Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected With Smitfraud Variant

  • This topic is locked This topic is locked
18 replies to this topic

#16 DeLuk

  • Topic Starter

  • Members
  • 228 posts
  • Gender:Not Telling
  • Location:Portugal
  • Local time:09:19 AM

Posted 24 May 2006 - 04:25 PM

Hi OldTimer and thank you again for your new reply and help once more. :huh:

I have now done as you instructed and deleted all those remaining files which were alchem and twaintec related (regperf.exe on its turn was already gone). Also I have now already reset System Restore.

As well I have afterwards run a new scan with both Panda ActiveScan and eTrust (as this had been the one to pick regperf.exe previously). eTrust now found nothing while Panda ActiveScan reported, again as before, about both altnet and blazefind registry entries, this time though curiously it didn't report about emediacodec anymore.

I think this isn't an actual issue to worry about, though, regarding both blazefind and emediacodec, as indeed I believe that the references to them in the registry must indeed be associated to these web domains being included in the Restricted Sites for Internet Explorer. From what I could read around, this must result from the imunization made by SpyBot, I suppose, as this was the only imunization program that I had installed already previously. I thought of nonetheless leave you the list, below, of all the registry locations where references to both blazefind and emediacodec are to be found, for you to please review, and confirm whether my assumption is correct? (I'm only including the list for blazefind, as that for emediacodec is exactly the same, all the locations repeat for it.)


HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com

HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com

HKEY_USERS\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com

HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com

HKEY_USERS\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com

HKEY_USERS\S-1-5-20\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com

HKEY_USERS\S-1-5-20_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com

HKEY_USERS\S-1-5-21-1202660629-1060284298-1708537768-1003\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com

HKEY_USERS\S-1-5-21-1202660629-1060284298-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com

HKEY_USERS\S-1-5-21-1202660629-1060284298-1708537768-1003_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com


Then again, regarding the references in the registry to altnet, yes, I have been reading about, and so I guess that must have come from when once my brother had installed Kazaa then. I have some rather long time ago already uninstalled this program, though, so maybe those references to altnet in the registry are some leftovers?... These are the locations in the registry where reference to altnet is to be found:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Altnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AltnetDM

HKEY_USERS\S-1-5-21-1202660629-1060284298-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Altnet


I wonder then if it would be advisable and safe to delete these keys, since the program they were associated with is no longer installed anyway? Or I wonder if this could be fixed through CCleaner maybe (and if maybe it would be safer to do it this way)?... Scanning for registry issues with CCleaner, I noticed there was also a reference to altnet, namely it is detected an "error in the reference uninstaller" (hope this is a correct translation from Portuguese to the definition of the problem by CCleaner) pointing to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AltnetDM. (On the other hand, just for comparing results, I also scanned the registry with both Registry Mechanic and System Mechanic, however none of these two reported any registry issue relating with altnet.) I would thus very much appreciate your further advice as to what to do (if anything should be done?) in regards to this altnet "issue"?...

Then again, speaking of registry optimization, I would like to share a quick extra doubt with you, appealing to your experience and expertise, if I may? This particular doubt isn't directly related with the problem being dealt in this thread nor with the primary purpose of this forum, but as I say with registry optimization, still I'm hoping I can ask just about this extra "off-topic" doubt?... It's a question for a quick answer, and I would be much grateful if you could please just enlighten me about this one thing. As I said before, I never dared to use a program for optimizing the registry (not for fixing anything, I mean, though I have already many times made scans for the curiosity of having an idea of how much there might be needing to be fixed) because I'm a little bit afraid of the eventuality of something going wrong as I'm not so comfortable with "messing" with the registry... However though, and this is what I would like to ask you then, would it be absolutely safe if I would just fix, using such a program as Registry Mechanic or System Mechanic or CCleaner or etc, just fix the registry entries which relate to programs which, having once been installed, have already been unistalled and aren't present in the computer anylonger? (For example, we have once had installed MusicMatch Media Player, and have uninstalled it already a long time ago, and when I scan the registry using Registry Mechanic etc, I can see various entries there which are related to MusicMatch...) Would it be absolutely safe if I would just fix just these entries only?... I would indeed very much appreciate if you might please just clear this for me, so that I feel the courage to do it... :thumbsup: (As the rest, I pretty much feel I'll go on being afraid of daring "messing" with it... :flowers: )

On the other hand, thank you also for your advice and tips, regarding further protection, yes, while on stand-by for your latest reply, I had been doing some reading through a couple of the basic guides and a handful of the related tutorials, as well as I had in the meantime already installed both SpywareGuard and SpywareBlaster, thanks again nonetheless for all further tips. :huh:

A couple of last doubts remain, though, and I would very much appreciate it if you could please clear it up for me.

1) I have Ad-Aware, SpyBot and Ewido Antimalware since a rather long time, and periodically scan the computer with each of the 3 programs. I was wondering though wheather it would be recommended to have any program more in complement to those 3, for the regular scans for malware? (I was thinking namely of the a-squared program?)

2) Regarding the simultaneous use of SpyBot and SpywareBlaster, would it be recommended to keep SpyBot's SDHelper active, from the moment SpywareBlaster is installed, or is it unnecessary then, or? What would you advise to do? (From what I was reading, I understand it becomes unnecessary to keep TeaTimer, when there's SpywareGuard, to avoid double warnings; but I'm still in doubt as to what should be the best to choose, in regards to SDHelper and SpywareBlaster; keep SDHelper active, even after SpywareBlaster being installed, or turn off SDHelper's active imunization in favour of SpywareBlaster alone?...)

