Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

softwarereferral.com/antivirus2008.com [RESOLVED]


  • This topic is locked This topic is locked

#1
marionks

marionks

    Member

  • Member
  • PipPip
  • 43 posts
THANKS FOR ALL YOUR PRE-HJT IDEAS! I ALREADY HAD ONE OF THEM, JUST DIDN'T HAVE THE SMARTS TO USE IT! MY WINDOWS UPDATES HAVE BEEN UP-TO-DATE ALL ALONG. I'VE ALSO USED HJT BEFORE WITH DELL SUPPORT, SO I'M FAMILIAR WITH SOME OF THE VERBAGE THERE. I REMOVED 61 INFECTIONS BEFORE PANDA FOUND TWO MORE INFECTIONS, BUT CLOSED OUT WITH A "YOU'RE INFECTED" SCREEN ... COULDN'T FOLLOW YOUR INSTRUCTIONS EXCEPT TO SAVE IT TO MY COMPUTER. WHAT FOLLOWS IS PANDA'S ACTIVESCAN.TXT; FOLLOWED BY HJT.LOG -- HOPE YOU HAVE ENOUGH INFO TO START ... I'VE SEEN SOMEONE ON ANOTHER TOPIC WITH MUCH THE SAME PROBLEM AS ME ... PRESENT STATUS: MISSING WALLPAPER; SIDEBAR & ICONS FROM "MY COMPUTER" ARE NOW THE WALLPAPER...STARTED OUT AS FAKE WINDOWS SECURITY MESSAGE AND PRIVACY DANGER WALLPAPER -- BOTH ARE GONE AFTER FOLLOWING HJT STEPS.

************
ANALYSIS: 2008-05-27 19:42:02
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 0
************
PROTECTIONS
Description Version Active Updated
=================================================
PC-cillin Internet Security - Virus Protectio14.60.1195 Yes Yes
=================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
=================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No I:\Documents and Settings\Ginny\Application Data\Mozilla\Firefox\Profiles\sqirt1ue.default\cookies.txt[.atdmt.com/]
02164907 Generic Malware Virus/Trojan No 0 Yes No I:\Program Files\DIGStream\digstream.exe
=================================================
SUSPECTS
Sent Location @
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description @
;===============================================================================
=================================================================================
===================
108742 MEDIUM MS06-006 @
;=================================================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:00: VIRUS ALERT!, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\eHome\ehRecvr.exe
I:\WINDOWS\eHome\ehSched.exe
I:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
I:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
I:\WINDOWS\stsystra.exe
I:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
I:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\ehome\ehtray.exe
I:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
I:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
I:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
I:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
I:\Program Files\Microsoft Location Finder\LocationFinder.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
I:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
I:\Program Files\SBC Self Support Tool\bin\mad.exe
I:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
I:\PROGRA~1\SBCSEL~1\ASSTCO~1\MOTIVE~1.EXE
I:\WINDOWS\system32\dllhost.exe
I:\WINDOWS\eHome\ehmsas.exe
I:\Program Files\Windows Live\Messenger\usnsvc.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - I:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - I:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - I:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - I:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - I:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [pccguide.exe] "I:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] I:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ehTray] I:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [OE_OEM] "I:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "I:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Location Finder] "I:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: AT&T Self Support Tool.lnk = I:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/...rs.1.0.0.39.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1172413884023
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn...gr.cab31267.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/...tg.1.0.0.37.cab
O16 - DPF: {C7E002D6-324B-4500-883D-84B620FD8640} (Bridge Installer) - http://cdn2.zone.msn...6/heartbeat.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/...ersion=1,0,0,10
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/...ia.1.0.0.46.cab
O20 - Winlogon Notify: !SASWinLogon - I:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - I:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - I:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GameConsoleService - Unknown owner - I:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - I:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - I:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - I:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - I:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - I:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O24 - Desktop Component 0: Privacy Protection - (no file)
  • 0

Advertisements


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,959 posts
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: GameConsoleService - Unknown owner - I:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Then download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

Then please download and run:
http://users.pandora...oductid_fix.exe
This will also open a logfile. Post the content of that one as well.

Regards,
  • 0

#3
marionks

marionks

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
I cannot download Smitfraudfix. PCcillin blocks it unless I allow access to "adware/joke program/cookies". If I allow it, do I open up my computer to more problems???
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,959 posts
Did you read this in my post?

