is present on your Homedrive (C:\ in most cases) by using Add Reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 keylargo

keylargo
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:40 AM

Posted 02 May 2006 - 02:58 PM

Not sure where you got this, but you are trying to perform things here which are not related at all with what you are dealing.

Several fixes recommended online for about:blank follow this procedure.
http://www.pchell.com/support/aboutblank.shtml as one example.

I greatly appreciate the advice and will run through the entire process when I get home from work. I would not have spotted the malicious hijack entries on my own. I'll be back to post the log.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:40 AM

Posted 02 May 2006 - 03:07 PM

Ah, now I see. There are A LOT of about:blank variants so every variant needs a different approach. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 keylargo

keylargo
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:40 AM

Posted 02 May 2006 - 09:01 PM

Ok, here's the update.

The original hijackthis scan had the 02 - BHO: Nothing line, but had no sign of the 04 - Startup: PowerReg line. It also had three others that caused me some concern, however, so I checked all four. They were these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - D:\WINDOWS\System32\hp74B3.tmp

After following all procedures listed -- except for checking wininet.dll, which did not occur with smitfraudfix.cmd -- my computer looks to be clean. New reports:

rapport/smitrem log as follows:


SmitFraudFix v2.37

Scan done at 20:38:17.79, 02/05/2006
Run from D:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

D:\WINDOWS\system32\atmclk.exe Deleted
D:\WINDOWS\system32\dcomcfg.exe Deleted
D:\WINDOWS\system32\ot.ico Deleted
D:\WINDOWS\system32\simpole.tlb Deleted
D:\WINDOWS\system32\stdole3.tlb Deleted
D:\WINDOWS\system32\1024\ Deleted
D:\Program Files\Security Toolbar\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

Panda active scan:

Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\smitrem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected D:\Documents and Settings\User\Desktop\cleanup\smitrem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected D:\Documents and Settings\User\Desktop\cleanup\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected D:\Documents and Settings\User\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected D:\Documents and Settings\User\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Adware:adware/securityerror Not disinfected D:\Documents and Settings\User\Favorites\Free XXX Sites List.url
Potentially unwanted tool:Application/Processor Not disinfected D:\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected D:\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected D:\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected D:\smitRem.exe[smitRem/Process.exe]
Virus:Trj/Femad.BN Disinfected D:\WINDOWS\Downloaded Program Files\CONFLICT.1\on.exe
Virus:Trj/Femad.BN Disinfected D:\WINDOWS\Downloaded Program Files\CONFLICT.2\on.exe
Virus:Trj/Femad.BN Disinfected D:\WINDOWS\Downloaded Program Files\on.exe
Spyware:Cookie/Atwola Not disinfected E:\Documents and Settings\User\Application Data\Netscape\NSB\Profiles\wv9t1mtq.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Maxserving Not disinfected E:\Documents and Settings\User\Application Data\Netscape\NSB\Profiles\wv9t1mtq.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected E:\Documents and Settings\User\Application Data\Netscape\NSB\Profiles\wv9t1mtq.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/did-it Not disinfected E:\Documents and Settings\User\Application Data\Netscape\NSB\Profiles\wv9t1mtq.default\cookies.txt[.did-it.com/]
Spyware:Cookie/RealMedia Not disinfected E:\Documents and Settings\User\Application Data\Netscape\NSB\Profiles\wv9t1mtq.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/go Not disinfected E:\Documents and Settings\User\Application Data\Netscape\NSB\Profiles\wv9t1mtq.default\cookies.txt[.go.com/]
Spyware:Cookie/Atwola Not disinfected E:\Documents and Settings\User\Cookies\user@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected E:\Documents and Settings\User\Cookies\user@belnk[1].txt
Spyware:Cookie/did-it Not disinfected E:\Documents and Settings\User\Cookies\user@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected E:\Documents and Settings\User\Cookies\user@dist.belnk[2].txt
Spyware:Cookie/fe.lea.lycos Not disinfected E:\Documents and Settings\User\Cookies\user@fe.lea.lycos[1].txt
Spyware:Cookie/go Not disinfected E:\Documents and Settings\User\Cookies\user@go[2].txt
Spyware:Cookie/Screensavers Not disinfected E:\Documents and Settings\User\Cookies\user@i.screensavers[1].txt
Spyware:Cookie/Searchportal Not disinfected E:\Documents and Settings\User\Cookies\user@searchportal.information[1].txt
Spyware:Cookie/Tucows Not disinfected E:\Documents and Settings\User\Cookies\user@tucows[1].txt
Spyware:Cookie/WebPower Not disinfected E:\Documents and Settings\User\Cookies\user@webpower[2].txt
(after which I cleaned up cookies on the E drive)

new hijackthis logfile:



Logfile of HijackThis v1.99.1
Scan saved at 9:48:03 PM, on 02/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\WINDOWS\System32\devldr32.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

Many thanks. Two questions, though:

i) do these reports indicate any other problems that need fixing? (I was concerned by the Panda scan, but I see much of what was there was in relation to Smitrem)
ii) is there a way to prevent this in the future? One site I saw mentioned something about patching a hole in Virtual Java Machine, but that may have been specific to his/her computer or infection.

Thanks again!


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:40 AM

Posted 03 May 2006 - 12:08 AM

Hello,

Your log looks clean again..

i) do these reports indicate any other problems that need fixing? (I was concerned by the Panda scan, but I see much of what was there was in relation to Smitrem)


Well, most what Panda found were cookies.. but as I read in your post, you already cleaned up these cookies.
The process.exe Panda found is a false positive and is a part of smitfraudfix and smitrem.
And the other malicious ones that were found are disinfected by panda - which means deleted. :thumbsup:
So we should be ok here.

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

And I do suggest you perform an online virusscan once in a while. (Housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates, so visit asap: http://windowsupdate.microsoft.com/ to update to SP2!

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

More info on how to prevent malware you can also find here (By Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

If you want to fight back the Malware Writers that have made your life a misery, please take a look here.

Happy surfing again! :flowers:

Edited by miekiemoes, 03 May 2006 - 12:09 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:40 AM

Posted 05 May 2006 - 02:27 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users