Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Red Circle with white cross in taskbar [RESOLVED]

Started by MCDAT510 , Aug 03 2006 10:05 PM

This topic is locked

#1
MCDAT510

Posted 03 August 2006 - 10:05 PM

New Member

Member
5 posts

Hi Guys,

I have the Red Circle with white cross in my taskbar, here is my hijack log

Logfile of HijackThis v1.99.1
Scan saved at 2:04:40 PM, on 4/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\KENSIN~1\Mouse\Amoumain.exe
E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
E:\Program Files\iriver\iriver plus 2\iAgent2.exe
C:\Windows\xpupdate.exe
E:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dodo.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dodo.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {0AF3A1E9-36A3-6040-4D73-380F7B6CAEE3} - xwiz.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Kenkeybd] C:\PROGRA~1\KENSIN~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [KenMouse] C:\PROGRA~1\KENSIN~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [Fix-It AV] E:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [SsAAD.exe] E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADP.EXE /P26 "EPSON Stylus CX4700 Series" /O6 "USB001" /M "Stylus CX4700"
O4 - HKLM\..\Run: [zxc] xsetup.exe
O4 - HKLM\..\Run: [avpmondll] uio.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iPlusAgent2] "e:\Program Files\iriver\iriver plus 2\iAgent2.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TorontoMail] Preliminary.exe
O4 - HKCU\..\Run: [vxdman] new32.exe
O4 - HKCU\..\Run: [borlandg] utsgmon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AFD6315-FAD0-4190-8F04-F23AD5C32F85}: NameServer = 85.255.115.34 85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{A038E78B-4084-48A9-8FB4-065BA9B5B417}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBC66A14-DF5B-4ED1-BF3A-16E83CBE0FC5}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - E:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

Any assistance to get rid of this from my taskbar would be greatly appreciated.

Cheers,
Mick

#2
JSntgRvr

Posted 04 August 2006 - 06:07 PM

Global Moderator

Global Moderator
11,579 posts

Hi, MCDAT510 :whistling:

Welcome to Geeks to go.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:

http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):

O17 - HKLM\System\CCS\Services\Tcpip\..\{9AFD6315-FAD0-4190-8F04-F23AD5C32F85}: NameServer = 85.255.115.34 85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{A038E78B-4084-48A9-8FB4-065BA9B5B417}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBC66A14-DF5B-4ED1-BF3A-16E83CBE0FC5}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63

Click FIX CHECKED. Close HijackThis.

Check your settings:

Enter your Control Panel and double-click on Network Connections
Then right click on your Default Connection
- Usually Local Area Connection for Cable and DSL
Left click on Properties
Double-Click on the Internet Protocol (TCP/IP) item
Select the radio dial that says Obtain DNS Servers Automatically
Press OK twice to get out of the properties screen
Restart the computer

By default, your computer system keeps a DNS resolver cache which stores the IP address attached to frequently used DNS names (and Internet URLs, which are essentially the same thing). This enables your system to bring up frequently accessed web pages quickly, without the need to first consult a chain of DNS servers on the Internet to find out what IP address is associated with, say www.pcstats.com.

By using the 'ipconfig /flushdns' command, you delete the contents of the DNS resolver cache, meaning that your system will now recheck its settings to see where it should be going to get DNS addresses.

To flush the cache manually by using Ipconfig, go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line:

ipconfig /flushdns (The space between g and / is needed)
Exit

Restart the computer and attempt to connect to the internet.

Please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ), along with a new HijackThis log into this topic.

