Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Smitfraud G [RESOLVED]

Started by viet667 , Mar 25 2006 07:18 PM

This topic is locked

#1
viet667

Posted 25 March 2006 - 07:18 PM

New Member

Member
3 posts

I have several continual pop ups which tell me I have smitfraud G as well as other ones not named.
I went through the instructions eleswhere on this forum and have SmitRem and Ewidoware log.
Hijack this log is:
Logfile of HijackThis v1.99.1
Scan saved at 11:53:46 AM, on 26/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\DC1300\DCMnt1_0\DC1300mi.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\soundman.exe
C:\Program Files\SpywareQuake\SpywareQuake.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareQuake\SpywareQuake.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\TempDownloads\DFIns35sc\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DC1300 Monitor] C:\Program Files\DC1300\DCMnt1_0\DC1300mi.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

EWIDO REPORT:---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:12:54 AM, 26/03/2006
+ Report-Checksum: 750D5806

+ Scan result:

HKU\S-1-5-21-746137067-926492609-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-746137067-926492609-682003330-1003\Software\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D} -> Adware.SpyFalcon : Cleaned with backup
HKU\S-1-5-21-746137067-926492609-682003330-1003_Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D} -> Adware.SpyFalcon : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\tibbs@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\tibbs@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\tibbs@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\TempDownloads\DFIns35sc\backups\backup-20060218-091750-811.dll -> Downloader.Zlob.gw : Cleaned with backup
C:\TempDownloads\DFIns35sc\backups\backup-20060226-125955-925.dll -> Downloader.Zlob.hk : Cleaned with backup
E:\15054\WINDOWS\NDNuninstall4_94.exe -> Adware.NewDotNet : Cleaned with backup

::Report End

and Smit files:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:12:54 AM, 26/03/2006
+ Report-Checksum: 750D5806

+ Scan result:

HKU\S-1-5-21-746137067-926492609-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-746137067-926492609-682003330-1003\Software\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D} -> Adware.SpyFalcon : Cleaned with backup
HKU\S-1-5-21-746137067-926492609-682003330-1003_Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D} -> Adware.SpyFalcon : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\tibbs@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\tibbs@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\TIBBS\Cookies\tibbs@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\TempDownloads\DFIns35sc\backups\backup-20060218-091750-811.dll -> Downloader.Zlob.gw : Cleaned with backup
C:\TempDownloads\DFIns35sc\backups\backup-20060226-125955-925.dll -> Downloader.Zlob.hk : Cleaned with backup
E:\15054\WINDOWS\NDNuninstall4_94.exe -> Adware.NewDotNet : Cleaned with backup

::Report End
Hope you can help, Thanks

#2
Flrman1

Posted 25 March 2006 - 07:30 PM

Malware Assassin

Retired Staff
6,596 posts

Hi viet667

Welcome to G2G! :whistling:

* Click here to download smitRem.exe.

Save the file to your desktop.
It is a self extracting file.
Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.
If the link to SmitRem above is not working try this one.

* Update ewido:

Launch ewido
On the left side of the main screen click update
Click on Start and let it update.
DO NOT run a scan yet. You will do that later in safe mode.

* Click Here and download Killbox and save it to your desktop.

* Click here to download FixSQ.zip and save it to your desktop.
Unzip it to extract the FixSF.reg file it contains.

* Click here for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Go to Add/Remove programs and uninstall SpywareQuake if it is there. Do not restart your computer if it asks you to do so.

* Doublclick on the FixSQ.reg file to add it to the registry.
Answer yes to confirm the merge.

* Double-click on Killbox.exe to run it.

Put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

C:\WINDOWS\system32\stickrep.dll

C:\Program Files\SpywareQuake
Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confimation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist.
If that happens, just continue on with all the files. Be sure you don't miss any.
Exit the Killbox.

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Run Ewido:

Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your desktop

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

* Restart back into Windows normally now.

* Run ActiveScan online virus scan here

When the scan is finished, save the results from the scan!

SmitRem creates a log file with the results of it's fix in C:\smitfiles.txt. Go to your C drive and locate the smitfiles.txt file. Copy and paste the contents of the smitfiles.txt file in your next reply here along with a new HiJackThis log and the results from ActiveScan

#3
viet667

Posted 25 March 2006 - 09:14 PM

New Member

Topic Starter
Member
3 posts

Thanks so far,
SpywareQuake was unistalled and Killbox used for stickrep.dll

New logs are;
ACTIVE SCAN
Incident Status Location

Adware:adware/emediacodec Not disinfected C:\WINDOWS\SYSTEM32\dfrgsrv.exe
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\TIBBS\Cookies\tibbs@belnk[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\TIBBS\Cookies\tibbs@ccbill[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\TIBBS\Cookies\[email protected][1].txt
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\TIBBS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-10015c94-22d6825f.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\TIBBS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-10015c94-22d6825f.zip[Installer.class]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\TIBBS\Cookies\tibbs@belnk[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\TIBBS\Cookies\tibbs@ccbill[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\TIBBS\Cookies\[email protected][2].txt
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\TIBBS\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\TIBBS\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\TIBBS\Desktop\smitRem.exe[Process.exe]
Adware:Adware/eZula Not disinfected E:\15054\WINDOWS\system32\ezstub.exe

SMITREM © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 26/03/2006
The current time is: 13:57:28.67

Running from
C:\Documents and Settings\TIBBS\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"="Wheel Mouse Optical Driver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com keyogfile of HijackThis v1.99.1
Scan saved at 2:13:32 PM, on 26/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DC1300\DCMnt1_0\DC1300mi.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\TempDownloads\DFIns35sc\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DC1300 Monitor] C:\Program Files\DC1300\DCMnt1_0\DC1300mi.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#4
Flrman1

Posted 25 March 2006 - 10:28 PM

Malware Assassin

Retired Staff
6,596 posts

* Go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the "Delete Cookies" button to clear all cookies.

* Go to Control Panel > Java. On the General tab under "Temporary Internet Files", click the "Delete Files" button to clear the Java cache.

* Click Here and download Killbox and save it to your desktop.

* Double-click on Killbox.exe to run it.

Put a tick by Delete on Reboot.
Copy the following list of files to clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\SYSTEM32\dfrgsrv.exe
E:\15054\WINDOWS\system32\ezstub.exe
Next in Killbox go to File > Paste from clipboard
Click on the All Files button.
Next click on the button that has the red circle with the white X in the middle.
It will ask for confimation to delete the files on next reboot and ask you if you want to reboot now.
Click Yes and let the computer reboot.

* After it reboots, open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.

#5
viet667

Posted 26 March 2006 - 12:36 AM

New Member

Topic Starter
Member
3 posts

looks like all the pop ups are gone , computer is opereting much faster as well.
Thanks, I will add donation

Ad-Aware SE Personal
Adobe Acrobat 5.0
Avance AC'97 Audio
DC1300
DVD Solution
eMedia Codec 4.0
ewido anti-malware
Google Earth
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hotfix for Windows XP (KB912475)
HP Image Zone 3.5
HP PSC & OfficeJet 3.5
HP Software Update
InCD
J2SE Runtime Environment 5.0 Update 4
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Office 2000 Professional
Multimedia Launcher
MYOB Accounting v15
Nero OEM
NVIDIA Drivers
overland
Panda ActiveScan
PowerDVD
PowerProducer
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
SP5X
Spybot - Search & Destroy 1.3
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
XP Codec Pack

#6
Flrman1

Posted 26 March 2006 - 02:18 AM

Malware Assassin

Retired Staff
6,596 posts

* Go to Add/Remove programs and uninstall these:

eMedia Codec 4.0
J2SE Runtime Environment 5.0 Update 4

* Now go here and install the latest version of Java.

* Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

* Go to Windows update and install all "High Priority Updates".

* Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

#7
Flrman1

Posted 03 April 2006 - 06:50 PM

Malware Assassin

Retired Staff
6,596 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.