3) Would it be recommended to run any further temp-stuff cleaner complementarily to CCleaner? (Namely I was thinking of ATF Cleaner and/or CleanUp?) Or is it rather enough to use only one of such programs/not advisable at all to run more than one?

4) Lastly, would it be advisable practice to, from time to time, post here an HJT log for routine checking by an expert, or not at all, rather one should only post strictly when necessary when there's something actually wrong and help is needed?

Ok I think this should be about all at last... (About time, also, I'd say too! :huh: ) I can't thank you enough, for all your assistance and guidance, and once more, I'm only sorry for all the many doubts and questions each time and the much I took of your time. Again, thank you sincerely, for all your help and replies. :huh:


P.S. Just for the sake of a rested conscience here's the final HJT log taken after finishing all the remaining clean-up as you instructed lastly for you to please review that all is finally really ok (hope so):

Logfile of HijackThis v1.99.1
Scan saved at 0:23:56, on 23-05-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\Programas\ewido anti-malware\ewidoctrl.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iol.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programas\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programas\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programas\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Startup: SpywareGuard.lnk = C:\Programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {70E6E083-6690-4129-A34D-F90094EEB4ED} (AWCVoiceClient Control) - http://www.popular.com.br/awc/html/voice/voice.ocx
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programas\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe

BC AdBot (Login to Remove)



#17 OldTimer


    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:04:19 AM

Posted 30 May 2006 - 05:11 PM

Hi DeLuk. The log looks good :thumbsup:

As for blazefind.com, the location is where Internet Explorer stores domains in the trusted and restricted sites. It depends on what the data value is for the registry entry. A 2 is for Trusted Sites and a 4 is for Restricted sites. You can better check those in the Internet Explorer Options on the Security tab. Click on the Trusted Sites or the Restricted sites and then the Sites button to see what is in each site. If it is in the restricted sites then leave it alone. It is being blocked.

If the Altnet program was uninstalled then the entries referring to that are probably left over and can be deleted.

Registry cleaners can do a good job of cleaning up old entries. Just look at what they are going to do before you let them do it. By just allowing them to clean whatever they want they might be removing valid entries that are needed.

The best protection you can have is a good anti-virus and a good firewall. For additional cleaning, AdAware, Spybot and Ewido are fine.

Spybot and Spyware Blaster are 2 very different programs which do different things. Spybot runs at startup and if SDHelper is active then it monitors IE activity. Spyware Blaster loads known bad sites into the Restricted Sites Zone of IE but does not monitor in real time. Having both is a good idea. If you are running Spybot's TeaTimer then you really do not need Spyware Guard running. They both do the same thing.

ATF Cleaner is good but CCleaner or Cleanup clean more areas. Cleanup is recommended if there are multiple users on the same machine because it can clean all of the user's temporary areas at once instead of having to run it while logged on under each user account.

Lastly, there are some people who post an HJT log once or twice a year just as a checkup. It's up to you. We can look through it and tell you if there is anything that needs attention or if everything is OK.

Cheers and Happy Computing.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.

Posted Image

#18 DeLuk

  • Topic Starter

  • Members
  • 228 posts
  • Gender:Not Telling
  • Location:Portugal
  • Local time:09:19 AM

Posted 02 June 2006 - 04:20 PM

Hi again OldTimer and thank you yet once more for your reply and further explanations in regards to my last remaining doubts. :huh:

Yes, every entry in the registry referring to both blazefind and emediacodec, all have the data value 4, for them being restricted domains, as I was assuming from the start, yes, thus nothing to worry about with Panda ActiveScan picking them so I guess. (Additionally I also double-checked in the security settings for IE, and yes, both blazefind.com and emediacodec.com are included in the restricted sites, whereas in fact there is actually no domain even in the trusted sites.)

As for altnet, and the remainders of it, I'll so delete that. (I'll first attempt the fix via CCleaner and, if any of the registry entries still remains afterwards, I'll just delete them manually then.)

Also thank you for the further advising and "encouragement" regarding using a registry cleaner util, think I'll dare myself to try that then (with extra care and both eyes wide open of course!). :flowers: At least just to clean up such old entries like any referring to programs which we have had installed but have removed already, yes, I keep reading that optimizing the registry can provide to enhance the performance of the system overall, so, even if cleaning just that little much, it must make some difference for the better already, thus I think I'm for a go at last. Just thanks for the "encouragement" again as that was the little much I was missing to dare myself (i.e. to "hear" it from someone "for real" with real expertise and not just from reading the "advertising" made from and for the programs themselves). :huh:

And coming to SpyBot and its integrated imunization and active monitoring features, yes, from what I had been reading in the tutorials here, yes, I had understood that TeaTimer becomes unnecessary when there's SpywareGuard on or vice-versa, yes (I'm opting for SpywareGuard myself at this time), I just didn't have it as clear in regards to SDHelper and SpywareBlaster. Thanks for clearing that out for me, and yes, I'll surely go for the good idea of having both protections active simultaneously then. :huh:

And so, and once more, I truly want to thank you, for your time and patience, help and assistance, from the first moment, thank you sincerely (and yet sorry for all the much I've asked along :huh: )! :thumbsup: Hope I won't have to bother you guys anymore any time soon... Thanks for all again and cheers back to you! :huh:

(I believe this topic may be closed now, from my part yes, if the moderators see it fit, please do.)

Edited by DeLuk, 02 June 2006 - 06:24 PM.

#19 OldTimer


    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:04:19 AM

Posted 13 June 2006 - 05:03 PM

You're very welcome DeLuk. I'm glad that we could help.

Now that your malware issues have been resolved I will close this topic. If you have any new malware issues in the future then please start a new topic.


Have a safe and happy computing day!

OT :thumbsup:
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.

Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users