Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

I had the smitfraud.c virus plus others [RESOLVED]

Started by kodief , Aug 05 2005 07:40 AM

  • This topic is locked This topic is locked

#1
kodief
Posted 05 August 2005 - 07:40 AM

kodief

    Member

  • Member
  • PipPip
  • 12 posts
I had the smitfraud.c virsus among about 15 others that AVG found and fixed.

Could one of you experts look at my HijackThis log to see if I have completely removed all the virsues or if I still need to do a little cleanup?

Thanks a million! This site rocks. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 7:08:32 PM, on 8/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\VIRUS CRAP\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\SYSTEM\WER8274.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SBPCISetup] C:\SBPCI\sbsetup.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [LOCMGRT] C:\WINDOWS\SYSTEM\LOCMGRT.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Local runole service] C:\WINDOWS\System\srvc32.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\SYSTEM\Services\{5D7D7D20-BBFF-11D9-9F04-444553540001}\SVCHOST.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\RunServices: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\RunServices: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: Dialpad Java Applet - http://www.dialpad.c...et/src/vscp.cab
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.c...et/src/vscp.cab
O16 - DPF: {451FCDEE-DCED-11D3-87DD-0090278F1040} (Yahoo! Voicemail Engine) - http://phone.yahoo.c...gin/yumscom.cab
  • 0

Advertisements

#2
greyknight17
Posted 05 August 2005 - 10:39 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please do not post more than one topic since it relates to this same computer. You bumped your other topic several times also. This does not speed things up. It just delays it. So please be patient as we get a lot of traffic here each and every day. We try to get all the topics answered promptly, but this is not possible. So if anything wait 5 days, if you don't get a reply then bump your topic or create a new topic.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\SYSTEM\WER8274.DLL (file missing)
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [LOCMGRT] C:\WINDOWS\SYSTEM\LOCMGRT.exe
O4 - HKLM\..\Run: [Local runole service] C:\WINDOWS\System\srvc32.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\SYSTEM\Services\{5D7D7D20-BBFF-11D9-9F04-444553540001}\SVCHOST.EXE

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\SYSTEM\WER8274.DLL
c:\installer\id53.exe
C:\WINDOWS\SYSTEM\LOCMGRT.exe
C:\WINDOWS\System\srvc32.exe
C:\WINDOWS\SYSTEM\Services\{5D7D7D20-BBFF-11D9-9F04-444553540001}

Restart and run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

Restart and run a new HijackThis scan. Save the log file and post it here
  • 0

#3
kodief
Posted 05 August 2005 - 10:45 AM

kodief

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Sorry about that. I am new to this forum so I was never sure if I was posting it correctly or not. That is why I posted it multiple times. Sorry for the confusion.

I did have one question. Is there an alternative to the online virus scans? I am connected through a modem.

I will follow the instructions and post the result of the Hijack This scan.
  • 0

#4
greyknight17
Posted 05 August 2005 - 02:19 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
That's ok :tazz: Just wanted to make that clear (some other new users may be reading this also and they should know not to do that now ;) ).

Yes, there are other alternatives, but I think they might take about the same time since you will need to download a program (couple of megabytes) to do the scanning. OK, if you want then, skip TrendMicro's scan, but do Panda's scan. Make sure you do one of them at least (preferably Panda).
  • 0

#5
kodief
Posted 06 August 2005 - 10:52 PM

kodief

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I removed the items that you mentioned using Hijack This. I then removed the files and folders that you mentioned....most of them were not there.

I then ran Panda Active scan.

Here is the log:

Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\ALCHEM.INF
Adware:Adware/Tubby No disinfected C:\WINDOWS\SYSTEM\MTC.ini
Virus:W32/Smitfraud.B Disinfected C:\WINDOWS\SYSTEM\WININET.DLL
Dialer:dialer.bny No disinfected C:\WINDOWS\pcconfig.dat
Adware:adware/ipinsight No disinfected C:\WINDOWS\ALCHEM.INI
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\bbchk.exe
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32m.sys
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\Lycos\IEagent\CSIE.DLL
Adware:Adware/TopSpyware No disinfected C:\!Submit\spoolsrv32.exe



Here is my new Hijack this Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:45:26 PM, on 8/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\VIRUS CRAP\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SBPCISetup] C:\SBPCI\sbsetup.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_46214] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 46214
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: Dialpad Java Applet - http://www.dialpad.c...et/src/vscp.cab
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.c...et/src/vscp.cab
O16 - DPF: {451FCDEE-DCED-11D3-87DD-0090278F1040} (Yahoo! Voicemail Engine) - http://phone.yahoo.c...gin/yumscom.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab


