
Infection,trojans,adware,smitfraud C


  • This topic is locked
13 replies to this topic

#1 darkoskc

darkoskc

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 05 March 2007 - 12:48 PM

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

The owner clicked on a pop-up and installed something that was supposedly an ActiveX player, and the infection started...
There was no firewall, so some of these infections might have turned up before.

ActiveX was uninstalled (Add/Remove), and the notification couldn't - AV or AS caught it and quarantined it.

There was an icon in the system tray, on the Desktop, and in the Start menu (2), and an ad about "System at risk" (pop-up, constantly).

Most of these infections wouldn't go away; AVG AV caught two Trojans, AVG AS stopped replication in Safe Mode, and Ad-Aware and Spybot killed the rest.

Found and quarantined - logs



Spybot


Win32.Agent.yr: Settings (Registry value, nothing done)- !!!!!!!!!!!!!!
HKEY_USERS\S-1-5-21-1614895754-789336058-1957994488-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\*\keygen.exe

Zlob.VideoActiveXObject: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D}

SystemDoctor2006: Tracking cookie (Internet Explorer: Ja) (Cookie, nothing done)
ErrorProtector: Tracking cookie (Internet Explorer: Ja) (Cookie, nothing done)
ErrorProtector: Tracking cookie (Internet Explorer: Ja) (Cookie, nothing done)
Winsoftware: Tracking cookie (Internet Explorer: Ja) (Cookie, nothing done)
Winsoftware: Tracking cookie (Internet Explorer: Ja) (Cookie, nothing done)
Winsoftware: Tracking cookie (Internet Explorer: Ja) (Cookie, nothing done)
ReliableStats: Tracking cookie (Internet Explorer: Ja) (Cookie, nothing done)
MalwareAlarm: Tracking cookie (Internet Explorer: Ja) (Cookie, nothing done)
SystemDoctor2006: Tracking cookie (Internet Explorer: Ja) (Cookie, nothing done)
Winsoftware: Tracking cookie (Internet Explorer: Ja) (Cookie, nothing done)
Winsoftware: Tracking cookie (Internet Explorer: Ja) (Cookie, nothing done)
Win32.Small.ddx: Tracking cookie (Internet Explorer: Ja) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2007-03-05 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-01-15 advcheck.dll (1.2.1.0)
2007-01-02 Tools.dll (2.0.1.0)
2006-12-08 Includes\Dialer.sbi (*)
2007-02-07 Includes\Hijackers.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-02-14 Includes\Malware.sbi (*)
2007-01-19 Includes\PUPS.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-02-02 Includes\Spybots.sbi (*)
2007-02-14 Includes\Trojans.sbi (*)
2007-02-28 Includes\Cookies.sbi (*)
2007-02-28 Includes\Revision.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-02-28 Includes\TrojansC.sbi (*)
2007-02-28 Includes\SpybotsC.sbi (*)
2007-02-28 Includes\SecurityC.sbi (*)
2007-02-28 Includes\PUPSC.sbi (*)
2007-02-28 Includes\MalwareC.sbi (*)
2007-02-28 Includes\KeyloggersC.sbi (*)
2007-02-28 Includes\HijackersC.sbi (*)
2007-02-28 Includes\DialerC.sbi (*)





---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:34:50 PM 3/5/2007

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Cleaned.


::Report end


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:50:22 PM 3/5/2007

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1614895754-789336058-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Cleaned with backup (quarantined).


::Report end




Ad Aware


ArchiveData(darko 1.bckp)
Referencefile : SE1R157 05.03.2007
======================================================

WIN32.TROJANDOWNLOADER.ZLOB

obj[0]=Process : C:\Program Files\Video Access ActiveX Object\isamntr.exe
obj[17]=Regkey : clsid\{84938242-5c5b-4a55-b6b9-a1507543b418}
obj[18]=Regkey : clsid\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d}
obj[19]=Regkey : software\microsoft\windows\currentversion\explorer\browser helper objects\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d}
obj[20]=RegValue : software\microsoft\internet explorer\toolbar "{84938242-5c5b-4a55-b6b9-a1507543b418}"
obj[21]=RegValue : S-1-5-21-1614895754-789336058-1957994488-1003\software\microsoft\internet explorer\toolbar\Webbrowser "{84938242-5c5b-4a55-b6b9-a1507543b418}"
obj[35]=RegValue : software\microsoft\windows\currentversion\policies\explorer\run "user32.dll"
obj[36]=Folder : C:\Program Files\Video Access ActiveX Object
obj[37]=File : c:\documents and settings\all users\start menu\Security Troubleshooting.url
obj[38]=File : c:\documents and settings\all users\start menu\Online Security Guide.url
obj[39]=File : c:\documents and settings\all users\desktop\Online Security Guide.url

SPYDAWN

obj[1]=Regkey : interface\{101981f9-8ba3-4064-949b-3c5beb867134}
obj[2]=Regkey : interface\{16992424-7ac2-47f6-8799-bf4e8ebbecc1}
obj[3]=Regkey : interface\{28dc003f-7396-4b9d-8d0c-e40d8f4e3f4a}
obj[4]=Regkey : interface\{3a9ccaf6-08b8-4163-8dd8-3d9200314533}
obj[5]=Regkey : interface\{3f109e21-d00a-4222-9a42-4a7611122cf1}
obj[6]=Regkey : interface\{4db7b2c0-c3be-4a1d-915b-9b04981cf4b4}
obj[7]=Regkey : interface\{5fc90027-65c3-4e0c-91c7-e3d3296e3763}
obj[8]=Regkey : interface\{63948a86-9227-4dab-8aa6-ccd2111264a0}
obj[9]=Regkey : interface\{7a7ca289-6e1e-4a00-aa81-c5d252945645}
obj[10]=Regkey : interface\{7de844a5-dc96-4cd5-b4ee-1c7ae0b5e62a}
obj[11]=Regkey : interface\{929fc56a-ee5c-436c-bc73-68d583233485}
obj[12]=Regkey : interface\{94596fc9-cbf8-4f61-8a02-aacbb86b51ba}
obj[13]=Regkey : interface\{a048440c-9495-4757-8fb3-0383ade9e89d}
obj[14]=Regkey : interface\{cc09ac3e-aa61-4cbd-a351-df435c8fe5c2}
obj[15]=Regkey : interface\{cc61280d-617c-4007-9d21-3f6f7bba81fe}
obj[16]=Regkey : typelib\{c7281808-f7c3-4bed-940f-40b9fd5784b6}
obj[40]=Regkey : interface\{080c3ec1-ab54-40f3-88be-e6face068cf0}

TRACKING COOKIE

obj[22]=IECache Entry : Cookie:ja@real.com/
obj[23]=IECache Entry : Cookie:ja@2o7.net/
obj[24]=IECache Entry : Cookie:ja@zedo.com/
obj[25]=IECache Entry : Cookie:ja@atdmt.com/
obj[26]=IECache Entry : Cookie:ja@adbrite.com/
obj[27]=IECache Entry : Cookie:ja@mediaplex.com/
obj[28]=IECache Entry : Cookie:ja@media.fastclick.net/
obj[29]=IECache Entry : Cookie:ja@doubleclick.net/
obj[30]=IECache Entry : Cookie:ja@overture.com/
obj[31]=IECache Entry : Cookie:ja@goclick.com/
obj[32]=IECache Entry : Cookie:ja@fastclick.net/
obj[33]=IECache Entry : Cookie:ja@microsoftwlmessengermkt.112.2o7.net/
obj[34]=IECache Entry : Cookie:ja@questionmarket.com/


ArchiveData(auto-quarantine- 2007-03-05 16-19-29.bckp)
Referencefile : SE1R157 05.03.2007
======================================================

WIN32.TROJANDOWNLOADER.ZLOB

obj[0]=Process : C:\Program Files\Video Access ActiveX Object\isamntr.exe
obj[17]=Regkey : clsid\{84938242-5c5b-4a55-b6b9-a1507543b418}
obj[18]=Regkey : clsid\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d}
obj[19]=Regkey : software\microsoft\windows\currentversion\explorer\browser helper objects\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d}
obj[20]=RegValue : software\microsoft\internet explorer\toolbar "{84938242-5c5b-4a55-b6b9-a1507543b418}"
obj[21]=RegValue : S-1-5-21-1614895754-789336058-1957994488-1003\software\microsoft\internet explorer\toolbar\Webbrowser "{84938242-5c5b-4a55-b6b9-a1507543b418}"
obj[35]=RegValue : software\microsoft\windows\currentversion\policies\explorer\run "user32.dll"
obj[36]=Folder : C:\Program Files\Video Access ActiveX Object
obj[38]=File : c:\documents and settings\all users\start menu\Security Troubleshooting.url
obj[39]=File : c:\documents and settings\all users\start menu\Online Security Guide.url
obj[40]=File : c:\documents and settings\all users\desktop\Online Security Guide.url

SPYDAWN

obj[1]=Regkey : interface\{101981f9-8ba3-4064-949b-3c5beb867134}
obj[2]=Regkey : interface\{16992424-7ac2-47f6-8799-bf4e8ebbecc1}
obj[3]=Regkey : interface\{28dc003f-7396-4b9d-8d0c-e40d8f4e3f4a}
obj[4]=Regkey : interface\{3a9ccaf6-08b8-4163-8dd8-3d9200314533}
obj[5]=Regkey : interface\{3f109e21-d00a-4222-9a42-4a7611122cf1}
obj[6]=Regkey : interface\{4db7b2c0-c3be-4a1d-915b-9b04981cf4b4}
obj[7]=Regkey : interface\{5fc90027-65c3-4e0c-91c7-e3d3296e3763}
obj[8]=Regkey : interface\{63948a86-9227-4dab-8aa6-ccd2111264a0}
obj[9]=Regkey : interface\{7a7ca289-6e1e-4a00-aa81-c5d252945645}
obj[10]=Regkey : interface\{7de844a5-dc96-4cd5-b4ee-1c7ae0b5e62a}
obj[11]=Regkey : interface\{929fc56a-ee5c-436c-bc73-68d583233485}
obj[12]=Regkey : interface\{94596fc9-cbf8-4f61-8a02-aacbb86b51ba}
obj[13]=Regkey : interface\{a048440c-9495-4757-8fb3-0383ade9e89d}
obj[14]=Regkey : interface\{cc09ac3e-aa61-4cbd-a351-df435c8fe5c2}
obj[15]=Regkey : interface\{cc61280d-617c-4007-9d21-3f6f7bba81fe}
obj[16]=Regkey : typelib\{c7281808-f7c3-4bed-940f-40b9fd5784b6}
obj[37]=Regkey : interface\{080c3ec1-ab54-40f3-88be-e6face068cf0}

TRACKING COOKIE

obj[22]=IECache Entry : Cookie:ja@real.com/
obj[23]=IECache Entry : Cookie:ja@2o7.net/
obj[24]=IECache Entry : Cookie:ja@zedo.com/
obj[25]=IECache Entry : Cookie:ja@atdmt.com/
obj[26]=IECache Entry : Cookie:ja@adbrite.com/
obj[27]=IECache Entry : Cookie:ja@mediaplex.com/
obj[28]=IECache Entry : Cookie:ja@media.fastclick.net/
obj[29]=IECache Entry : Cookie:ja@doubleclick.net/
obj[30]=IECache Entry : Cookie:ja@overture.com/
obj[31]=IECache Entry : Cookie:ja@goclick.com/
obj[32]=IECache Entry : Cookie:ja@fastclick.net/
obj[33]=IECache Entry : Cookie:ja@microsoftwlmessengermkt.112.2o7.net/
obj[34]=IECache Entry : Cookie:ja@questionmarket.com/



Don't know how to open the report file in AVG Anti-Virus. It will be there in the next post.


Here is the hijackthis log


Logfile of HijackThis v1.99.1
Scan saved at 5:42:53 PM, on 3/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Video Access ActiveX Object\isamntr.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video Access ActiveX Object\isadd.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe




Other scans performed:
Lavasoft Look2Me and Virtumundo removers: nothing found
CWShredder: nothing found

Not removed

Spybot


Win32.Agent.yr: Settings (Registry value, nothing done)- !!!!!!!!!!!!!!


Windows Firewall is turned on, but will be replaced with a better solution.

Online scans will be done if needed.
This is not my computer,
so please consider that; the owner will be present shortly.
I was cleaning what I could.

Thanks!

Edited by darkoskc, 05 March 2007 - 12:59 PM.



#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:26 PM

Posted 05 March 2007 - 01:02 PM

Welcome to BleepingComputer darkoskc :thumbsup:

My name is Richie and I'll be helping you to remove the malware from your system.

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

*********************************

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option #1 Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

#3 darkoskc

darkoskc
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 05 March 2007 - 01:23 PM

Will do.
In the meantime, these are the AVG Anti-Virus results.



"General properties";""
"Report name";"Complete Test"
"Object summary";""
"Scanned";"28821"
"Threats Found";"2"
"Cleaned";"0"
"Moved to vault";"0"
"Deleted";"2"
"Errors";"0"
"Boot sector of disk C:";"Change";"Changed"
"C:\WINDOWS\system32\geplxss.dll";"";"Deleted"
"C:\Documents and Settings\Ja\Local Settings\Temp\lafC.tmp";"";"Deleted"


"General properties";""
"Report name";"Complete Test"
"Start time";"3/5/2007 12:27:08 PM"
"End time";"3/5/2007 2:42:46 PM (total: 2:15:37.4 hrs)"
"Launch method";"Scanning launched manually"
"Scanning result";"Threats found"
"Report status";"Scanning completed successfully"
" ";""
"Object summary";""
"Scanned";"28821"
"Threats Found";"2"
"Cleaned";"0"
"Moved to vault";"0"
"Deleted";"2"
"Errors";"0"
"Boot sector of disk C:";"Change";"Changed"
"C:\WINDOWS\system32\geplxss.dll";"";"Deleted"
"C:\Documents and Settings\Ja\Local Settings\Temp\lafC.tmp";"";"Deleted"

thanks
Results - in 3 minutes

#4 darkoskc

darkoskc
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 05 March 2007 - 01:37 PM

Cleaning done with ATF

This is the SmitfraudFix log

SmitFraudFix v2.147

Scan done at 19:29:16.09, Mon 03/05/2007
Run from C:\Documents and Settings\Ja\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Ja


C:\Documents and Settings\Ja\Application Data


Start Menu





Desktop


C:\Program Files

C:\Program Files\Video Access ActiveX Object\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{aed6f6a3-183c-488d-9f90-23db99f56e7f}"="apathies"

[HKEY_CLASSES_ROOT\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}\InProcServer32]
@="C:\WINDOWS\system32\geplxss.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}\InProcServer32]
@="C:\WINDOWS\system32\geplxss.dll"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32-huy32


Scanning wininet.dll infection


End

Edited by darkoskc, 05 March 2007 - 01:39 PM.


#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:26 PM

Posted 05 March 2007 - 02:06 PM

Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt

Post the SmitfraudFix report, and a new HijackThis log into your next reply.
Let me know how your pc is running now please.

#6 darkoskc

darkoskc
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 05 March 2007 - 02:10 PM

Report in 3 minutes
Thanks

#7 darkoskc

darkoskc
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 05 March 2007 - 02:38 PM

Sorry for the delay
Here are the logs

SmitFraudFix v2.147

Scan done at 20:19:07.67, Mon 03/05/2007
Run from C:\Documents and Settings\Ja\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{aed6f6a3-183c-488d-9f90-23db99f56e7f}"="apathies"

[HKEY_CLASSES_ROOT\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}\InProcServer32]
@="C:\WINDOWS\system32\geplxss.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}\InProcServer32]
@="C:\WINDOWS\system32\geplxss.dll"


Killing process


hosts


127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End




The second one




Logfile of HijackThis v1.99.1
Scan saved at 8:30:29 PM, on 3/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe




It (the PC) is running fairly OK.
No indication of anything bad.

Edited by darkoskc, 05 March 2007 - 02:41 PM.


#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:26 PM

Posted 05 March 2007 - 03:02 PM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
Exit Hijackthis.

***********************************

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save As. Save as Type: 'All Files', File name: fix.reg, to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{aed6f6a3-183c-488d-9f90-23db99f56e7f}"=-
[-HKEY_CLASSES_ROOT\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}]


Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the ActiveX control, please do so.
Once installed click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
Also post a new HijackThis log please, and let me know how your pc is running now.
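As an added example (not code from this thread, from HijackThis or from any of the tools used here), the script below parses HijackThis v1.99.1 logs in the format posted above, diffs a before and an after log, flags orphaned "(file missing)" entries and nameless BHOs of the kind Richie asks to fix, and cross-checks CLSIDs against a watch-list. The two embedded log excerpts are constructed from the first and last logs in the thread, and the KNOWN_BAD_CLSIDS set is an assumption seeded from the Zlob BHO CLSID that Spybot, AVG Anti-Spyware and Ad-Aware reported.

```python
"""Parse and diff HijackThis v1.99.1 logs (the format posted in this thread)."""
import re
from typing import Dict, List, Set, Tuple

ENTRY_RE = re.compile(r"^O\d+ - ")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumed watch-list: the CLSID of the Zlob "Video Access ActiveX Object" BHO
# that Spybot, AVG Anti-Spyware and Ad-Aware all reported earlier in the thread.
KNOWN_BAD_CLSIDS: Set[str] = {"{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D}"}

# Constructed excerpts (a few lines each) in the HijackThis format of the first
# and the last log in the thread, i.e. before and after the cleanup.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:42:53 PM, on 3/5/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\isamntr.exe

O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video Access ActiveX Object\isadd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:22:43 PM, on 3/5/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Split a log into its 'Running processes' list and its O-numbered entries."""
    processes: List[str] = []
    entries: List[str] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if ENTRY_RE.match(line):
            entries.append(line)
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """What disappeared and what appeared between two logs (case-insensitive paths)."""
    def gone_new(old: List[str], new: List[str]) -> Tuple[List[str], List[str]]:
        olds = {s.lower(): s for s in old}
        news = {s.lower(): s for s in new}
        return (sorted(olds[k] for k in olds.keys() - news.keys()),
                sorted(news[k] for k in news.keys() - olds.keys()))
    b, a = parse_hjt(before), parse_hjt(after)
    p_gone, p_new = gone_new(b["processes"], a["processes"])
    e_gone, e_new = gone_new(b["entries"], a["entries"])
    return {"processes_gone": p_gone, "processes_new": p_new,
            "entries_gone": e_gone, "entries_new": e_new}


def flag_entries(entries: List[str]) -> List[Tuple[str, str]]:
    """Entries a helper looks at first: orphaned targets and BHOs registered with no name."""
    flagged: List[Tuple[str, str]] = []
    for entry in entries:
        reasons = []
        if entry.endswith("(file missing)"):
            reasons.append("target file missing (orphaned entry)")
        if entry.startswith("O2 - BHO: (no name)"):
            reasons.append("BHO registered without a name")
        if reasons:
            flagged.append((entry, "; ".join(reasons)))
    return flagged


def clsid_hits(entries: List[str], known: Set[str]) -> List[str]:
    """Entries whose CLSID matches one that another scanner already reported."""
    wanted = {c.upper() for c in known}
    return [e for e in entries
            if any(c.upper() in wanted for c in CLSID_RE.findall(e))]


if __name__ == "__main__":
    for key, lines in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(key, *lines, sep="\n    ")
    for entry, why in flag_entries(parse_hjt(LOG_AFTER)["entries"]):
        print("FLAG:", why, "->", entry)
    for entry in clsid_hits(parse_hjt(LOG_BEFORE)["entries"], KNOWN_BAD_CLSIDS):
        print("KNOWN CLSID:", entry)
```

Run against the full logs from the thread, the diff shows the two Video Access ActiveX Object processes and the Zlob BHO gone after the fix, and the BitDefender uninstall entries as the only new items.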

#9 darkoskc

darkoskc
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 05 March 2007 - 03:05 PM

OK.
Thanks,
reports in a few minutes.

#10 darkoskc

darkoskc
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 05 March 2007 - 05:22 PM

Sorry, but this is a very slow PC; it took a long time.
The HijackThis log will be included in the next post.
The PC is running OK.





Scan report generated at: Mon, Mar 05, 2007 - 23:10:38
Scan path: A:\;C:\;D:\;E:\;

Statistics
Time: 01:27:23
Files: 65855
Folders: 1925
Boot Sectors: 3
Archives: 2006
Packed Files: 3772

Results
Identified Viruses: 0
Infected Files: 0
Suspect Files: 1
Warnings: 0
Disinfected: 0
Deleted Files: 1

Engines Info
Virus Definitions: 402840
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
C:\System Volume Information\_restore{13060EA1-64DB-400F-A14F-6B80C38BA114}\RP6\A0000742.DLL - Suspected of: Generic.Malware.dld!.35EA3C1F
C:\System Volume Information\_restore{13060EA1-64DB-400F-A14F-6B80C38BA114}\RP6\A0000742.DLL - Disinfection failed
C:\System Volume Information\_restore{13060EA1-64DB-400F-A14F-6B80C38BA114}\RP6\A0000742.DLL - Deleted

#11 darkoskc

darkoskc
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 05 March 2007 - 05:27 PM

This is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 11:22:43 PM, on 3/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe




The BD log doesn't cover the D partition (films and music, etc.); it was taking far too long, 1:25 h.


Thanks

Edited by darkoskc, 05 March 2007 - 05:30 PM.


#12 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 05 March 2007 - 05:38 PM

I cannot see any signs of a firewall on your system.
Possibly it's because you're using the Windows Firewall or a hardware firewall, or maybe you have it disabled.
If you don't use any firewall at all, you should download and install one of the following right away:

Sygate Personal Firewall Free Edition:
http://www.filehippo.com/download_sygate_personal_firewall/
Zone Alarm Free:
http://download.zonelabs.com/bin/free/1001..._737_000_en.exe
Comodo Personal Firewall:
http://www.personalfirewall.comodo.com/

******************************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
Exit Hijackthis.

******************************

Your log is clean :thumbsup:
If all's OK, please do the following:

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
Then select 'Yes', and your 'System Restore' directories will be purged.

Turn 'System Restore' back on:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'OK'.

Create a new 'System Restore' point:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description, then click on 'Create', then click 'Close'.
The date and time are created automatically.

You should now go to Windows Update and install any available critical/high priority updates.

Read through the info found here,to help you prevent any possible future infections.
How did I get infected? by Grinler:
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/
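Added example (not code from the thread, from HijackThis or from BleepingComputer): a short Python script that applies to a HijackThis v1.99 log the checks the reply above makes by eye. For each O2/O3/O4/O9/O16/O18/O23 line it pulls out the file, command or URL the entry points at and reports whether the file is marked missing (an orphaned entry, the case fixed above), whether it sits outside a trusted directory, whether a Run entry names a bare executable with no directory, and for O16 which host delivered the ActiveX control, since a fake ActiveX download is how this machine was infected. The sample input is five lines copied from the log posted in this thread plus one constructed BHO line under a Temp directory; the trusted-root list is an assumption for a default XP install, and a path under a trusted root is only a weaker signal, not a clean bill of health.

```python
"""Triage a HijackThis v1.99 log.

Added example for this thread, not HijackThis or BleepingComputer code.
For the sections that point at a file, command or URL it applies four
checks: "(file missing)" -> orphan; no directory in a Run command ->
bare-exe; path outside TRUSTED_ROOTS -> untrusted-path; O16 -> report the
download host.  TRUSTED_ROOTS is an assumption for a default Windows XP
install; malware does land in C:\WINDOWS\system32, so "ok" only means the
cheap checks passed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Sample input: five lines copied from the HijackThis log posted in this
# thread, plus one constructed O2 line (placeholder CLSID, Temp directory)
# to exercise the untrusted-path branch.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Sample BHO - {00000000-0000-0000-0000-000000000000} - C:\Documents and Settings\Owner\Local Settings\Temp\sample.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Directories a default XP install legitimately loads code from (assumption).
TRUSTED_ROOTS = (r"c:\program files", r"c:\progra~1", r"c:\windows", "%windir%")

LINE_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Finding:
    section: str   # O2, O4, O9, ...
    name: str      # BHO/button/service display name or Run-key value name
    target: str    # path, command line or URL the entry points at
    verdict: str   # ok | orphan | bare-exe | untrusted-path | web-download:<host>


def _target_of(section: str, body: str) -> Optional[Tuple[str, str]]:
    """Split a line body (text after 'Onn - ') into (name, target)."""
    if section == "O4":
        m = re.match(r".*?: \[(.*?)\] (.*)$", body)              # HKLM\..\Run: [name] command
        if not m:
            m = re.match(r"Global Startup: (.*?) = (.*)$", body)  # Global Startup: x.lnk = path
        return (m.group(1), m.group(2)) if m else None
    if section in ("O2", "O3", "O9", "O16", "O18", "O23"):
        head, _, target = body.rpartition(" - ")                 # last field is path/URL
        name = head.split(": ", 1)[-1].split(" - ")[0]           # drop 'BHO:' prefix and CLSID
        return (name, target)
    return None


def _executable(cmd: str) -> str:
    """First binary on a Run command line, quoted or not; spaces in paths are kept."""
    m = re.match(r'\s*"?(.*?\.(?:exe|dll|scr|com|cpl|bat))', cmd, re.I)
    return m.group(1) if m else cmd.strip()


def triage_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    parsed = _target_of(section, body)
    if parsed is None:
        return None
    name, target = parsed
    if section == "O16":                       # ActiveX fetched from the web: always worth a look
        host = urlparse(target).hostname or "?"
        return Finding(section, name, target, f"web-download:{host}")
    if target.endswith("(file missing)"):      # registry points at nothing: orphan, safe to fix
        return Finding(section, name, target, "orphan")
    exe = _executable(target) if section == "O4" else target
    low = exe.lower()
    if "\\" not in low and "/" not in low:     # e.g. 'nwiz.exe' or 'RUNDLL32.EXE': resolved via PATH
        return Finding(section, name, target, "bare-exe")
    if not low.startswith(TRUSTED_ROOTS):
        return Finding(section, name, target, "untrusted-path")
    return Finding(section, name, target, "ok")


def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:4} {f.verdict:40} {f.name:34} {f.target}")
```

Run it as a script to print one verdict per line, or import triage_log and feed it a whole saved log. The "bare-exe" verdict also catches RUNDLL32.EXE entries, which is intended: for those the DLL on the command line is what needs checking, not rundll32 itself.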

#13 darkoskc (Topic Starter, Members, 9 posts)

Posted 05 March 2007 - 05:44 PM

Windows Firewall is On
But it will be replaced

Ok.
Thanks for everything
and thanks for links

#14 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 05 March 2007 - 05:50 PM

You're most welcome :thumbsup:

Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter.
Everyone else please begin a New Topic.



