05-26-2006, 09:32 AM   #1
edo (Registered User, Join Date: Oct 2005, Posts: 70, OS: xp)

help on hijackthis

Hi, I am helping my neighbour on his computer, I tried to install Norton AntiVirus 2005 but I can't seem to do it.
I removed all the components and then restarted in safe mode but it still won't let me so I decided to do a Kaspersky scan and there's a lot of viruses, I think that may be why it won't install.
Anyway, I'll also post the HijackThis log here and when all is fixed I will try again and if that doesn't work I'll post on the software thread in this forum.
Anyway let's try to get all the viruses out first, and then we'll see.
Oh, by the way, the reason that Norton won't load, it says, is error message 9999,171.
But I did everything they said on their troubleshooting page and I think it must be because of the viruses.
I will download and run Ewido while I am waiting for your reply.
Thanks in advance,
Also there is this annoying pop-up blocker (so-called) called Spyware Doctor I think that might be malware too.
Edo

Kaspersky log:
[KASPERSKY ON-LINE SCANNER REPORT
Friday, May 26, 2006 8:17:49 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 26/05/2006
Kaspersky Anti-Virus database records: 184608


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics
Total number of scanned objects 65759
Number of viruses found 12
Number of infected objects 19
Number of suspicious objects 0
Duration of the scan process 12:56:49

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\068B35E5.dll Infected: Virus.Win32.Nsag.b skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\123F1DF9.exe Infected: Trojan.Win32.Small.ev skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1EA45867.cla Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2FED4DEE.tmp Infected: Trojan.Java.ClassLoader.d skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34553A6B.dll Infected: Trojan.Win32.P2E.bt skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34586467.exe Infected: Trojan.Win32.P2E.bs skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4ADC4E5D.tmp Infected: Trojan.Java.ClassLoader.h skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61092B45.cla Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61092B45.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61092B45.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61092B45.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61092B45.zip ZIP: infected - 3 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61092B45.zip CryptFF: infected - 3 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\610C5541.cla Infected: Trojan.Java.ClassLoader.Dummy.d skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\718F5942.exe Infected: Trojan-Downloader.Win32.Harnig.bq skipped

C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-1102117c-5e60a5b9.class Infected: Trojan-Downloader.Java.OpenStream.y skipped

C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-2deaed43-55ecf01c.class Infected: Trojan-Downloader.Java.OpenStream.y skipped

C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv798.jar-32a38fa0-384b200e.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped

C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv798.jar-32a38fa0-384b200e.zip ZIP: infected - 1 skipped

Scan process completed.
]


Hijackthis log:
[Logfile of HijackThis v1.99.1
Scan saved at 8:22:41 AM, on 5/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rociosdesign.com/?Enter=Website CLICK YES TO ENTER WEBSITE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C7E3117C9AA975760EA83FA5EF80752B94E3D87A597E422B3EC3 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZN
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zang...6fcf10f63fa780
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

]

Last edited by edo; 05-26-2006 at 09:46 AM. Reason: forgot something

05-26-2006, 11:50 AM   #2
alba (Analyst, Security Team, Join Date: Feb 2005, Location: Eire, Posts: 2,006, OS: Vista, Ubuntu 8.04)

Hi there and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

Please be patient with me during this time.


We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".


regards
alba
__________________


Member of UNITE

If I have helped you in anyway, please DONATE to TSF Go raibh maith agat
05-26-2006, 04:22 PM   #3
alba (Analyst, Security Team, Join Date: Feb 2005, Location: Eire, Posts: 2,006, OS: Vista, Ubuntu 8.04)

Hi ya edo

This is a legitimate Program see Here to find out more about it

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


===============================================

Additional Downloads

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.


=================

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

=================

Please download Ewido Anti-Malware
  • Install ewido anti-malware
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

=================

Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:


Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/MediaGateway.BFU

Make sure all IE windows are closed.

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html


===============================================

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

==============================================

Next, reboot your computer in SafeMode :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.


===============================================

Un-installing Programmes

From Control Panel->Add/Remove Programs, uninstall the following programs, if present:
  • MyWebSearch

=================

Fixing Entries with HijackThis

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :


R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZN
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zang...6fcf10f63fa780


Please remember to close all other windows, including browsers then click Fix checked.

===============================================


Deleting Files/Folders

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\Program Files\MyWebSearch

=================

Purging Temp Folders

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the “Temporary Files” and uncheck the box for “Scan drives for file matching” if it’s checked.
Click OK
Press the CleanUp! button to start the program. Once it's finished Cleanup will ask you to logoff/reboot. Please select NO as we will do this later.

=================

Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

===============================================


REBOOT TO NORMAL MODE


Establish an internet connection

Please use Symantec's guide to remove quarantined files.

Updating Java and Clearing Cache
  1. Go to Start > Control Panel, then double-click on the Java Icon (coffee cup) in the Control Panel.
  2. It will say "Java Plug-in" under the icon.
  3. If it is not visible, click on 'Switch to Classic View' in the left pane of the Control Panel or 'Other Control Panel Options'
  4. Please find the Update button or tab in the Java Control Panel. Update your Java then reboot.
  5. If you are unable to update you can manually update by going here:
  6. After the reboot, go back into the Control Panel and double-click the Java Icon.
  7. Under the Advanced Tab, click <Applet> tag support and select the browser(s) you are using.
  8. Under Temporary Internet Files, click the Delete Files button.
  9. There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  10. Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  11. Click OK to leave the Java Control Panel.

=================



Running Additional Scanners

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



=================

I see you have msconfig enabled. This may prevent us from seeing everything running on your system. Please re-enable all startup items.

Go to Start>Run type msconfig and press Enter.

Select Normal Startup - Load all Device Drivers and Services

Reboot.

Run a new HijackThis scan. Save the log file and post it here.

===============================================

In your next post, please include fresh logs from:
  1. Ewido
  2. Online scan
  3. HiJackThis
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
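A way to check a follow-up HijackThis log against the fix list in the post above, as an added example that is not part of alba's instructions. It reports fixed entries that are still present and other entries that still point into a removed folder, including 8.3 short-path forms such as PROGRA~1\MYWEBS~1 that a plain text search for the folder name misses. The function names are hypothetical; the log lines are copied from the logs posted in this thread.

```python
import re

# Added illustration; function names are hypothetical, not part of HijackThis.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")   # e.g. "O2 - BHO: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")
SHORT_RE = re.compile(r"^([^~]{1,6})~\d$")           # 8.3 alias such as MYWEBS~1

# The five entries from the fix list in this thread (URLs elided as on the page).
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZN
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zang...6fcf10f63fa780
"""

# Excerpt of the follow-up log posted in this thread (not the whole log).
FOLLOWUP_EXCERPT = r"""
Logfile of HijackThis v1.99.1
Scan saved at 7:40:57 PM, on 5/27/2006
C:\WINDOWS\system32\svchost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZN
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
"""

# Folder the instructions say to delete.
REMOVED_FOLDERS = [r"C:\Program Files\MyWebSearch"]


def parse_entries(log_text):
    """Return (section, body) per entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def entry_key(section, body):
    """Identify an entry by section plus CLSID, or by its full text if it has none."""
    clsid = CLSID_RE.search(body)
    return (section, clsid.group(0).lower() if clsid else body.lower())


def component_matches(long_name, candidate):
    """True if candidate is long_name or its simple 8.3 alias (first 6 chars + ~N).

    Hash-style aliases (such as MI1933~1 in these logs) are not recognised.
    """
    if candidate.lower() == long_name.lower():
        return True
    m = SHORT_RE.match(candidate)
    if not m:
        return False
    return long_name.replace(" ", "").upper()[:6] == m.group(1).upper()


def references_folder(body, folder):
    """True if any drive path in body lies under folder, in long or 8.3 form."""
    want = folder.rstrip("\\").split("\\")
    for m in DRIVE_RE.finditer(body):
        have = body[m.start():].split("\\")
        if len(have) >= len(want) and all(
            component_matches(w, h) for w, h in zip(want, have)
        ):
            return True
    return False


def verify_fix(fix_text, followup_text, removed_folders):
    """Split follow-up entries into fixed-but-still-present and residual references."""
    fixed_keys = {entry_key(s, b) for s, b in parse_entries(fix_text)}
    still_present, residual = [], []
    for section, body in parse_entries(followup_text):
        if entry_key(section, body) in fixed_keys:
            still_present.append((section, body))
        elif any(references_folder(body, f) for f in removed_folders):
            residual.append((section, body))
    return still_present, residual


if __name__ == "__main__":
    still, residual = verify_fix(FIX_LIST, FOLLOWUP_EXCERPT, REMOVED_FOLDERS)
    for section, body in still:
        print("STILL PRESENT:", section, "-", body)
    for section, body in residual:
        print("RESIDUAL REF :", section, "-", body)
```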
05-27-2006, 08:43 PM   #4
edo (Registered User, Join Date: Oct 2005, Posts: 70, OS: xp)

I did almost everything except:
I haven't been able to open the Norton antivirus, but I did find 2 parts thereof, one in C: and one in C:\program files, maybe I need to delete them both and start installation afresh?


ewido:
[---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:17:24 PM, 5/27/2006
+ Report-Checksum: FEC8B3AF

+ Scan result:

C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv798.jar-32a38fa0-384b200e.zip/Matrix.class -> Downloader.OpenStream.c : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv798.jar-32a38fa0-384b200e.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup
C:\Program Files\Zango\zango.exe -> Adware.180Solutions : Cleaned with backup
C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll -> Adware.Agent : Cleaned with backup
C:\Program Files\Zango Programs\Zango Toolbar\ZangoTBUninstaller.exe -> Adware.180Solutions : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ClientAX.dll -> Adware.180Solutions : Cleaned with backup


::Report End]

online panda scan:
[
Incident Status Location

Adware:adware/secure32 Not disinfected c:\program files\secure32.html
Dialer:dialer.b Not disinfected c:\windows\downloaded program files\EGAUTH.inf
Adware:adware/quicksearch Not disinfected c:\windows\downloaded program files\Install.inf
Adware:adware/gator Not disinfected c:\windows\GatorPdpLoudInstaller.log
Adware:adware program Not disinfected c:\windows\ss3unstl.exe
Potentially unwanted tool:application/anti-virus-pro Not disinfected c:\program files\Anti-Virus-Pro
Potentially unwanted tool:application/zango Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Zango Toolbar
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
Adware:adware/ncase Not disinfected Windows Registry
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.pointroll[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mediaplex[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@questionmarket[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tribalfusion[1].txt
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
]

hijackthis log:
[Logfile of HijackThis v1.99.1
Scan saved at 7:40:57 PM, on 5/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SPYWAR~2\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rociosdesign.com/?Enter=Website CLICK YES TO ENTER WEBSITE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~2\swdoctor.exe /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Magentic] C:\PROGRA~1\Magentic\bin\Magentic.exe /c
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: .protected
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: .protected
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZN
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

]
Old 05-28-2006, 02:58 PM   #5 (permalink)
Analyst, Security Team
 
alba
 
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


Hi ya edo


----------- We should leave this until you are clean, but you would be better getting rid of all traces of Norton then do a re-install

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't good at all. They collect information about you and your usage. We recommend uninstalling it.

===============================================

Next, reboot your computer in SafeMode :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.


===============================================

Un-installing Programmes

From Control Panel->Add/Remove Programs, uninstall the following programs, if present, :
  • WildTangent
  • Anti-Virus-Pro
  • Zango
=================

Fixing Entries with HijackThis

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE



Please remember to close all other windows, including browsers then click Fix checked.

===============================================


Deleting Files/Folders

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\Program Files\WildTangent
  • C:\PROGRA~1\MYWEBS~1
  • c:\program files\Anti-Virus-Pro
  • C:\Program Files\Zango
  • C:\Program Files\Zango Programs

Locate and delete the following files:
  • c:\program files\secure32.html
  • c:\windows\GatorPdpLoudInstaller.log
  • c:\windows\ss3unstl.exe

Search for & delete ... using Start> Search... the following files:
  • ALCXMNTR.EXE

=================

Go to Start > Run and type: regsvr32 /u occache.dll and click 'OK'.

Delete the following:
  • c:\windows\downloaded program files\EGAUTH.inf
  • c:\windows\downloaded program files\Install.inf


Go to Start > Run and type: regsvr32 occache.dll and click 'OK'.

=================

Open Internet Explorer

Click >Tools> Internet Options

Then click on Delete cookies, delete Files and clear history

===============================================

Please do the following

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK

REGEDIT4

[-hkey_classes_root\clsid\{147A976F-EEE1-4377-8EA7-4716E4CDD239}]

[-hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Zango Toolbar]

Please download the file attached - edofix.zip
From within edofix.zip, doubleclick edofix.reg & allow it to merge with the Registry

=================

REBOOT TO NORMAL MODE

=================

Running Additional Scanners

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions.

Then configure it as follows:
  • From the left pane, click Options
  • Select the Sweep Options tab & ensure the following are ticked:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All Users accounts
    • Do Not Sweep System Restore Folder
    • Enable Direct Disk Sweeping
    • Sweep For Rootkits
  • After that's done, select Sweep from the left pane & click on the Start button
  • Allow Spysweeper to reboot your machine to remove the infected files.
*Note* If you want a log from the program add this at the end.

After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.

=================

Please Run a scan with HiJackThis and save the log

===============================================

In your next post, please include fresh logs from:
  1. Online scan
  2. HiJackThis
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
Attached Files
File Type: zip edofix.zip (266 Bytes, 2 views)
__________________


Member of UNITE

If I have helped you in anyway, please DONATE to TSF Go raibh maith agat
Old 05-29-2006, 01:00 PM   #6 (permalink)
edo
Registered User
 
Join Date: Oct 2005
Posts: 70
OS: xp


the ccleaner messed up some stuff on load up I think, cause it says:
File: protected open with...
Also it says:
WTSocketwindow: gamechannel.exe application error
the instruction at "0x00404f67" referenced memory at "0x00000005c" the memory could not be read
And:
Rundll:
error loading C:\progra~1\mywebs~1\bar\1bin\mwsbar.dll
specified module could not be found
anti-virus-pro, could not be found,
zango could not be removed.
Hijack this, 04...gamechannel could not be found
C:\progra~1 could not be found;

c:\windows\downloaded program files\EGAUTH.inf
c:\windows\downloaded program files\Install.inf
could not be found

This following line what do I do with that, make a new notepad doc and save these lines in there?
REGEDIT4

[-hkey_classes_root\clsid\{147A976F-EEE1-4377-8EA7-4716E4CDD239}]

[-hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Zango Toolbar]?



Ok I did all that but forgot to start in safe mode is that a problem?

Ok, here are the webroot results:
[********
11:22 AM: | Start of Session, Monday, May 29, 2006 |
11:22 AM: Spy Sweeper started
11:22 AM: Sweep initiated using definitions version 686
11:22 AM: Starting Memory Sweep
11:26 AM: Memory Sweep Complete, Elapsed Time: 00:03:05
11:26 AM: Starting Registry Sweep
11:26 AM: Found Adware: 180search assistant/zango
11:26 AM: HKCR\lmgr180.wmdrmax.1\ (3 subtraces) (ID = 1151708)
11:26 AM: HKLM\software\classes\lmgr180.wmdrmax.1\ (3 subtraces) (ID = 1151753)
11:26 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/saix.dll\ (2 subtraces) (ID = 1156667)
11:26 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\saix.dll (ID = 1156675)
11:26 AM: Registry Sweep Complete, Elapsed Time:00:00:12
11:26 AM: Starting Cookie Sweep
11:26 AM: Found Spy Cookie: pointroll cookie
11:26 AM: compaq_owner@ads.pointroll[2].txt (ID = 3148)
11:26 AM: Found Spy Cookie: apmebf cookie
11:26 AM: compaq_owner@apmebf[2].txt (ID = 2229)
11:26 AM: Found Spy Cookie: mediaplex cookie
11:26 AM: compaq_owner@mediaplex[1].txt (ID = 6442)
11:26 AM: Found Spy Cookie: qksrv cookie
11:26 AM: compaq_owner@qksrv[2].txt (ID = 3213)
11:26 AM: Found Spy Cookie: tribalfusion cookie
11:26 AM: compaq_owner@tribalfusion[1].txt (ID = 3589)
11:26 AM: Cookie Sweep Complete, Elapsed Time: 00:00:02
11:26 AM: Starting File Sweep
2:40 PM: Found Adware: instant access
2:40 PM: svcsysnet32.inf (ID = 63912)
2:40 PM: egauth.inf (ID = 63700)
2:40 PM: Found Adware: screensavers
2:40 PM: sinstaller.inf (ID = 74756)
2:42 PM: File Sweep Complete, Elapsed Time: 03:15:48
2:42 PM: Full Sweep has completed. Elapsed time 03:19:10
2:42 PM: Traces Found: 20
2:45 PM: Removal process initiated
2:45 PM: Quarantining All Traces: 180search assistant/zango
2:45 PM: Quarantining All Traces: instant access
2:45 PM: Quarantining All Traces: screensavers
2:45 PM: Quarantining All Traces: apmebf cookie
2:45 PM: Quarantining All Traces: mediaplex cookie
2:45 PM: Quarantining All Traces: pointroll cookie
2:45 PM: Quarantining All Traces: qksrv cookie
2:45 PM: Quarantining All Traces: tribalfusion cookie
2:45 PM: Removal process completed. Elapsed time 00:00:04
********
11:19 AM: | Start of Session, Monday, May 29, 2006 |
11:19 AM: Spy Sweeper started
11:20 AM: Your spyware definitions have been updated.
11:22 AM: | End of Session, Monday, May 29, 2006 |
]


Online scan:
[
Incident Status Location

Adware:adware/quicksearch Not disinfected c:\windows\downloaded program files\Install.inf
Adware:adware/secure32 Not disinfected c:\windows\warnhp.html
Potentially unwanted tool:application/anti-virus-pro Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Anti-Virus-Pro
Potentially unwanted tool:application/zango Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Zango Toolbar
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search\
Possible Virus. Not disinfected C:\BLSInfo\Launch.exe
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@apmebf[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[1].txt
]
Hijack this log:
[Logfile of HijackThis v1.99.1
Scan saved at 2:58:51 PM, on 5/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SPYWAR~2\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rociosdesign.com/?Enter=W...NTER%20WEBSITE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~2\swdoctor.exe /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Magentic] C:\PROGRA~1\Magentic\bin\Magentic.exe /c
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: .protected
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: .protected
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZN
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

]
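A check that can be run on the logs posted so far, as an added example that is not part of the original thread: it confirms whether the fix-list entries are gone from the follow-up HijackThis log, diffs the two logs, and lists leftovers by vendor keyword. The sample logs are short excerpts constructed from lines quoted in the thread; the function names and the keyword list are assumptions.

```python
import re

# "O4 - HKLM\..\Run: [Name] command" -> section code, then the rest of the line
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Autorun entries are identified by hive\..\key and value name, not by command:
# the same entry can be printed with an 8.3 path in one log and a long path in the next.
RUN_RE = re.compile(r"^(?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]+)\]")


def squash(text):
    """Drop whitespace and case so forum-mangled tokens still compare equal."""
    return re.sub(r"\s+", "", text).lower()


def parse_log(text):
    """Map a stable key for each HijackThis entry to its original line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        section, body = m["section"], m["body"]
        run = RUN_RE.match(body) if section == "O4" else None
        if run:
            key = (section, run["key"].upper(), run["name"].lower())
        else:
            key = (section, squash(body))
        entries[key] = line
    return entries


def still_present(fix_list, log):
    """Fix-list entries that are still in the given log."""
    entries = parse_log(log)
    return [entries[k] for k in parse_log(fix_list) if k in entries]


def diff_logs(before, after):
    """Entries that appeared or disappeared between two logs."""
    b, a = parse_log(before), parse_log(after)
    added = sorted(a[k] for k in a.keys() - b.keys())
    removed = sorted(b[k] for k in b.keys() - a.keys())
    return added, removed


def residual(log, keywords):
    """Entries of any section that still mention one of the vendor keywords."""
    return [line for line in parse_log(log).values()
            if any(k in squash(line) for k in keywords)]


# The five entries from the "Fix checked" step, as quoted in the thread.
FIX_LIST = r'''
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaE ngineMain
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
'''

# Constructed excerpt of the first log (before the fix).
LOG_BEFORE = r'''
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~2\swdoctor.exe /Q
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZN
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
'''

# Constructed excerpt of the 5/29/2006 follow-up log (after the fix).
LOG_AFTER = r'''
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~2\swdoctor.exe /Q
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZN
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
'''

# Assumed keywords, taken from the product names in the removal instructions.
KEYWORDS = ["wildtangent", "mywebs", "zango"]

if __name__ == "__main__":
    print("fix-list entries still present:", still_present(FIX_LIST, LOG_AFTER))
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("added:", *added, sep="\n  ")
    print("removed:", *removed, sep="\n  ")
    print("residual:", *residual(LOG_AFTER, KEYWORDS), sep="\n  ")
```

On this sample the five autorun entries are gone, but the keyword pass still reports the O8 context-menu item pointing at mywebsearch.com, which matches the MenuExt\&Search finding in the online scan.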
Old 05-30-2006, 01:36 AM   #7 (permalink)
Analyst, Security Team
 
alba
 
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


Hi edo
Quote:
This following line what do I do with that, make a new notepad doc and save these lines in there?
REGEDIT4

[-hkey_classes_root\clsid\{147A976F-EEE1-4377-8EA7-4716E4CDD239}]

[-hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Zango Toolbar]?
Sorry, that is what is inside the edofix I asked you to download and merge into the registry. I should have removed that bit before I posted to you. Did you do that?
Last edited by alba; 05-30-2006 at 01:39 AM.
Old 05-30-2006, 10:32 AM   #8 (permalink)
Analyst, Security Team
 
alba
 
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


hi edo


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================
Please disable the following programs as they may interfere with the fix, you can re-enable them once we are finished.

Spyware Doctor

* From within Spyware Doctor, click the "OnGuard" button on the left side.
* Uncheck "Activate OnGuard".

SpySweeper

* Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
* On the left click "shields" and then uncheck everything there.
* Uncheck "home page shield".
* Uncheck "automatically restore default without notification".
* Exit the program.


===============================================


Additional Downloads

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

========================

Please run the BFU again using the following instructions

Run the program and click the Web button as shown here:


Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/MediaGateway.BFU

Make sure all IE windows are closed.

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html


===============================================

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!
========================

Important
Next, reboot your computer in SafeMode :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.


===============================================

Deleting Files/Folders

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK


Locate and delete the following folders, if present:
  • C:\Documents and Settings\Compaq_Owner\Application Data\Anti-Virus-Pro

Go to Start > Run and copy and paste: regsvr32 /u occache.dll

Locate and delete the following files:
  • c:\windows\warnhp.html
  • C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@apmebf
  • C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick
  • c:\windows\downloaded program files\Install.inf

Go to Start > Run and copy and paste: regsvr32 occache.dll into the command box and click 'OK'.

==============================



Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now.


Please download the file attached-edofix2.zip
From within edofix2.zip, doubleclick edofix2.reg & allow it to merge with the Registry


=========================================

REBOOT TO NORMAL MODE


I'd also like to see the following list:


Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
Please copy and paste the List from the notebook here.

==============================

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
  • Click on see report. Then click Save report
=================

Please Run a scan with HiJackThis and save the log


===============================================

In your next post, please include fresh logs from:
  1. smitfraudfix text
  2. Online scan
  3. HiJackThis
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
Attached Files
File Type: zip edofix2.zip (206 Bytes, 5 views)
Old 05-30-2006, 07:40 PM   #9 (permalink)
edo
Registered User
 
Join Date: Oct 2005
Posts: 70
OS: xp


Alright, I did everything right, except the doubleclick I removed was called doubleclick[1].
Ehm it still told me on startup a file called ".protected" could not be opened.

Alright, here are the logs:
Hijackthis:
[Logfile of HijackThis v1.99.1
Scan saved at 9:03:14 PM, on 5/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\nda.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rociosdesign.com/?Enter=W...NTER%20WEBSITE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Magentic] C:\PROGRA~1\Magentic\bin\Magentic.exe /c
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: .protected
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: .protected
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZN
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

]
smitfraud:
[SmitFraudFix v2.52

Scan done at 20:44:19.48, Tue 05/30/2006
Run from C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

C:\uniq FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\.protected FOUND !
C:\WINDOWS\warnhp.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Compaq_Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\COMPAQ~1\STARTM~1\Programs\Startup\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\COMPAQ~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

]
and online scan:
[
Incident Status Location

Potentially unwanted tool:application/zango Not disinfected hkey_local_machine\software\Zango Programs
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search\
Possible Virus. Not disinfected C:\BLSInfo\Launch.exe
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@qksrv[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@apmebf[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Possible Virus. Not disinfected C:\Program Files\Easy Internet signup\aolcredits\hpCreditsFall04.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Spyware:Cookie/Doubleclick Not disinfected C:\RECYCLER\S-1-5-21-631884264-2323059169-2815560549-500\Dc3.txt
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Possible Virus. Not disinfected E:\WINNT\Setup\asCore\Options\EmlOpts.dll
]
edo is offline  
Old 05-31-2006, 10:21 AM   #10 (permalink)
alba
Analyst, Security Team
 
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


Hi edo

We are nearly there now


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


=================

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

=================


Click START…RUN…Type in regedit. Make sure just "My Computer" is showing in the left pane and click..FILE….EXPORT…and save a copy somewhere in case you make a mistake. Now navigate to the following keys by clicking the + sign next to each category to expand them. Continue doing so until you've reached the file/folder/entry I highlighted in RED. Right click and select 'delete'.

hkey_local_machine\software\Zango Programs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search\


If the above registry keys are giving you problems deleting, right click on it and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

=================

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

=================

Clean out your Temporary Internet files.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the “Temporary Files” and uncheck the box for “Scan drives for file matching” if it’s checked.
Click OK
Press the CleanUp! button to start the program. Once it's finished Cleanup will ask you to logoff/reboot. Please select NO as we will do this later.


Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

=================

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido and Reboot in Normal Mode.

=================

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

If you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

=================

Once you reboot......

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
  • Click on see report. Then click Save report

=================

Then post the following logs in your next reply...

Panda log
Hijackthis log
Ewido log
C:\rapport.txt (log from the tool)
__________________


Member of UNITE

If I have helped you in anyway, please DONATE to TSF Go raibh maith agat
alba is offline  
Old 06-01-2006, 03:53 PM   #11 (permalink)
edo
Registered User
 
Join Date: Oct 2005
Posts: 70
OS: xp


Hi, I did everything you said, all went right, except for under start/control panel/display/desktop there were no checked entries at all, so no security info there or anything.
Ok, here are the logs:
active scan:
[
Incident Status Location

Possible Virus. Not disinfected C:\BLSInfo\Launch.exe
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.pointroll[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@apmebf[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mediaplex[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@questionmarket[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tribalfusion[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Possible Virus. Not disinfected C:\Program Files\Easy Internet signup\aolcredits\hpCreditsFall04.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Possible Virus. Not disinfected E:\WINNT\Setup\asCore\Options\EmlOpts.dll
]
Hijackthis log:
[Logfile of HijackThis v1.99.1
Scan saved at 5:49:35 PM, on 6/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Magentic] C:\PROGRA~1\Magentic\bin\Magentic.exe /c
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

]
Ewido log:
[---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:43:25 PM, 6/1/2006
+ Report-Checksum: AFE1B254

+ Scan result:

C:\RECYCLER\S-1-5-21-631884264-2323059169-2815560549-500\Dc3.txt -> TrackingCookie.Doubleclick : Cleaned with backup


::Report End]

And the result from the tool:
[SmitFraudFix v2.52

Scan done at 14:47:15.51, Thu 06/01/2006
Run from C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\uniq Deleted
C:\WINDOWS\.protected Deleted
C:\DOCUME~1\COMPAQ~1\STARTM~1\Programs\Startup\.protected Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

]
Thank you.
edo is offline  
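
The before/after comparison of the two HijackThis logs in this thread (the one posted with the first SmitFraudFix report and the one above, taken after the fix), as an added example that is not part of any post: a small Python parser that lists the entries that disappeared between the two logs and checks whether the `.protected` and `mywebsearch` markers flagged by SmitFraudFix and the online scan still occur. The log excerpts are copied from the two logs; the function names and the section descriptions are this example's own.

```python
import re

# HijackThis prefixes every finding with a section code (R0, O4, O23, ...).
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Short descriptions of the sections seen in this thread (summary added here).
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart (Run key / Startup folder)",
    "O8": "IE context-menu item", "O9": "IE button / Tools menu item",
    "O16": "downloaded ActiveX control", "O20": "Winlogon Notify DLL",
    "O23": "service",
}

# Excerpt of the log posted before the fix (lines copied from the thread).
BEFORE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: .protected
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: .protected
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZN
"""

# Excerpt of the log posted after the fix (lines copied from the thread).
AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Compaq Organize.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
"""


def parse_entries(log_text):
    """Return (section, detail) for each finding line.

    The header and the 'Running processes' list do not match and are skipped.
    """
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2).strip()))
    return entries


def _key(entry):
    # Windows paths and registry names are case-insensitive, so compare lowered.
    return (entry[0], entry[1].lower())


def diff_logs(before_text, after_text):
    """Entries present in only one of the two logs, in log order."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    before_keys = {_key(e) for e in before}
    after_keys = {_key(e) for e in after}
    return {
        "removed": [e for e in before if _key(e) not in after_keys],
        "added": [e for e in after if _key(e) not in before_keys],
    }


def still_present(log_text, markers):
    """Entries whose detail contains any marker string (case-insensitive)."""
    lowered = [m.lower() for m in markers]
    return [e for e in parse_entries(log_text)
            if any(m in e[1].lower() for m in lowered)]


def report(before_text, after_text, markers):
    """Human-readable summary lines for a before/after pair."""
    changes = diff_logs(before_text, after_text)
    lines = []
    for label in ("removed", "added"):
        for section, detail in changes[label]:
            kind = SECTIONS.get(section, "other")
            lines.append(f"{label:8}{section:4}{kind}: {detail}")
    leftovers = still_present(after_text, markers)
    lines.append(f"markers still listed after the fix: {len(leftovers)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BEFORE, AFTER, [".protected", "mywebsearch"])))
```

A removed entry only shows that the item is no longer listed; deciding whether it was malicious still needs the analyst's reading of the entry.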
Old 06-02-2006, 12:41 PM   #12 (permalink)
alba
Analyst, Security Team
 
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


hi edo

Please delete all the cookies from here
C:\Documents and Settings\Compaq_Owner\Cookies\


Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:
  1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.





    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  4. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  5. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  6. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here


  7. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items

  • SpywareGuard to catch and block spyware before it can execute.

  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________


Member of UNITE

If I have helped you in anyway, please DONATE to TSF Go raibh maith agat
alba is offline  
Old 06-02-2006, 03:23 PM   #13 (permalink)
edo
Registered User
 
Join Date: Oct 2005
Posts: 70
OS: xp


Yay!
I think I got it all clean.
The cannot install ".protected" has not popped up.
I have installed Norton 2005 now.
It's great.
You guys are definitely on my Christmas list!
Just one more thing....
What does "Go raibh maith agut " mean?
:D
edo is offline  
Old 06-03-2006, 02:44 PM   #14 (permalink)
greyknight17
Analyst, Security Team
 
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


Quote:
Originally Posted by edo
What does "Go raibh maith agut " mean?:D
It means Thank You in Irish.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  