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


Run only the second application I mentioned if you do not trust SmitFraudFix. I can not force you to use it.
  • 0

#5
marionks

marionks

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
Yes, I read that in your post ... I guess I'm asking if I'm opening up the computer to more problems if I uncheck the adware/jokeware/cookies block in order to run the Smitfraudfix at the same time. It seems as though that's a BIG category to open up, but if you trust it, I will. Sorry it takes me so long between messages ... I'm trying to do too many things at one time (run a household, manage a job, etc.). I'm trying not to leave the computer running, as I believe that's how I got the malware in the first place!
  • 0

#6
marionks

marionks

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
The smitfraudfix folder is on my desktop, but pccillin blocked the unzip.exe file, which apparently is the file needed to run the action you want me to take. I tried to run the pandora program, but pccillin blocked it completely ... opened the folder, but wouldn't run it. I'm going to block adware, etc. again until I hear from you.
  • 0

#7
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,959 posts
Since you have downloaded both programs, I suggest the following.

Disconnect from the internet. Simply pull the plug if it's not wireless, if it is rightclick the connection and choose "Disable".
Then turn off PCCillins resident protection.

Then run the file productid_fix.exe from pandora.be
Then run Smitfraudfix
Save both the logs.

Re-enable resident protection.Do not connect to the internet yet untill after a reboot and checking if PCCillin is working again.
  • 0

#8
marionks

marionks

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
I disconnected from the internet
1) I don't have pandora downloaded ... pccillin wouldn't allow it, even with the adware filter turned off
2) I am still missing a file in smitfraud ... unzip.exe
Thanks for your patience with me!
  • 0

#9
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,959 posts
1) We can do what that tool does manually, but that is a rather complex method:
See if you can follow the instructions here:
http://miekiemoes.bl...to-restore.html

2) We'll see if we still need it after you do the above and post a new HijackThis log.
  • 0

#10
marionks

marionks

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
OK, I'm beginning to get REALLY FRUSTRATED with PCcillin ... I tried to open your website, then received this notice:

TREND MICRO PC-cillin Internet Security 14

The Web site that you are trying to access has been blocked following the configurations set for the Web Site Filter.
To view this Web site:
- Open the main console and add the address in the Privacy Control > Web Site Filter > Approved List
Address: http://miekiemoes.bl...to-restore.html
Type: Web Communications

I followed the directions, closed the browser, reopened, got the same reply. My filter says "Allow access to all websites, except those on the Exception List" (to which I've added your miekiemoes address) HOWEVER, I have two blocks: "block predefined website categories (phishing, spyware, adware, hacking, occult, etc.)" and "detect new entries in the Host file and filter spoofed domain names" ... do I need to uncheck any of these categories to allow your address to work??? (We're getting to my limits of understanding, here!)
  • 0

Advertisements


#11
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,959 posts
I'm getting pretty frustrated with your PCCIllin as well. :)

I wish it had performed so well while you were getting infected. :)

Marckie has made a new version of his tool:
http://users.pandora...oductid_fix.exe
You may need to refresh or you might end up with the old version from your cache.

Scanner detection for the tool should be a lot less now.

I have never used PCCillin so I'm hardly qualified to tell you which settings to alter.
Found this though:
http://www.google.co...mp;answer=24968
maybe you can figure out how to get to miekes site.
It's preposterous that it is being blocked, she is one of the best spywarefighters around.
  • 0

#12
marionks

marionks

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
YAY! I was able to add product ID fix! However, there were no results:
--- ProductIDfix ---
not necessary
I'm working on the google, will let you know in next reply
  • 0

#13
marionks

marionks

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
From PC CIllin when I added the exception to the personal firewall:
Missing or invalid application(s). The application(s) specified in the current Personal Firewall profile exception rules will not be used. Consult the Content & Index>Problem Solving section for details.

Which I will try to get done before I go to work! :)
  • 0

#14
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,959 posts
Which application did you try?
The Googletalk was just an example.

Can you try this for SmitfraudFix

And this may work to replace the unzip.exe
http://home.planet.n...xplanation.html
  • 0

#15
marionks

marionks

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
I haven't tried to run another application from pccillin ... it involves getting the Dell disk for some reason, and I didn't have time to do it that morning. Sorry that it has taken me so long to get back to you ... it has been a busy week here!

We are starting to push the limits of my intelligence here ... That's a very informative page on zipping and unzipping files in XP, but I'm not sure how to insert that info into Smitfraudfix. When I click on the cmd.exe file, I get a red screen in French and English: "unzip.exe file missing! Unzip all the archive in a folder. Press any key to continue ... " When I click any key, I lose the screen. I don't have a zip file to unzip with your information!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP