Infected With Winfixer (i Think) Among Others


This topic is locked
8 replies to this topic

#1 Burninator
  • Members
  • 5 posts

Posted 03 May 2006 - 01:01 AM

I'm getting various popups when Internet Explorer is not in use, most of which are either telling me to purchase anti-spyware software or advertising Adultfriendfinder.com. Every once in a while it will open an MS-DOS screen with an error message. Also, there are two programs in my toolbar that I didn't knowingly install and they will not close. One of them says "Virus Alert" and periodically displays a message saying "Your computer is infected! ...Click here to get all available software." The other is a yellow triangle that opens an ad for various anti-virus software. Thank you, in advance, for any help given. I am semi-computer illiterate and this is my last try before reformatting my hard drive.

Edit: I forgot to mention that my Ctrl+Alt+Delete does not work anymore. It seemingly has no effect on the computer now and I don't know how to bring up my task manager without it.

Logfile of HijackThis v1.99.1
Scan saved at 12:50:39 AM, on 5/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\system32\winlog.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Caleb\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpCDD8.tmp
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: SATARaid.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/heavyweap...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Edited by Burninator, 03 May 2006 - 01:04 AM.
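Added example (Python), not part of the forum post and not HijackThis code: a small parser for the "Oxx - ..." entry format of the log above, with a few heuristics a responder applies to decide which entries to look at first. On the sample lines, which are a constructed subset of the posted log, it surfaces the two [winlog] entries (a bare executable name, registered in both Run and the legacy RunServices key), the BHO that loads a .tmp file, and the orphaned "(file missing)" button. The heuristics are this example's own and say nothing about outlook.exe, which sits under a normal-looking Program Files path and is only identified by the ewido scan later in the thread, so they order a log for review; they do not replace a scanner.

```python
"""Triage helper for HijackThis v1.99 log entries.

Added example: not part of the forum post and not HijackThis code.
It parses the "Oxx - ..." entry format shown in the log above and applies
a few defender-side heuristics to rank entries for a closer look.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpCDD8.tmp
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - Global Startup: SATARaid.lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^(?P<sect>[RFNO]\d+) - (?P<body>.*)$")
# O4 body layout: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First program on a command line: quoted or bare, with or without a directory.
IMAGE_RE = re.compile(r'^"?(?P<img>[^"]+?\.(?:exe|dll|com|bat|cmd|scr|pif))(?:"|\s|$)', re.I)
# Locations any user can write to; autostarts living there deserve a second look.
USER_WRITABLE = ("\\local settings\\temp\\", "\\temporary internet files\\", "\\documents and settings\\")


@dataclass
class Entry:
    section: str                     # "O2", "O4", "O23", ...
    body: str                        # text after "O4 - "
    key: Optional[str] = None        # Run / RunServices / ... (O4 registry entries only)
    image: Optional[str] = None      # file the entry loads, when it could be parsed
    reasons: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Turn HijackThis entry lines into Entry objects; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = Entry(m["sect"], m["body"])
        if e.section == "O4":
            m4 = O4_RE.match(e.body)
            if m4:
                e.key = m4["key"]
                mi = IMAGE_RE.match(m4["cmd"].strip())
                e.image = mi["img"] if mi else m4["cmd"].strip()
        elif e.section in ("O2", "O9", "O20", "O23"):
            # For these sections the last " - " separated field is the file path.
            e.image = e.body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
        entries.append(e)
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review reasons and return only the entries that collected at least one."""
    for e in entries:
        img = (e.image or "").lower()
        if e.key == "RunServices":
            e.reasons.append("RunServices is a Win9x-era autostart key that current software rarely uses")
        if e.section == "O4" and e.image and "\\" not in e.image:
            e.reasons.append("bare executable name: resolved by PATH search, no vendor directory to verify")
        if img.endswith(".tmp"):
            e.reasons.append("loadable code with a .tmp extension")
        if "(file missing)" in e.body:
            e.reasons.append("orphaned entry: the referenced file no longer exists")
        if any(d in img for d in USER_WRITABLE):
            e.reasons.append("image lives in a user-writable or temporary location")
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    # Most reasons first, so the entries worth checking lead the listing.
    for e in sorted(triage(parse_log(SAMPLE_LOG)), key=lambda x: -len(x.reasons)):
        print(f"{e.section:<4} {e.image}")
        for reason in e.reasons:
            print(f"     - {reason}")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; entries with no reasons are dropped from the listing, not judged clean, which is why a signature scanner still follows.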



#2 Daemon
    Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 03 May 2006 - 01:16 AM

Click here to download SmitfraudFix (by S!Ri). Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Click here to download System Security Suite. Extract it from the zip file into a folder.

Click here to download ewido security suite - it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed. Do NOT run a scan yet. Exit the program.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 Burninator
  • Topic Starter
  • Members
  • 5 posts

Posted 03 May 2006 - 01:42 AM

SmitFraudFix v2.37

Scan done at 1:46:40.46, Wed 05/03/2006
Run from C:\Documents and Settings\Caleb\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\twain32.dll FOUND !
C:\WINDOWS\system32\1024\ FOUND !

C:\Documents and Settings\Caleb\Application Data


Start Menu


C:\DOCUME~1\Caleb\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!! Attention, follow keys are not inevitably infected !!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"

[HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"


Scanning wininet.dll infection


End
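Added example (Python), neither SmitfraudFix's code nor part of the post: a parser for the rapport.txt format above. The report has two kinds of content worth reading together, the "FOUND !" file paths (some with ? wildcards) and the registry dump, and the interesting link between them is that the CLSID registered under SharedTaskScheduler (an Explorer load point) resolves through its InProcServer32 key to twain32.dll, a file the search also flagged. The sample input is a constructed subset of the posted report; the key-matching and wildcard handling are this example's own.

```python
"""Parser for a SmitfraudFix "Search" report (rapport.txt).

Added example: not SmitfraudFix code and not part of the forum post.
It collects the "FOUND !" paths and the registry dump, then reports which
SharedTaskScheduler handlers resolve to a DLL the file search also flagged.
"""
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the rapport.txt posted above.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\twain32.dll FOUND !
C:\WINDOWS\system32\1024\ FOUND !

Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"FriendlyName"="My Current Home Page"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"

[HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"
"""

FOUND_RE = re.compile(r"^(?P<path>.+?) FOUND !$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                 # [HKEY_...\Subkey]
VALUE_RE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<val>.*)$')   # "Name"="Value" or @="Default"
STS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"


def parse_report(text: str) -> Tuple[List[str], Dict[str, Dict[str, str]]]:
    """Return (found paths, {registry key: {value name: data}}) from a rapport.txt."""
    found: List[str] = []
    registry: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := FOUND_RE.match(line)):
            found.append(m["path"])
        elif (m := KEY_RE.match(line)):
            current = m["key"]
            registry.setdefault(current, {})
        elif current and (m := VALUE_RE.match(line)):
            registry[current][m["name"].strip('"')] = m["val"].strip('"')
    return found, registry


def inproc_server(registry: Dict[str, Dict[str, str]], clsid: str) -> Optional[str]:
    """Default value of <hive>\\CLSID\\{clsid}\\InProcServer32 from whichever hive the dump has."""
    suffix = f"\\CLSID\\{clsid}\\INPROCSERVER32".upper()
    for key, values in registry.items():
        if key.upper().endswith(suffix) and "@" in values:
            return values["@"]
    return None


def flagged_handlers(found: List[str], registry: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """SharedTaskScheduler CLSIDs whose DLL matches a FOUND path; ? and * wildcards in FOUND lines are honoured."""
    hits = {}
    for clsid, label in registry.get(STS_KEY, {}).items():
        dll = inproc_server(registry, clsid)
        if dll and any(fnmatchcase(dll.lower(), pattern.lower()) for pattern in found):
            hits[clsid] = (label, dll)
    return hits


if __name__ == "__main__":
    found, registry = parse_report(SAMPLE_REPORT)
    print(f"{len(found)} path(s) flagged, {len(registry)} registry key(s) dumped")
    for clsid, (label, dll) in flagged_handlers(found, registry).items():
        print(f"SharedTaskScheduler {clsid} ({label}) -> {dll}")
```

A handler that shows up under SharedTaskScheduler with a DLL on the FOUND list is the load point to record before cleaning: the DLL is what runs, but the CLSID registration is what brings it back into Explorer at every logon.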

#4 Daemon
    Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 03 May 2006 - 02:03 AM

Please print out or copy these instructions/tutorial to Notepad as the internet will not be available to you at certain points of the removal process (whilst in Safe Mode). Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot into Safe Mode. You can get there by restarting your computer and continually tapping F8 until a menu appears. Use your arrow keys to highlight Safe Mode, then hit Enter.

Launch ewido again:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin (do not open any folders or open the windows control panel while the scan is in progress).
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido.

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

When back in Normal Mode, click Start>Settings>Control Panel>Display>Desktop>Customize Desktop>Web and uncheck "Security Info" if present.

Open System Security Suite and double-click on sss.exe. Check the boxes under the 'Items to Clear' tab and click 'Clear Selected Items'. You will be prompted to reboot; do so.

Please post the new rapport.txt log along with a new HijackThis Log and the Ewido Log in your next reply.

#5 Burninator
  • Topic Starter
  • Members
  • 5 posts

Posted 03 May 2006 - 03:04 AM

SmitFraudFix v2.37

Scan done at 3:04:47.28, Wed 05/03/2006
Run from C:\Documents and Settings\Caleb\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Caleb\Application Data


Start Menu


C:\DOCUME~1\Caleb\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!! Attention, follow keys are not inevitably infected !!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Scanning wininet.dll infection


End


Logfile of HijackThis v1.99.1
Scan saved at 3:03:45 AM, on 5/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Caleb\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: SATARaid.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/heavyweap...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:41:50 AM, 5/3/2006
+ Report-Checksum: 492CABDE

+ Scan result:

HKU\S-1-5-21-515967899-329068152-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB} -> Adware.Generic : Cleaned with backup
[832] C:\WINDOWS\system32\twain32.dll -> Not-A-Virus.Hoax.Win32.Renos.cu : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Caleb\Local Settings\Temp\ckbfakod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Caleb\Local Settings\Temp\efnihnod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Caleb\Local Settings\Temp\figlolod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Caleb\Local Settings\Temp\giahliod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Caleb\Local Settings\Temp\hedbchod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Caleb\Local Settings\Temp\inkcfgod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Caleb\Local Settings\Temporary Internet Files\Content.IE5\OJNBMWXH\gdnUS2218[2].exe -> Downloader.Small.ayl : Cleaned with backup
C:\Program Files\outlook\outlook.exe -> Worm.VB.dw : Cleaned with backup
C:\Program Files\WinMX Music\whCC-MIND.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
C:\WINDOWS\system32\twain32.dll -> Not-A-Virus.Hoax.Win32.Renos.cu : Cleaned with backup
C:\WINDOWS\system32\winlog.exe -> Backdoor.Rbot : Cleaned with backup


::Report End


Thank you for all the help, it seems to have all cleared up now. You definitely saved me a reformat! This is a great site and I'll be sure to tell my friends about it.
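Added example (Python), not ewido, HijackThis or forum code: a reader for the "target -> detection : action" lines of the ewido report above that counts detections by family, plus the cross-check a responder does after a cleanup, comparing what the scanner removed with what the fresh HijackThis log still autostarts. On the constructed sample lines (a subset of the posted report and of the post-clean log) it shows that the [outlook] Run value still points at C:\Program Files\outlook\outlook.exe even though ewido reported that file cleaned: an orphaned autostart, harmless once the file is gone but worth removing in a follow-up so the log is not misread later. The meaning assigned to the bracketed number prefix ([832]) is an assumption drawn from this report, not ewido documentation.

```python
"""Summarise an ewido scan report and cross-check it against a fresh HijackThis log.

Added example: not ewido, HijackThis or forum code. It parses the
"<target> -> <detection> : <action>" report lines, counts detections by
family, and lists autostart entries in the post-clean HijackThis log that
still point at a file the report says was cleaned.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the ewido report posted above.
SAMPLE_EWIDO = r"""
HKU\S-1-5-21-515967899-329068152-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB} -> Adware.Generic : Cleaned with backup
[832] C:\WINDOWS\system32\twain32.dll -> Not-A-Virus.Hoax.Win32.Renos.cu : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Caleb\Cookies\caleb@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Caleb\Local Settings\Temp\ckbfakod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Caleb\Local Settings\Temp\efnihnod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Program Files\outlook\outlook.exe -> Worm.VB.dw : Cleaned with backup
C:\WINDOWS\system32\winlog.exe -> Backdoor.Rbot : Cleaned with backup
"""

# Constructed sample: O4/O23 lines from the post-clean HijackThis log above.
SAMPLE_HJT_AFTER = r"""
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

REPORT_RE = re.compile(r"^(?:\[(?P<pid>\d+)\] )?(?P<target>.+?) -> (?P<detection>\S+) : (?P<action>.+)$")
# Program an O4 value launches: after "] ", quoted or bare, stopping at the extension.
O4_IMAGE_RE = re.compile(r'\] "?(?P<img>[^"]+?\.(?:exe|dll|com|bat|cmd|scr|pif))(?:"|\s|$)', re.I)


@dataclass
class Detection:
    target: str            # file path or registry path
    detection: str         # e.g. "Backdoor.Rbot"
    action: str            # e.g. "Cleaned with backup"
    # Assumption: the "[nnn]" prefix marks a module found inside running process nnn.
    pid: Optional[int] = None

    @property
    def family(self) -> str:
        """Leading component of the detection name: TrackingCookie, Trojan, Worm, ..."""
        return self.detection.split(".", 1)[0]


def parse_ewido(text: str) -> List[Detection]:
    out = []
    for line in text.splitlines():
        m = REPORT_RE.match(line.strip())
        if m:
            out.append(Detection(m["target"], m["detection"], m["action"], int(m["pid"]) if m["pid"] else None))
    return out


def summarize(detections: List[Detection]) -> Counter:
    """Detection count per family, to separate cookie noise from executables and backdoors."""
    return Counter(d.family for d in detections)


def orphaned_autostarts(detections: List[Detection], hjt_text: str) -> List[str]:
    """HijackThis O4 lines whose program is a file the report lists as cleaned."""
    cleaned = {d.target.lower() for d in detections if d.action.startswith("Cleaned")}
    orphans = []
    for line in hjt_text.splitlines():
        m = O4_IMAGE_RE.search(line)
        if m and m["img"].lower() in cleaned:
            orphans.append(line.strip())
    return orphans


if __name__ == "__main__":
    dets = parse_ewido(SAMPLE_EWIDO)
    for family, count in sorted(summarize(dets).items()):
        print(f"{family:<16} {count}")
    for line in orphaned_autostarts(dets, SAMPLE_HJT_AFTER):
        print("autostart still present for a cleaned file:", line)
```

The family count is the quick read of a report: sixteen tracking cookies are noise, one Backdoor and one Worm entry are the items that justify the Safe Mode pass. The orphan check is the part that the scanner report alone cannot give, because ewido removes files, not the Run values that reference them.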

#7 Daemon
    Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 03 May 2006 - 01:40 PM

Looks better - is it still running OK?

#8 Burninator
  • Topic Starter
  • Members
  • 5 posts

Posted 03 May 2006 - 09:28 PM

Yup it's running great. Thanks for all the help!

#9 Daemon
    Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 04 May 2006 - 12:12 AM

You're welcome - glad to help :thumbsup:

To help keep you clean, follow the recommendations in the article here: So how did I get infected?

As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.