Thanks so much for your help! :tazz:
  • 0

#6
greyknight17
Posted 07 August 2005 - 09:09 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Delete these if found:

C:\!Submit\spoolsrv32.exe
C:\Program Files\Lycos\
C:\WINDOWS\ALCHEM.INI
C:\WINDOWS\bbchk.exe
C:\WINDOWS\INF\ALCHEM.INF
C:\WINDOWS\pcconfig.dat
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\SYSTEM\MTC.ini

If you are using Windows 95/98 or Windows ME, you MUST do the following steps that are enclosed in the starting and ending double lines before proceeding any further:
========================================================================
Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

copy c:\windows\system\wininet.dll c:\windows\desktop
del copy.bat

Save the file as "copy.bat". Make sure to save it with the quotes. Double click on it.

Reboot. Scan the desktop folder with eTrust Web Scanner at http://www3.ca.com/s...sinfo/scan.aspx. When done, make sure the box is checked for wininet.dll and click cure.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

del c:\windows\system\wininet.dll
del c:\windows\system\oleadm.dll
del c:\windows\system\oleext.dll
copy c:\windows\desktop\wininet.dll c:\windows\system
del delete.bat

Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.
========================================================================

Open Ad-aware and do a full scan. Remove all it finds.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log.

Download FindIt's.zip http://forums.net-in...=post&id=142443 to your desktop.

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient... Note: If you are having problems using FindIt's.bat (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.bat.
3. Then post the FindIt's log here along with the logs for HijackThis, Panda ActiveScan, and smitfiles.txt.
  • 0

#7
kodief
Posted 09 August 2005 - 07:20 AM

kodief

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I did everything that you asked.

I did have to do one additional thing so that I could do some of the steps. When I booted up the computer initially it stated that it could not find wininet.dll. I downloaded this dll from dll-files.com and put it in the \windows\system folder. I then ran msconfig and found that two lines had been put into the autoexec.bat file. One to change permissions on the file and one to delete it. I removed these two lines temporarily from autoexec.bat. Everything seemed to work ok after that.

Here are the log files:

SmitFraud Fix Log( Ran before I replaced wininet.dll):

smitRem log file
version 2.3

by noahdfear

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system folder ~~~

wininet.dll MISSING!!

~~~ Icons in system folder ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~~ wininet.dll ~~~~

wininet.dll Missing!!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system folder ~~~

wininet.dll MISSING!!

~~~ Icons in system folder ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~~ wininet.dll ~~~~

wininet.dll Missing!!




Here is the Panda ActiveScan Log:
Incident Status Location

Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32a.sys
Spyware:Spyware/ClearSearch No disinfected C:\RECYCLED\DC1\IEagent\CSIE.DLL
Adware:Adware/IPInsight No disinfected C:\RECYCLED\DC4.INF
Adware:Adware/Tubby No disinfected C:\RECYCLED\DC7.INI




Here is the Find It LOG:

Windows 98 [Version 4.10.2222]

Current date is Mon 08-08-2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.


Volume in drive C has no label
Volume Serial Number is 276F-0AEF
Directory of C:\WINDOWS\SYSTEM32

20,410.20 MB free
»»»»» Checking for SAHAgent ico files.

Volume in drive C has no label
Volume Serial Number is 276F-0AEF
Directory of C:\WINDOWS\SYSTEM32

20,410.20 MB free

»»»»»»»»»»»»»»»»»»»»»»»».




HERE is the new Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:56:10 PM, on 8/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\VIRUS CRAP\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SBPCISetup] C:\SBPCI\sbsetup.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: Dialpad Java Applet - http://www.dialpad.c...et/src/vscp.cab
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.c...et/src/vscp.cab
O16 - DPF: {451FCDEE-DCED-11D3-87DD-0090278F1040} (Yahoo! Voicemail Engine) - http://phone.yahoo.c...gin/yumscom.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab



Thanks for all of your help.
  • 0

#8
greyknight17
Posted 09 August 2005 - 09:16 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I knew something didn't look right in that log :tazz:

Did you follow the steps that I listed for you previously in RED? I wanted you to run that so you can make a backup of that wininet.dll file and then cure it.

I'm not sure if the one you downloaded is the correct version. It's not being detected. See if this will find and replace that file for you:
Go to Start->Run and type in sfc and hit OK. Choose full scan. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD.

Delete this file if found:

C:\WINDOWS\smdat32a.sys

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.
  • 0

#9
kodief
Posted 09 August 2005 - 09:44 AM

kodief

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I did all of the stuff in red but it was after I had rebooted into normal mode and found that the wininet.dll had been deleted.

After finding that it had been deleted, I booted into safe mode, ran the smitfraud fix, deleted the listed files listed.

I then tried to do what was in red but realized that the file had already been deleted and was gone. At this point I got the new dll, ran msconfig so it didn't get deleted again and then proceded to do the internet scans.

So in effect I basically made a copy of the wininet.dll that I downloaded. I hope that I didn't screw anything up.

I will run sfc tonight when I get home. Should I delete the wininet.dll file that I installed before running this?

Thanks so much for all of your help. :tazz:
  • 0

#10
greyknight17
Posted 09 August 2005 - 10:04 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I took another look. I'm not sure, but Panda might have killed it before we even had a chance to copy it over :tazz:

No, leave that file there for now. I'm sure it's the wrong version though since smitRem couldn't find it.

Run SFC, hopefully it will detect that the version is incorrect and replace it (tell it to replace it if/when it asks).
  • 0

Advertisements

#11
kodief
Posted 09 August 2005 - 10:08 AM

kodief

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Boy you get back quickly. It is a pleasure working with you.

I needed to tell you that I ran smitRem BEFORE I copied the new DLL into the windows folder. When I ran smitrem the dll was not in the windows\system folder. I checked. It was an expected error. I did NOT run the smitRem AFTER I had copied the new wininet.dll file in. Should I do this with the new DLL in place?

Windows never complained about the new wininet.dll and I didn't notice anything weird when running the internet.

Thanks again for all of your help.
  • 0

#12
greyknight17
Posted 09 August 2005 - 12:21 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
:tazz: Too fast? :)

Yes, I know. The error was on my part ;) I think you ran Panda earlier and that might have deleted that wininet.dll file since it was infected.

It was ok to run smitRem before the copying part - it should be done that way even :( (which you did).

No problem. I know it's not giving you a problem right now, but try running sfc at home tonight and see if it can replace it with the proper one. According to smitRem it's not found - so I can only assume that the one you downloaded was not the same version that's needed on a Windows 98 computer.

Do all the steps I mentioned earlier (including sfc :( ) and then restart and run a new Panda scan. Post the log here.
  • 0

#13
kodief
Posted 10 August 2005 - 07:21 AM

kodief

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I ran sfc and it found nothing out of wack. I do need to make one thing clear that I didn't make clear before. The error from the smitFraud fix log that I posted before, "wininet.dll MISSING!!" happened BEFORE I placed the new wininet.dll on my computer. When the smitfraud fix was ran, I had no wininet.dll on the computer. So the error is valid. I am sure if I ran the smitfraud fix now that I would not get the error.


I deleted the one file that you listed, ran cleanup and then did another Panda scan. It came back completely clean....no error log.

I did have one question for you though. When my wininet.dll file was removed, I found two lines in the autoexec.bat file that I commented out. They were:


attrib -s -h -r C:\windows\system\wininet.dll
del C:\windows\system\wininet.dll

Do you have any idea who or what put them there? I had to comment these lines out so that I didn't have to recopy the downloaded wininet.dll file to the Windows directory each time I rebooted.

Anyway, here is my new Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 10:13:51 PM, on 8/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\VIRUS CRAP\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SBPCISetup] C:\SBPCI\sbsetup.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: Dialpad Java Applet - http://www.dialpad.c...et/src/vscp.cab
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.c...et/src/vscp.cab
O16 - DPF: {451FCDEE-DCED-11D3-87DD-0090278F1040} (Yahoo! Voicemail Engine) - http://phone.yahoo.c...gin/yumscom.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab

Thanks again!!! :tazz:
  • 0

#14
greyknight17
Posted 10 August 2005 - 08:05 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
It should be ok then. Just test to see if Internet Explorer works properly now. If all is well, then ok :tazz:

That does look suspicious in the autoexec file. I suggest leaving them commented like you did. That wininet.dll file is an important file and shouldn't be deleted (at least not without replacing it ;) ).

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#15
kodief
Posted 10 August 2005 - 08:14 AM

kodief

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Thanks so much. You have been very helpful. I really appreciate your time and efforts.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP