Infected With Antivermins (smitfraud Variant)


15 replies to this topic

#1 DeLuk (Members, 228 posts, Location: Portugal)

Posted 29 December 2006 - 10:49 AM

Greetings. :huh:

Once more I'm found in need of your help.

Seems like my brother must have been surfing some unwanted sites (again :flowers:) and got us a late Xmas present, as yesterday I just found the computer infected with AntiVermins. (Yeah, he does the messing, and I'm left with doing the cleaning; how fair is that! And how stupid is it to get infected with Smitfraud 3 times in 10 months; does he never learn or what! :thumbsup:)

I looked around in the forum for instructions and followed the guide How To Remove Antivermins (removal Instructions). Unfortunately, it looks like not everything got fixed, though...

First I did the Automated Removal. Here's the SmitfraudFix report log:

-----

SmitFraudFix v2.131

Scan done at 14:42:07.01, 28-12-2006
Run from C:\Documents and Settings\q\Ambiente de trabalho\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}"="buprestidae"

[HKEY_CLASSES_ROOT\CLSID\{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}\InProcServer32]
@="C:\WINDOWS\system32\cthkpcv.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}\InProcServer32]
@="C:\WINDOWS\system32\cthkpcv.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\cthkpcv.dll -> Hoax.Win32.Renos.gen.i
C:\WINDOWS\system32\cthkpcv.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Documents and Settings\q\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVermins 2.1.lnk Deleted
C:\DOCUME~1\q\MENUIN~1\AntiVermins 2.1.lnk Deleted
C:\DOCUME~1\q\MENUIN~1\PROGRA~1\AntiVermins Deleted
C:\Programas\AntiVermins\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

-----

Note: At the end of the disk cleanup and registry cleanup, I didn't get the red screen with the countdown for reboot, nor did the computer reboot automatically. I got the "system is running in safe mode" notice message (the same one that appears when Windows finishes loading in Safe Mode and the Desktop appears), and the report log of the files removed by SmitfraudFix was also presented right away (the one that was supposed to be presented after reboot). I don't know if this was normal?...

I then rebooted manually.

After reboot, I got a notice message from SpywareGuard, saying that the IE homepage had been changed to http://www.microsoft.com/isapi/redir.dll?prd=iepver=6ar=msnhome. I chose to keep the old value (blank page). The same notice message appeared again, and again I chose to keep the old value.

All in all, there was still something wrong, as I did still get some "system alert" popups and some adware ones too.

So next I also did the Manual Removal as in the guide. (None of the files referred to in the guide for manual removal existed anymore, as they had been removed in the previous Automated Removal.) In the SmitfraudFix log, everything else was blank; the only thing still showing was:

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

-----

Note: Again, at the end of the disk cleanup and registry cleanup, it happened exactly the same as in the first time.

I rebooted manually.

After reboot, I got again the same notice message from SpywareGuard as the time before.

There were also still "system alert" and adware popups.

Another thing I noticed was that the folder C:\Programas\Image ActiveX Object\ still exists and still contains all the files as before the fix: isaddon.dll, isamini.exe, isamonitor.exe, isauninst.exe, pmmon.exe and pmuninst.exe. (Before starting the fix, I had done a search for files/folders created at the same date and time as the AntiVermins ones, and these all were, so I'm assuming this must be related to this infection too? I've seen in other posts references to the folder C:\Programas\Video ActiveX Object\ and some of these same files, so I'm guessing yes...)

And also in the Add/Remove Programs list there is this suspicious "System Alert Popup" program. (I'm also guessing this must be related with this whole infection too?)

I ran Panda ActiveScan next. Here's the report log (I've removed from the log the reference to SmitfraudFix.exe, for obvious reasons):

-----

Incident Status Location
Adware:Adware/VideoActiveXObject Not disinfected C:\Programas\Image ActiveX Object\pmmon.exe
Adware:Adware/VideoActiveXObject Not disinfected C:\Programas\Image ActiveX Object\pmsngr.exe
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/sbsoft Not disinfected Windows Registry

-----

Panda ActiveScan does identify two of the files in C:\Programas\Image ActiveX Object\ as infected files. (I do wonder, should I just go again for the Manual Removal using SmitfraudFix, and just remove the "System Alert Popup" program from Add/Remove Programs and delete the whole C:\Programas\Image ActiveX Object\ folder and all its contents, prior to the step of running SmitfraudFix.exe? Or will KillBox be needed for getting rid of the remainder of the infection? Or should I rather wait for hopefully some updated release of SmitfraudFix which also deals with C:\Programas\Image ActiveX Object\; maybe the one which infected our computer is some new variant of the pest and it isn't yet covered by the current version of SmitfraudFix?...)

-----

After running Panda ActiveScan (and seeing that there were still files reported as infected), I decided to run Ad-Aware, then SpyBot, and then AVG Anti-Spyware. I chose to fix/quarantine everything found by each of the scanners:

-----

*** Ad-Aware report log (I've removed from the log the reference to the Running Processes and the MRU's found, as well as the parts of the scan where nothing was found, for keeping the list short; if you'd like to see the complete log, though, please say.)

Ad-Aware SE Build 1.06r1
Logfile Created on:Thursday, 28 December 2006 16:29:53
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R141 27.12.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch(TAC index:10):7 total references
MRU List(TAC index:0):8 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 8


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{95b92d92-8b7d-4a19-a3f1-43113b4dbcaf}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{5297e905-1dfb-4a9c-9871-a4f95fd58945}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 10


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 10


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\internet settings\zonemap\domains\i--search.com

CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks

CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Custom Search URL

CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\new windows
Value : PopupMgr

CoolWebSearch Object Recognized!
Type : RegData
Data : about:blank
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Start Page
Data : about:blank

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 15

16:41:36 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:11:42.190
Objects scanned:160059
Objects identified:7
Objects ignored:0
New critical objects:7

-----

Note: After completing the cleaning with Ad-Aware, once again I got a notice message from SpywareGuard, again saying that the IE homepage had been changed (but this time it said it had been changed to, and after the word "to", there was nothing written, the space was simply blank). Once more I chose to keep the old value (blank page).

-----

*** SpyBot report log

--- Report generated: 2006-12-28 17:01 ---

PestTrap: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1202660629-1060284298-1708537768-1003\Software\Internet Security


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

-----

*** AVG Anti-Spyware report log

---------------------------------------------------------
AVG Anti-Spyware - Scan report
---------------------------------------------------------

+ Created: 23:36:59 28-12-2006

+ Scan result:



HKU\S-1-5-21-1202660629-1060284298-1708537768-1003\Software\Internet Security -> Adware.IntCodec : No action taken.


::End of report

-----

After running these scans, I ran Panda ActiveScan again, and the log was all the same, except for the entry Adware:adware/sbsoft in the Registry, which was gone now. (BTW, sorry for the little off-topic question, but regarding Panda ActiveScan, the entry referring to Altnet is an old one; it must be some leftover from some old infection, and it always shows in Panda's ActiveScan log. I wonder if I should (and if it would be safe to) just delete that entry from the Registry, or?... Then again, CCleaner also detects an "issue" related to Altnet; it identifies it as an "error in the reference uninstaller", and it refers to the same Registry key; should I maybe just fix that in there?... Would that automatically eliminate that entry from the Registry, and would it be safer to fix it via CCleaner than deleting the key manually?... I'd appreciate any guidance in regards to this, if possible...)

As for the AntiVermins/Smitfraud infection, what should be the next step to take? I'd be most grateful for any further assistance with getting rid of it for good, thanks so very much already. :huh:

Here's the latest HJT log:

-----

Logfile of HijackThis v1.99.1
Scan saved at 14:38:10, on 29-12-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\Image ActiveX Object\pmsngr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\Image ActiveX Object\pmmon.exe
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\iTunes\iTunesHelper.exe
C:\Programas\iPod\bin\iPodService.exe
C:\Programas\Java\jre1.5.0_10\bin\jusched.exe
C:\Programas\Lexmark 2400 Series\lxcrmon.exe
C:\Programas\Lexmark 2400 Series\ezprint.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Programas\SpywareGuard\sgmain.exe
C:\Programas\SpywareGuard\sgbhp.exe
C:\Programas\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iol.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Barra de ferramentas - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programas\Lexmark Toolbar\toolband.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programas\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Lexmark Barra de ferramentas - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programas\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programas\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" -startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Programas\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programas\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RSD_HDDThermo] "C:\Programas\HDD Thermometer\HDD Thermometer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Startup: SpywareGuard.lnk = C:\Programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe

-----

(If you also need the HJT log from before having done any of the fixing/cleaning I did already, please say.)

Edited by DeLuk, 29 December 2006 - 10:56 AM.



#2 ourwilly (Members, 921 posts)

Posted 29 December 2006 - 03:16 PM

Hello :thumbsup:

I would like to take a look at this log for you
and will get back to you as soon as I can.

Thank You.

#3 DeLuk (Topic Starter)

Posted 30 December 2006 - 07:31 AM

Hello ourwilly, and thank you for your reply. :thumbsup:

I see that an updated version of SmitfraudFix (version 2.132) was released yesterday, which already deals with C:\Programas\Image ActiveX Object\, which I suppose must be good news for me. :flowers:

I won't run a new fix with it, nor take any next step to fixing this infection, though, without your prior advice; yet, should it be useful for your analysis, I did already run a search with this new version of SmitfraudFix, here's the report log:

-----

SmitFraudFix v2.132

Scan done at 12:18:00.14, 30-12-2006
Run from C:\Documents and Settings\q\Ambiente de trabalho\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\q


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\q\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\q\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programas

C:\Programas\Image ActiveX Object\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

-----

I'll be standing by for your further instructions, and thanks once more for any help. :huh:

Edited by DeLuk, 30 December 2006 - 08:09 AM.


#4 ourwilly (Members, 921 posts)

Posted 01 January 2007 - 03:15 AM

Hello DeLuk :thumbsup:

Step 1

Please disable SpywareGuard's protection until your system is clean of malware.

Right click the Spywareguard system tray icon to open the program.
Click on "Options" and uncheck all the three boxes before clicking Save Settings.
Then click on Menu | File | Exit and confirm you wish to close the program.

Before we start you will need to make a back-up of the registry. This is standard procedure before carrying out any alterations to it.
Go to Start > Run, enter "regedit" (without the quotes) and click on OK.
Highlight My Computer by clicking on it and then go to File > Export...
Give the file an appropriate name, registry backup perhaps, leave the "Save As Type:" as it is and save it somewhere safe.
The Desktop is NOT a good idea as it's too close to the Recycle Bin for comfort!
This may take a moment or two so don't worry.

Go to: Start | Run, type in Notepad

Click Format from the Notepad menu and ensure "Word Wrap" is NOT selected.
Copy the text below into Notepad.

REGEDIT4

[-HKEY_USERS\S-1-5-21-1202660629-1060284298-1708537768-1003\Software\Internet Security]

[-HKEY_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM]


Click : File | Save As
Change the Save as type to All Files
Save it to your desktop as fix.reg

Locate fix.reg on your desktop and double-click it.
When asked if you want to merge with the registry, click YES.
Wait for the merged successfully prompt.


Step 2

Scan with HijackThis again and place a checkmark in the boxes before the following entries:

O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k

If Webroot Spy Sweeper is no longer Installed then include this line below:
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Close any Explorer windows which may be open and click the "Fix Checked" button.


Step 3

Please Reboot your System into Safe Mode
Shut down your system, then restart your computer; as soon as it starts booting up again, continuously tap F8 and from the menu select the option to enter Safe Mode.

Re-open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


Step 4

Please Re-scan with HijackThis and post

1/ The new HJT log
2/ The C:\rapport.txt

Thank you
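The steps above are the helper's judgement calls made by eye over the HijackThis log in post #1: the two "(file missing)" entries are orphaned hooks from uninstalled software, the KernelFaultCheck/dumprep line is a harmless Windows crash-report leftover, and the only live rogue components are the paths under C:\Programas\Image ActiveX Object\. The following Python is an added example, not code from this thread, from HijackThis or from SmitfraudFix: it runs that triage over a constructed sample of log lines copied from post #1, and it builds the REGEDIT4 deletion file from Step 1 with a check on the hive name, since a mistyped hive makes regedit silently do nothing. The rogue-folder list and the sample lines come from this thread's own logs; the `Finding` class, the function names and the benign-leftover table are my own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Folder names that the scanners in this thread tied to the AntiVermins /
# Smitfraud infection. Assumption: an illustrative list, not a vendor signature set.
ROGUE_DIRS = ("image activex object", "video activex object", "antivermins")

# Leftovers that are not malware but that HijackThis-era helpers tell users to
# fix anyway. KernelFaultCheck / dumprep is written by Windows after a crash.
BENIGN_LEFTOVERS = {
    "dumprep 0 -k": "KernelFaultCheck: Windows crash-report leftover, harmless, safe to fix",
}

# HijackThis entry lines start with a section tag such as O2, O4, O20, O23, R0.
HJT_ENTRY = re.compile(r"^[ORFN]\d+\s+-\s+")

VALID_HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
               "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG"}


@dataclass
class Finding:
    line: str
    severity: str  # "suspicious" | "orphan" | "benign-leftover"
    reason: str


def triage_hjt(log_text: str) -> list[Finding]:
    """Flag lines of a HijackThis log that deserve a closer look.

    Checks, in priority order:
      1. any path (running process or entry) under a known rogue folder;
      2. entries whose target no longer exists ("(file missing)"), i.e. orphaned
         hooks left behind by uninstalled software;
      3. known benign leftovers such as KernelFaultCheck.
    """
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()

        hit = next((d for d in ROGUE_DIRS if "\\" + d + "\\" in low), None)
        if hit is not None:
            findings.append(Finding(line, "suspicious", f"path under rogue folder '{hit}'"))
            continue

        if HJT_ENTRY.match(line) is None:
            continue  # header line or a clean "Running processes" path
        if "(file missing)" in low:
            findings.append(Finding(line, "orphan", "target file missing; orphaned entry"))
        for marker, note in BENIGN_LEFTOVERS.items():
            if marker in low:
                findings.append(Finding(line, "benign-leftover", note))
    return findings


def reg_delete_script(keys: list[str]) -> str:
    """Build a REGEDIT4 file that deletes each listed key, the way the fix.reg in
    this thread does: a leading '-' inside the brackets means "delete this key
    and everything under it". The hive name is validated so a typo cannot turn
    the line into a silent no-op."""
    out = ["REGEDIT4", ""]
    for key in keys:
        hive = key.split("\\", 1)[0]
        if hive.upper() not in VALID_HIVES:
            raise ValueError(f"unknown registry hive in {key!r}")
        out += [f"[-{key}]", ""]
    return "\r\n".join(out)  # regedit expects CRLF and a trailing blank line


# Constructed sample: a handful of lines copied from the HJT log in post #1.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Programas\Image ActiveX Object\pmsngr.exe
C:\Programas\Image ActiveX Object\pmmon.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
"""

# The two keys ourwilly's fix.reg removes (taken from post #4).
FIX_KEYS = [
    r"HKEY_USERS\S-1-5-21-1202660629-1060284298-1708537768-1003\Software\Internet Security",
    r"HKEY_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM",
]

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{f.severity:15}] {f.reason}\n    {f.line}")
    print(reg_delete_script(FIX_KEYS))
```

Run as-is it prints five findings from the sample and the generated .reg text. The severity split is the point: only the "suspicious" hits point at the infection itself; the orphans and the KernelFaultCheck line are hygiene, which is why the helper lists them separately from the SmitfraudFix run.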

#5 DeLuk (Topic Starter)

Posted 03 January 2007 - 02:02 PM

Hello again, ourwilly, and also again, thank you for your reply. :huh:

I've completed all steps as instructed. Here are both the SmitfraudFix and HJT logs, as requested:

-----

SmitfraudFix report log:

SmitFraudFix v2.132

Scan done at 21:52:17.90, 02-01-2007
Run from C:\Documents and Settings\q\Ambiente de trabalho\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Programas\Image ActiveX Object\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

-----

HJT report log:

Logfile of HijackThis v1.99.1
Scan saved at 22:03:02, on 02-01-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\iTunes\iTunesHelper.exe
C:\Programas\iPod\bin\iPodService.exe
C:\Programas\Java\jre1.5.0_10\bin\jusched.exe
C:\Programas\Lexmark 2400 Series\lxcrmon.exe
C:\Programas\Lexmark 2400 Series\ezprint.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programas\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Barra de ferramentas - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programas\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Lexmark Barra de ferramentas - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programas\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programas\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" -startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Programas\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programas\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RSD_HDDThermo] "C:\Programas\HDD Thermometer\HDD Thermometer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Startup: SpywareGuard.lnk = C:\Programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe

-----

Note: The Add/Remove Programs list still shows the System Alert Popup program as installed. Should I remove it manually? (Should I better remove it in Safe Mode? And should I run SmitfraudFix again, after removing this program?)

SpywareGuard loads as usual with Windows, but I'm keeping the protections disabled. Do please advise when I shall re-enable the protections; and if prompted about any changes, what to choose, Restore old value or Keep new value?

Additionally I've run a scan with both Panda ActiveScan and CCleaner, just to check if any of the two still reported about Altnet, but no, none of them reports it any longer. Panda ActiveScan report log shows nothing found (except for the obvious SmitfraudFix associated file Process.exe).

Also I've run a scan with both SpyBot and AVG Anti-Spyware, seen as these two programs both had previously reported about HKEY_USERS\S-1-5-21-1202660629-1060284298-1708537768-1003\Software\Internet Security, yet none of them reports about this any longer either. (While at it, I ran a scan with Ad-Aware too, and it also found nothing.) AVG Anti-Spyware (which was the last scanner of the 3 which I ran) did find a few items left in System Restore, though.

AVG Anti-Spyware report log:

---------------------------------------------------------
AVG Anti-Spyware - Relatório de verificação
---------------------------------------------------------

+ Criação: 0:42:56 03-01-2007

+ Resultado da verificação:

C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP58\A0033141.dll -> Adware.WorldSecurityOnline : Nenhuma ação executada.
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP57\A0031882.dll -> Downloader.Zlob.biu : Nenhuma ação executada.
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP57\A0031883.exe -> Downloader.Zlob.biu : Nenhuma ação executada.
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP57\A0031995.dll -> Downloader.Zlob.biu : Nenhuma ação executada.
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP57\A0031997.exe -> Downloader.Zlob.biu : Nenhuma ação executada.
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP58\A0032996.dll -> Downloader.Zlob.biu : Nenhuma ação executada.
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP58\A0032998.exe -> Downloader.Zlob.biu : Nenhuma ação executada.
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP58\A0033016.dll -> Downloader.Zlob.biu : Nenhuma ação executada.
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP58\A0033018.exe -> Downloader.Zlob.biu : Nenhuma ação executada.
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP58\A0033123.dll -> Downloader.Zlob.biu : Nenhuma ação executada.
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP58\A0033125.exe -> Downloader.Zlob.biu : Nenhuma ação executada.
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP58\A0033381.exe -> Downloader.Zlob.biu : Nenhuma ação executada.
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP60\A0037000.dll -> Downloader.Zlob.biu : Nenhuma ação executada.
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP60\A0037001.exe -> Downloader.Zlob.biu : Nenhuma ação executada.

::Fim do relatório

-----

Should I reset (disable and re-enable) the System Restore at this point, or?

Also, back to SmitfraudFix, wondering, should I now also run Option 3, Delete Trusted Zone, or?

Then, still regarding the HJT log, I am intrigued about those entries which say (file missing), especially those which refer to Avast (do those entries mean that there's something wrong with Avast, and if so, should I just re-install it or something?)... Are those entries, reporting (file missing), normal at all to be there, or?...

And lastly, just a bit of curiosity, if I may?... (I'm sorry for that, it's just that, well, being curious is one step forward to learning some more (some more than by just following steps "blindly", if you know what I mean), right? :thumbsup:) Well, I was only wondering about that part of Step 1 of your instructions, for creating the .reg file:

REGEDIT4

[-HKEY_USERS\S-1-5-21-1202660629-1060284298-1708537768-1003\Software\Internet Security]

[-HKEY_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM]


I was wondering what exactly does it stand for, the REGEDIT4 (or why isn't it for instance REGEDIT1 or 2 or 3, why is it 4)?... (I've noticed that, for example, the .reg file FixAV referred to in the AntiVermins Manual Removal Instructions guide also begins with REGEDIT4...)

And I was wondering what does it mean, the keys to be in between those square brackets and with the minus sign (-) in front of each respective key?... (Does that [-..........] stand for the key to simply be deleted from the registry, is that it?...)

Once more, I'll stand-by for your further instructions, and thank you so greatly, for your kind patience and help so far! :huh: (And sorry again, for the extra-asking... :flowers:)

Edited by DeLuk, 03 January 2007 - 02:06 PM.


#6 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male
  • Local time:11:01 PM

Posted 04 January 2007 - 12:35 PM

Hello DeLuk :thumbsup:

Step 1

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
Once you have done this you can now remove ghost entries in your registry ( like that System Alert Popup ), open regedit by going to start, run, and type in regedit. When regedit opens, you want to select the HKEY_LOCAL_MACHINE key. You need to expand this tree view by clicking on the + sign beside its name.

Once you have it expanded, find the key Software and expand it as you did before. Find and expand the Microsoft key, Find the key Windows and expand it. When you have the windows key expanded, look for the key CurrentVersion and expand that as well. Next you have to find the Uninstall key. (Ultimately you are trying to get to the Sub key level: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall).

When this key is expanded, you will see all of the applications listed under the add/remove programs menu. Select the application key corresponding to the application you would like to remove, also check key names you do not recognize by clicking them and displaying the values stored in each. Looking on the right hand pane in regedit of an open key, you can check to see if it corresponds to the application you are trying to remove and then you can remove these keys as well.

When you are all done removing these keys, close your registry and verify the results by opening add/remove applications. Your application should no longer be listed.


Step 2

Regarding the registry: you seem keen to learn about this, but I'm afraid the registry is not as easy as what you suggest.
If you wish to learn more on this subject then try asking in Here about places where you can learn about this.

As for the file missing question, although HJT reports This.. This does not mean it is actually missing,
Which is why we ask everyone to seek advice from those who have been trained in removing Malware.
and please note that Training can be found right here at the Bleeping Website :flowers:

Looks like you can now Delete the SmitfraudFix Tool from your system and If everything is running fine
Then I do recommend that you now purge those System Restore entries.

Instructions to "Disable" and then "Re-Enable" your System Restore

and here are some Tutorials you may like to Bookmark for future reference:

So how did I get infected in the first place?
Simple and easy ways to keep your computer safe and secure on the Internet

Thank you
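
As an added example (not part of ourwilly's instructions or of any tool named in the thread), the following PowerShell script lists the Add/Remove Programs entries under the Uninstall key whose uninstaller executable no longer exists on disk, which is exactly what a "ghost" entry like System Alert Popup looks like (its UninstallString pointed at a .tmp file in the Temp folder). It assumes PowerShell 3.0 or later; it only reports, and deletes nothing, so the ERUNT backup from Step 1 still comes before any manual removal.

```powershell
# Added example, not from the thread: report Uninstall entries whose uninstaller
# is missing. Nothing is deleted; the output is a review list for a human.

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # present on 64-bit hosts only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UninstallExecutable {
    # Pull the program path out of an UninstallString. Forms seen in practice:
    #   "C:\Program Files\Foo\unins000.exe" /SILENT     (quoted path plus arguments)
    #   C:\DOCUME~1\q\DEFINI~1\Temp\laf94.tmp /del       (unquoted path plus arguments)
    #   MsiExec.exe /X{GUID}                             (bare name resolved via PATH)
    param([string]$UninstallString)
    if ([string]::IsNullOrWhiteSpace($UninstallString)) { return $null }
    $s = $UninstallString.Trim()
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1)
        if ($end -gt 1) { return $s.Substring(1, $end - 1) }
        return $s.TrimStart('"')          # unbalanced quote: take the rest as the path
    }
    # Unquoted: grow the prefix token by token until it names an existing file, which
    # copes with unquoted paths that contain spaces; fall back to the first token.
    $tokens = $s -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = ($tokens[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Resolve-ExecutablePath {
    # Expand %windir%-style variables; a bare name without a path separator is
    # looked up through PATH the way the shell would do it.
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if ($expanded -notmatch '[\\/]') {
        $cmd = Get-Command $expanded -ErrorAction SilentlyContinue
        if ($cmd) { return $cmd.Source }
    }
    return $expanded
}

$orphans = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $props = Get-ItemProperty -LiteralPath $key.PSPath
        $exe = Get-UninstallExecutable $props.UninstallString
        if (-not $exe) { continue }       # entry has no UninstallString; nothing to check
        $resolved = Resolve-ExecutablePath $exe
        if (-not (Test-Path -LiteralPath $resolved -PathType Leaf)) {
            [pscustomobject]@{
                DisplayName     = $props.DisplayName
                Key             = $key.Name
                UninstallString = $props.UninstallString
                MissingFile     = $resolved
                # An "uninstaller" staged under a Temp folder is worth a closer look:
                # legitimate installers keep theirs with the program files.
                InTemp          = [bool]($resolved -match '\\Temp\\')
            }
        }
    }
}

$orphans | Sort-Object InTemp -Descending | Format-Table -AutoSize
```

Entries flagged with InTemp set are the ones to compare against the scanner reports before touching the key; an orphaned entry for a product you did uninstall normally (PestPatrol, Panda) is harmless clutter.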

#7 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • Gender:Not Telling
  • Location:Portugal
  • Local time:05:01 AM

Posted 04 January 2007 - 04:42 PM

Hi ourwilly, and again thank you for your reply, and advising. :huh: Yes, I do have those (and more) reference pages among my bookmarks already. :huh: (Just wished my brother would ever take a moment to read them, too... :thumbsup:) And yes, I am aware that the registry is not easy at all, not at all I wanted to suggest that; I know it isn't something for messing with, sometimes even for experts, let alone for a newbie in computers and a lay with no background knowledge for understanding something as crucial as the registry, as me! Yes, I am definitely most aware of this! :flowers: Anyway, it's really just that (mostly with everything) I like to (at least) have some "lights" about what I'm doing, as I was saying before, rather than just doing it, that's just it (and that's why sometimes I tend to "ask around", sorry for that again). :huh:

But, back on topic, I do though have a question, prior to completing these new instructions, regarding the removal of System Alert Popup.

Should I then not try first to remove it manually, directly from Add/Remove Programs in the Control Panel, to see if it gets removed by that way? Should I just proceed at once by the way you tell, removing the corresponding key from within HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall, yes? I do too suppose that this must be a "ghost" entry in the Add/Remove Programs list, as supposedly there must be no files left associated with this System Alert Popup program after the fix with SmitfraudFix, so I don't know what would happen if I'd try to remove it directly from Add/Remove Programs in the Control Panel?... In any case, I'm pasting below the registry entry referring to this System Alert Popup program, if useful for your analysis:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup]
"DisplayName"="System Alert Popup"
"UninstallString"="C:\\DOCUME~1\\q\\DEFINI~1\\Temp\\laf94.tmp /del"

And by doing as you tell, i.e. removing the corresponding key from within HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall, does this correspond to actually uninstall/eliminate any remainder of the program if there's any left, or does it only correspond to making the respective entry in the Add/Remove Programs list be deleted/disappear? (In other words, I think I can resume my doubt in this way: if I would complete this same procedure with any program which is currently installed, would this correspond to uninstalling/eliminating the program itself, i.e. all associated files, as if the program would be uninstalled from Add/Remove Programs in the Control Panel; is the actual "effect" the same?... I hope you understand my doubt?...)

Also, I would repeat both these questions from my previous post:

Regarding SmitfraudFix, before deleting the tool from my system, should I also run Option 3, Delete Trusted Zone, or?

And regarding SpywareGuard, I'm keeping the protections disabled; do please advise when I shall re-enable those; and if prompted about any changes after re-enabling the protections, what should I choose then, Restore old value or Keep new value (or is it irrelevant)?

Thank you so much, one time again, for your kind patience and help! :huh:

Edited by DeLuk, 04 January 2007 - 04:44 PM.


#8 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • Gender:Not Telling
  • Location:Portugal
  • Local time:05:01 AM

Posted 04 January 2007 - 04:46 PM

Just one thing more, as I'm also wondering about this particular entry in the HJT log:

O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/

Does that require to be fixed, or?...

#9 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male
  • Local time:11:01 PM

Posted 05 January 2007 - 01:13 PM

Hello DeLuk

Should I then not try first to remove it manually, directly from Add/Remove Programs in the Control Panel

Try that first.. If that fails follow my last instructions on Backing up the Registry and then delete this Bold entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup

O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/

It's possible for this setting to have been legitimately changed by a Computer Manufacturer or the Administrator of machine
Can't find anything bad on that entry

should I also run Option 3, Delete Trusted Zone

You can run this option but Please Note - if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford.
For SpywareBlaster, run the program and 're-enable all protection'.
For IE/Spyads, run the batch file and reinstall the protection.
Spybot's Immunize feature must be used again.

what should I choose then, Restore old value or Keep new value (or is it irrelevant)?

Little more information please First thought is you don't want to Restore anything bad as long as it is showing a legitimate entry for the New Value.
then it should be fine, If you are unsure then please post full details of the New Value.

ourwilly

#10 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • Gender:Not Telling
  • Location:Portugal
  • Local time:05:01 AM

Posted 05 January 2007 - 05:21 PM

Hi ourwilly. :huh:

Ok, so I first went for the option to remove the System Alert Popup manually, directly from Add/Remove Programs in the Control Panel. (Did that in Safe Mode.) As I chose to remove the program, I got (as expected) the following error message:

Error of the uninstallation program

An error has occured while trying to remove System Alert Popup. It may already have been uninstalled. Do you wish to remove System Alert Popup from the 'Add/Remove Programs' list?


And so I chose "Yes", and the entry was deleted from the list.

Next I went to check in the registry, whether the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup had as well been removed, and yes it did, this key no longer exists in the registry.

So I guess we're all done as for this issue, then, right? :huh:

After reboot to Normal Mode, I so ran SmitfraudFix again, and executed Option 3, Delete Trusted Zone, just for the sake of it. After that, I also already re-enabled all protections/immunizations in SpywareBlaster and SpyBot.

Next I re-enabled the protections in SpywareGuard as well. On the change prompts, I chose to Keep new value, anyway (as I'm guessing those are Microsoft's defaults for IE, which SmitfraudFix made be restored to default precisely, right?). The change prompts were as follows:

Your IE homepage has been changed!
Your Internet Explorer current user homepage has been changed from
about:blank
to
http://www.microsoft.com/isapi/redir.dll?p...ver=6ar=msnhome


---

Your IE default page has been changed!
Your Internet Explorer local machine default page has been changed from
http://www.iol.pt/
to
http://www.microsoft.com/isapi/redir.dll?p...ver=6ar=msnhome


---

Later I'll change the homepage back to blank, no big deal.

Anyways, lastly, so I purged the System Restore.

And so I suppose I'm clean of Smitfraud for good (for now, at least), yes? :huh:

Here's a fresh HJT log, just for the sake of a "rested conscience", so to speak. :huh:

HJT report log:

Logfile of HijackThis v1.99.1
Scan saved at 21:15:26, on 05-01-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Java\jre1.5.0_10\bin\jusched.exe
C:\Programas\Lexmark 2400 Series\lxcrmon.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Lexmark 2400 Series\ezprint.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programas\SpywareGuard\sgmain.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Barra de ferramentas - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programas\Lexmark Toolbar\toolband.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programas\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Lexmark Barra de ferramentas - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programas\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programas\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" -startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Programas\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programas\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RSD_HDDThermo] "C:\Programas\HDD Thermometer\HDD Thermometer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Startup: SpywareGuard.lnk = C:\Programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe

---

Back to the registry, and to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, one other question, though. Going through all the application keys under this Uninstall key, I've noticed that there are a couple of keys which refer to programs which have been uninstalled by now and no longer exist in the computer, as for instance PestPatrol or Panda Antivirus. Should I worry about these keys referring to uninstalled programs being there in the registry under this Uninstall key, or not at all, there's nothing to worry about, so I should just leave it all alone as is?...

And, going a bit off-topic, yet while on the registry subject, just wondering, would you advise/recommend using a program for registry optimization, such as iolo's System Mechanic or pctools' Registry Mechanic, or, not really?... Or even CCleaner's Registry Issues cleaning feature, maybe, would this be recommended at all?... Scanning for registry issues, it does find quite some stuffs too, in mostly all categories, and most of these do actually refer to programs which are no longer installed in the computer... And I always keep wondering, should I ever consider running CCleaner's cleanup for registry (at least for any entry which does indeed refer to such programs which are currently not installed anymore)?... Or is it just safer not to anyway?... (Is it absolutely safe, the use of such programs? Or is it just better not to "mess" with the registry, even by using such dedicated programs? I keep wondering, about these programs; and yet I keep unsure of whether to dare to use them... :thumbsup: I mean, I've used them before, but, always only just to scan, just to have an idea of the amount of items they'd find; but I never dared to actually choose to "fix" anything at all... :flowers: I was even thinking about trying out the new Windows Live OneCare, one of these days, but... Seems I'm never too sure whether to dare to, if it would be totally safe to, or not... :huh: Any advice in regards to this?...)

Then again, and also back to that entry in the HJT log, O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/, the reason I asked about it wasn't so much because I thought there might be something wrong with it, but rather because I wonder if that is necessary to exist... See, IOL is/was an Internet Service Provider, and it must have been their CD that was used when first installing Internet on this PC (this PC was bought second-hand), so maybe it was this installation that caused some IE settings to be "defaulted" to this ISP's own site, www.iol.pt, I'm guessing (just hope I'm not saying some nonsense!). Remember also that message from SpywareGuard, about the IE local machine default page having been changed from http://www.iol.pt/; this IE local machine default page has never been set by us here, and certainly never to any specific website, not www.iol.pt nor any other; so that's also why I got wondering about that entry in the HJT log. All in all, our current ISP is another one, it isn't IOL, thus why I wonder, if that entry in the HJT log does refer to some "must have" setting or something, or, if not, and if it would be fixed via HJT, might that eventually cause any malfunction, or?... Or should I just really not worry about this either, and again, just leave it alone as is?...

Edited by DeLuk, 06 January 2007 - 06:32 AM.


#11 ourwilly


Posted 07 January 2007 - 05:00 AM

Hello DeLuk

"Ok" you can use HijackThis and fix this entry: O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/

and you can remove PestPatrol or Panda Antivirus from that Registry key if these are not on your system anymore,
personally though it really is nothing to worry too much about,

and 'Sorry' I'm afraid I don't use any Registry Programs to clean my system so I can't recommend any to you, only can suggest to be cautious and find one that makes a Back-Up of any removed entries. It will be a better idea to ask in another section of the Forum some of your good questions for people's opinion towards recommending Software for you to try

Good luck with that

ourwilly

#12 DeLuk


Posted 07 January 2007 - 02:12 PM

Hmm, I tried and fixed that entry O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/ in HJT, yet I don't think that went so well, as after fixing it, I went to check the iereset.inf file, and the whole content of it was gone (not only that string had been fixed!; I thought only that string in the iereset.inf file would be fixed, not that all the strings would be erased, gosh :flowers:), and as choosing on IE, under Tools > Restore Web Definitions, I got the message that it had not been possible to restore those (I suppose that was because the iereset.inf file had no actual content any longer, no?)... So in the end I had to restore the system to the previous restore point, bah... Guess I better just never mind about it and leave that entry on HJT log as is, then, huh? (Or perhaps just manually edit that specific string directly in the file iereset.inf and change it from http://www.iol.pt to something else like for example the same as the default homepage, http://www.microsoft.com/isapi/redir.dll?p...ver=6ar=msnhome, would that maybe be an idea/option?... Or, not at all?... I don't know, don't even know if such file iereset.inf can be manually/directly edited?; truth is I have no idea of what I'm talking about, I'm only wondering in all of my ignorance, so pardon if I'm only saying nonsense... :thumbsup:)

And again, thank you so greatly for all help and yet all further advising. :huh:
I shall then in the future ask about Registry optimizing/cleaning programs in a more appropriate Forum section and ask for the members' views on this subject, there. :huh:

Edited by DeLuk, 08 January 2007 - 05:59 AM.


#13 ourwilly


Posted 08 January 2007 - 12:58 PM

Hello DeLuk :thumbsup:

I agree best not to worry over that entry and I'm sure you'll receive strong recommendations for a Registry Program,
I'll keep an eye out for your posting, I may just want to try one out myself.

ourwilly

#14 DeLuk


Posted 10 January 2007 - 03:24 PM

Ok, not worrying about that entry anymore (it's no such important detail, anyways)! :huh:

I'd only ask you to please review this fresh HJT log (I've just done some re-installing/updating of some programs, after cleaning up from the Smitfraud infection, and would appreciate if you'd just please double-check that everything shows alright in the log and there are no suspicious-looking entries; as I used the expression before, "for the sake of a rested conscience" :huh:) and, if everything indeed looks ok, and since all previous malware issues seemingly have been resolved, I believe this topic may be closed afterwards; if you see it fit, please do. :huh:

---

Logfile of HijackThis v1.99.1
Scan saved at 19:12:28, on 10-01-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Lexmark 2400 Series\lxcrmon.exe
C:\Programas\Lexmark 2400 Series\ezprint.exe
C:\Programas\Java\jre1.6.0\bin\jusched.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programas\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Programas\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programas\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Programas\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RSD_HDDThermo] "C:\Programas\HDD Thermometer\HDD Thermometer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Startup: SpywareGuard.lnk = C:\Programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe

---

And one time again, thank you truly, ourwilly, for your time and patience, help and assistance, thank you indeed! :huh: Hope I won't have to bother you guys anymore any time soon, about any more infections... Thanks for all once more, and cheers to the BC team! :thumbsup: Wishes of a great 2007!

And yet good luck, entering the HJT Team. :huh: (I believe this is what it must mean, to be a member of the HJT Senior Classmen group: to be in the training process for being admitted to the HJT Team, right? Then, and again, all best luck to you. :flowers:)

(I'll ask about Registry programs in the Software and Hardware > All other applications section of the forum, I'm supposing that to be the most appropriate, no?... I see some related threads in there...)

Edited by DeLuk, 11 January 2007 - 12:18 PM.
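
To see at a glance which lines in a log like the one above deserve a second look, here is a small added example (my own code, not HijackThis or anything posted in this thread) that parses HJT entries and groups the ones a reviewer checks first; the sample input is a handful of lines copied from the log above, not the full log.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the HJT log above (not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programas\SpywareGuard\dlprotect.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""
# An HJT entry starts with a section code (R0-R3, F0-F3, O1-O23) followed by " - ".
_ENTRY = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
_URL = re.compile(r"https?://\S+")

def parse_hjt(text):
    """Parse HJT log text into a list of entry dicts; the process list and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _ENTRY.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = _CLSID.search(body)
        url = _URL.search(body)
        entries.append({
            "section": m.group("section"),
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "url": url.group(0) if url else None,
            "file_missing": "(file missing)" in body,
            "unknown_owner": "Unknown owner" in body,
        })
    return entries

def section_counts(entries):
    """How many entries of each section type the log contains (R0, O2, O23, ...)."""
    return Counter(e["section"] for e in entries)

def triage(entries):
    """Group the entries a reviewer would check first. A '(file missing)' on an O23 line
    with a stray quote in its path (as in the avast line) is usually HJT misreading a quoted
    path rather than a real problem, so each hit still needs a human look."""
    return {
        "file_missing": [e for e in entries if e["file_missing"]],
        "unknown_owner": [e for e in entries if e["section"] == "O23" and e["unknown_owner"]],
        "remote_installs": [e["url"] for e in entries if e["section"] == "O16" and e["url"]],
    }
```

Running `triage(parse_hjt(SAMPLE_LOG))` on the sample flags the msnim protocol handler and the avast mail scanner as file-missing, and lists the Panda ActiveScan cab as the one remotely fetched O16 control.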


#15 ourwilly


Posted 11 January 2007 - 10:24 AM

Hello DeLuk :thumbsup:

Everything looks fine with your log and that does seem a good place to post your registry question

good luck, entering the HJT Team

Thank you and yes, as a Senior Classmen I'm still in training, long way to go for me though.

Best wishes to you and your family for 2007

Thank you,
ourwilly
