Spyfalcon check up needed


#1 grantsmellsbad (New Member, 2 posts)

Incident Status Location

Adware:adware/ist.istbar Not disinfected C:\PROGRAM FILES\COMMON FILES\Totem Shared
Adware:adware/wupd Not disinfected Windows Registry
Potentially unwanted tool:application/winantivirus2006 Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\WINANTIVIRUS PRO 2006
Potentially unwanted tool:application/errorguard Not disinfected HKEY_CLASSES_ROOT\CLSID\{205FF73B-CA67-11D5-99DD-444553540006}
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][2].txt
Spyware:Cookie/Spyfalcon Not disinfected C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][1].txt
Spyware:Cookie/Spytrooper Not disinfected C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][2].txt
Spyware:Cookie/Spyfalcon Not disinfected C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][1].txt
Spyware:Cookie/Spytrooper Not disinfected C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Denis Percy\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Denis Percy\Desktop\smitRem.exe[Process.exe]
Adware:Adware/Lop Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Bpk.dll.131
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Distribution.dll.048
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\FavoriteLinks.dll.066
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\FreeSamples.dll.041
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Music.dll.023
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Network.dll.062
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\System.dll.088
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Update.dll.066
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Windows.dll.074
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\WindowsEx.dll.044
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\RESTORE.INS[PSKILL.EXE]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\system\RESTORE.INS[PSKILL.EXE]
Spyware:Cookie/Com.com Not disinfected D:\Documents and Settings\Denis Percy\Cookies\denis [email protected][1].txt
Potentially unwanted tool:Application/Pskill.A Not disinfected D:\WINDOWS\RESTORE.INS[PSKILL.EXE]
Potentially unwanted tool:Application/Pskill.A Not disinfected D:\WINDOWS\system\RESTORE.INS[PSKILL.EXE]


Logfile of HijackThis v1.99.1
Scan saved at 10:31:24 AM, on 11/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 10/03/2006
The current time is: 16:58:35.93

Running from
C:\Documents and Settings\Denis Percy\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
hp***.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 764 'explorer.exe'
Killing PID 764 'explorer.exe'
Killing PID 764 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN!

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:23:49 AM, 11/03/2006
+ Report-Checksum: 1C2FEE42

+ Scan result:

HKU\S-1-5-21-1770715754-3426629675-50567902-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup
C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Denis Percy\Cookies\denis [email protected][2].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\RECYCLER\S-1-5-21-1770715754-3426629675-50567902-500\Dc1.dll -> Not-A-Virus.Hoax.Win32.Renos.bo : Cleaned with backup
C:\System Volume Information\_restore{C5B9499E-B700-48A4-BA13-85DF56EA66A3}\RP319\A0027957.exe -> Downloader.Zlob.ht : Cleaned with backup
C:\System Volume Information\_restore{C5B9499E-B700-48A4-BA13-85DF56EA66A3}\RP319\A0027958.exe -> Downloader.Zlob.ht : Cleaned with backup
C:\System Volume Information\_restore{C5B9499E-B700-48A4-BA13-85DF56EA66A3}\RP319\A0027967.tlb -> Downloader.Zlob.hw : Cleaned with backup
C:\System Volume Information\_restore{C5B9499E-B700-48A4-BA13-85DF56EA66A3}\RP320\A0027974.tlb -> Downloader.Zlob.hw : Cleaned with backup
C:\System Volume Information\_restore{C5B9499E-B700-48A4-BA13-85DF56EA66A3}\RP320\A0027980.tlb -> Downloader.Zlob.hw : Cleaned with backup
C:\System Volume Information\_restore{C5B9499E-B700-48A4-BA13-85DF56EA66A3}\RP320\A0027986.tlb -> Downloader.Zlob.hw : Cleaned with backup
C:\System Volume Information\_restore{C5B9499E-B700-48A4-BA13-85DF56EA66A3}\RP320\A0027987.exe -> Downloader.Zlob.hx : Cleaned with backup
C:\System Volume Information\_restore{C5B9499E-B700-48A4-BA13-85DF56EA66A3}\RP320\A0027988.exe -> Downloader.Zlob.hw : Cleaned with backup
C:\System Volume Information\_restore{C5B9499E-B700-48A4-BA13-85DF56EA66A3}\RP322\A0028347.tlb -> Downloader.Zlob.id : Cleaned with backup
C:\System Volume Information\_restore{C5B9499E-B700-48A4-BA13-85DF56EA66A3}\RP323\A0028350.exe -> Downloader.Zlob.id : Cleaned with backup
C:\System Volume Information\_restore{C5B9499E-B700-48A4-BA13-85DF56EA66A3}\RP323\A0028351.tlb -> Downloader.Zlob.id : Cleaned with backup
C:\WINDOWS\system32\dfrgsrv.exe -> Downloader.Zlob.hs : Cleaned with backup
D:\Documents and Settings\Denis Percy\Cookies\denis [email protected][2].txt -> TrackingCookie.Com : Cleaned with backup


::Report End

#2 stonangel (Visiting Staff, 429 posts)

Welcome to GeeksToGo, grantsmellsbad.

I'm currently working on your log and will post back a fix shortly.

#3 stonangel (Visiting Staff, 429 posts)

Hi grantsmellsbad,

Good job!

1. Please download and install an antivirus program to protect your computer. There are good free ones:
It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

2. Please download ATF Cleaner by Atribune.

3. Please disable Windows Defender: right click on the castle icon in your Systray and select Exit.

You can re-enable it once you're clean.

4. Launch Notepad and copy and paste the text between the dashed lines:

-----------------------------------
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\WINANTIVIRUS PRO 2006]

[-HKEY_CLASSES_ROOT\CLSID\{205FF73B-CA67-11D5-99DD-444553540006}]


------------------------------------

Save it to your desktop as fix.reg, with "Save as type" set to "All files". You'll see an ice cube icon.

Then double-click on fix.reg and allow when prompted to merge with the registry.

5. Please re-open HiJackThis and scan. Check the box next to this entry listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

* Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

* Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

WINANTIVIRUS PRO 2006

Please note any other programs that you don't recognize in that list in your next response.

* Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this folder (if present):

C:\PROGRAM FILES\COMMON FILES\Totem Shared

* Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

6. After that, Reboot in normal mode.

Run a new Panda online scan and post back the result with a fresh HijackThis log, please.

NB: If you choose to install Avast, you'll have to disable it before running the online scan. Avast finds a false positive in Panda.
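Once the steps above have been carried out, a practitioner would want to confirm that the indicators the fix targets are really gone before spending time on the next online scan. As an added example, not something posted in this thread and not code from any of the tools it mentions, here is a Python check that probes the two registry keys deleted by fix.reg, the Totem Shared folder and the WINANTIVIRUS PRO 2006 entry in Add/Remove Programs. It relies only on the standard winreg module, so it has to run on the cleaned Windows machine; the three probe functions are parameters, which is how the logic can be exercised off the box with stand-ins.

```python
import os
import sys
from typing import Callable, List

# Indicators taken verbatim from the fix posted in this thread.
REGISTRY_KEYS = [
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\WINANTIVIRUS PRO 2006"),
    ("HKEY_CLASSES_ROOT", r"CLSID\{205FF73B-CA67-11D5-99DD-444553540006}"),
]
FOLDERS = [r"C:\Program Files\Common Files\Totem Shared"]
UNINSTALL_NAMES = ["WINANTIVIRUS PRO 2006"]
UNINSTALL_ROOT = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"


def winreg_key_exists(hive_name: str, subkey: str) -> bool:
    """True if the key can be opened for reading (winreg is Windows-only, hence the local import)."""
    import winreg
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), subkey):
            return True
    except OSError:            # FileNotFoundError for a missing key, PermissionError if access is denied
        return False


def winreg_uninstall_names() -> List[str]:
    """DisplayName of every Add/Remove Programs entry under the Uninstall key."""
    import winreg
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UNINSTALL_ROOT) as root:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(root, index)
            except OSError:    # EnumKey raises once the index runs past the last subkey
                break
            index += 1
            try:
                with winreg.OpenKey(root, sub) as entry:
                    names.append(str(winreg.QueryValueEx(entry, "DisplayName")[0]))
            except OSError:    # entry without a DisplayName value
                continue
    return names


def check_cleanup(key_exists: Callable[[str, str], bool] = winreg_key_exists,
                  dir_exists: Callable[[str], bool] = os.path.isdir,
                  uninstall_names: Callable[[], List[str]] = winreg_uninstall_names) -> List[str]:
    """Describe every indicator that is still present; an empty list means the fix took."""
    remaining = []
    for hive, subkey in REGISTRY_KEYS:
        if key_exists(hive, subkey):
            remaining.append(f"registry key {hive}\\{subkey}")
    for folder in FOLDERS:
        if dir_exists(folder):
            remaining.append(f"folder {folder}")
    installed = [name.upper() for name in uninstall_names()]
    for wanted in UNINSTALL_NAMES:
        if any(wanted in name for name in installed):
            remaining.append(f"Add/Remove Programs entry matching {wanted}")
    return remaining


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("Run this on the cleaned Windows machine.")
    left = check_cleanup()
    print("All indicators from the fix are gone." if not left
          else "\n".join("STILL PRESENT: " + item for item in left))
```

Run it from a normal session after the reboot into normal mode; HKEY_LOCAL_MACHINE\SOFTWARE is readable by ordinary users, so elevation is not needed for these probes. It only covers the indicators named in the fix, so a clean result here is a reason to run the fresh Panda scan and HijackThis log asked for above, not a substitute for them.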