#3
MCDAT510

Posted 04 August 2006 - 08:39 PM

New Member

Topic Starter
Member
5 posts

Hi JSntgRvr,

Thankyou so much for your help, here are my logs

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\CSATK.EXE
* csr.exe C:\WINDOWS\System32\CSATK.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSATK.EXE 51,201 2006-08-03
Other suspects
Directory of C:\WINDOWS\system32
{239DF735-DA4E-4D9B-BC8A-77B4EF657AF3}.exe

Logfile of HijackThis v1.99.1
Scan saved at 12:38:41 PM, on 5/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\Explorer.EXE
E:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\PROGRA~1\KENSIN~1\Mouse\Amoumain.exe
E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADP.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\iriver\iriver plus 2\iAgent2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\xpupdate.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dodo.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dodo.com.au/
R3 - URLSearchHook: (no name) - {0AF3A1E9-36A3-6040-4D73-380F7B6CAEE3} - xwiz.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Kenkeybd] C:\PROGRA~1\KENSIN~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [KenMouse] C:\PROGRA~1\KENSIN~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [Fix-It AV] E:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [SsAAD.exe] E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADP.EXE /P26 "EPSON Stylus CX4700 Series" /O6 "USB001" /M "Stylus CX4700"
O4 - HKLM\..\Run: [zxc] xsetup.exe
O4 - HKLM\..\Run: [avpmondll] uio.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iPlusAgent2] "e:\Program Files\iriver\iriver plus 2\iAgent2.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TorontoMail] Preliminary.exe
O4 - HKCU\..\Run: [vxdman] new32.exe
O4 - HKCU\..\Run: [borlandg] utsgmon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AFD6315-FAD0-4190-8F04-F23AD5C32F85}: NameServer = 203.8.183.1 192.189.54.33
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - E:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

i deleted this and it keeps coming back, O17 - HKLM\System\CCS\Services\Tcpip\..\{9AFD6315-FAD0-4190-8F04-F23AD5C32F85}: NameServer = 203.8.183.1 192.189.54.33

The red circle with white cross is still in my taskbar, please let me know the next step to get rid of this.

Thankyou so much for all your help.

Cheers,
Mick

#4
JSntgRvr

Posted 05 August 2006 - 08:43 AM

Global Moderator

Global Moderator
11,579 posts

Hi, MCDAT510 :whistling:

That 017 line is now legit. Do not remove it. It respond to your ISP.

AAPT Limited
180-188 Burnley Street
Richmond VIC 3121

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - {0AF3A1E9-36A3-6040-4D73-380F7B6CAEE3} - xwiz.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [zxc] xsetup.exe
O4 - HKLM\..\Run: [avpmondll] uio.exe
O4 - HKCU\..\Run: [TorontoMail] Preliminary.exe
O4 - HKCU\..\Run: [vxdman] new32.exe
O4 - HKCU\..\Run: [borlandg] utsgmon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Please double-click Killbox.exe to run it.
Select:
- Delete on Reboot
- then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Windows\System32\xsetup.exe
C:\Windows\System32\uio.exe
C:\Windows\System32\Preliminary.exe
C:\Windows\System32\new32.exe
C:\Windows\System32\utsgmon.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\SYSTEM32\CSATK.EXE
C:\WINDOWS\system32\{239DF735-DA4E-4D9B-BC8A-77B4EF657AF3}.exe
Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Warning : running option #2 on a non infected computer in Normal Mode will remove your Desktop background.

#5
MCDAT510

Posted 06 August 2006 - 02:04 AM

New Member

Topic Starter
Member
5 posts

Hi JSntgRvr,

thanks again for your help, here is the the report

SmitFraudFix v2.80

Scan done at 17:56:38.00, Sun 06/08/2006
Run from C:\unzipped\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mick\Application Data

C:\Documents and Settings\Mick\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Mick\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\BraveSentry\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Let me know what i'll need to do next.

Thanks again.

Cheers,
Mick

#6
JSntgRvr

Posted 06 August 2006 - 11:55 AM

Global Moderator

Global Moderator
11,579 posts

Hi, MCDAT510. :whistling:

Please print these instructions, or copy them to a NotePad file for reference while in Safe Mode.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly in Safe Mode.

Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:

Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close ewido .

Restart back into Windows normally now.

Please go HERE to run Panda's ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post a fresh Hijackthis log along with the Ewido and ActiveScan reports along with the C:\rapport.txt.

#7
MCDAT510

Posted 07 August 2006 - 09:37 AM

New Member

Topic Starter
Member
5 posts

Hi JSntgRvr,

The Red circle with white cross has now gone..thankyou so much. :whistling:

Here are the reports

ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:32:40 AM 8/08/2006

+ Scan result:

C:\Documents and Settings\All Users\Documents\install.exe -> Backdoor.Robobot.ap : Cleaned with backup (quarantined).
C:\!KillBox\csatk.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\!KillBox\xpupdate.exe -> Downloader.Tibs.gc : Cleaned with backup (quarantined).
C:\Documents and Settings\Mick\Cookies\mick@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).

::Report end

Incident Status Location

Potentially unwanted tool:application/kill&clean Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\!KillBox\{239DF735-DA4E-4D9B-BC8A-77B4EF657AF3}.exe[KillAndClean.exe]
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\!KillBox\{239DF735-DA4E-4D9B-BC8A-77B4EF657AF3}.exe[KillAndCleanUpdate.exe]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mick\Cookies\mick@atdmt[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mick\Cookies\mick@doubleclick[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Mick\Cookies\mick@statcounter[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Mick\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]

Logfile of HijackThis v1.99.1
Scan saved at 1:36:56 AM, on 8/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
e:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\KENSIN~1\Mouse\Amoumain.exe
E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADP.EXE
E:\Program Files\ewido anti-spyware 4.0\ewido.exe
E:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\iriver\iriver plus 2\iAgent2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
E:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Kenkeybd] C:\PROGRA~1\KENSIN~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [KenMouse] C:\PROGRA~1\KENSIN~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [Fix-It AV] E:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [SsAAD.exe] E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADP.EXE /P26 "EPSON Stylus CX4700 Series" /O6 "USB001" /M "Stylus CX4700"
O4 - HKLM\..\Run: [!ewido] "E:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iPlusAgent2] "e:\Program Files\iriver\iriver plus 2\iAgent2.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AFD6315-FAD0-4190-8F04-F23AD5C32F85}: NameServer = 203.8.183.1 192.189.54.33
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - e:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - E:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

SmitFraudFix v2.80

Scan done at 1:37:43.15, Tue 08/08/2006
Run from C:\unzipped\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mick\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Mick\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Please let me know the next step to take.

Cheers,
Mick

#8
JSntgRvr

Posted 07 August 2006 - 02:17 PM

Global Moderator

Global Moderator
11,579 posts

Hi, MCDAT510 :whistling:

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing so follow the steps that are listed below EXACTLY. if you cannot preform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry

Go Here and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
Make sure that at least the first two check boxes are ticked
Press OK
Press YES to create the folder.

Registry Modifications

Download the enclosed file: [attachment=10101:attachment]
Extract its contents to the desktop. It is a Registry Entries file, Regfix.reg. Once extracted, double click on it and select Yes when prompted to merge it into the registry.

Restart the computer.

The rest of the log looks clear. How is the computer doing?

#9
MCDAT510

Posted 12 August 2006 - 06:19 PM

New Member

Topic Starter
Member
5 posts

Hi JSntgRvr,

Everything seems to be running perfectly, thankyou so much for your help.

I will recommend you to other people that have malware problems.

Just one more question, What "free" firewall program do you recommend?

Thanks again for your assistance.

Cheers,
Mick

#10
JSntgRvr

Posted 12 August 2006 - 07:52 PM

Global Moderator

Global Moderator
11,579 posts

Hi, MCDAT510 :blink:

Congratulations. Posted Image

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Firewalls:

ZoneAlarm

Agnitum Outpost Free

Kerio by Sunbelt

Kerio 2.1.5

Glad to be of help! :whistling:

Best wishes!

#11
JSntgRvr

Posted 17 August 2006 - 12:56 PM

Global Moderator

Global Moderator
11,579 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.