Geeks to Go

Trojan-Spy.HTML.Smitfraud.c

#1 eigelb (New Member, 9 posts)
I have the "Trojan-Spy.HTML.Smitfraud.c" Trojan which I know because it is telling me itself on my desktop, where a fake bluescreen is warning me of this Trojan. Following your instructions as to what to do "before posting", I downloaded AdAware SE Personal, but it did not find this specific Trojan and didn't change anything about the situation at all. Now I have downloaded "HijackThis.exe" and saved a logfile which goes as follows:

Logfile of HijackThis v1.99.1
Scan saved at 14:21:16, on 09.05.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Programme\Medion Home CinemaXL\PowerCinema\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\Shareaza\Shareaza.exe
C:\wp.exe
C:\Programme\AOL 9.0\aoltray.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\AOL 9.0\waol.exe
C:\Programme\AOL 9.0\shellmon.exe
C:\Programme\Gemeinsame Dateien\Aol\aoltpspd.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Programme\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Matern\LOKALE~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Matern\LOKALE~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aldi.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {64234EFD-C655-468B-BB65-C678ED2E2BBB} - C:\WINDOWS\System32\cpog.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCMService] C:\Programme\Medion Home CinemaXL\PowerCinema\PCMService.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Matern\LOKALE~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Security iGuard] C:\Programme\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [Shareaza] "C:\Programme\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - Startup: ubisoft register.lnk = C:\Programme\Ubi Soft\Register\schedule.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MedionShop - {01E9CF82-AE9D-42BA-A629-B23D51A4B86B} - http://www.medionshop.de/ (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FF7DE827-5298-4CCC-B8DA-83F68CE73E83} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FF7DE827-5298-4CCC-B8DA-83F68CE73E83} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{1155BEB9-BE73-4757-9CC1-20170BC0A96A}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{1155BEB9-BE73-4757-9CC1-20170BC0A96A}: NameServer = 205.188.146.145
O18 - Filter: text/html - {26BF987C-E998-4BC0-BC6A-DB2F3E9EE155} - C:\WINDOWS\System32\cpog.dll
O18 - Filter: text/plain - {26BF987C-E998-4BC0-BC6A-DB2F3E9EE155} - C:\WINDOWS\System32\cpog.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

I very much hope you can make some sense out of it. I have read other postings concerning the same malware but I am not good enough at computers to understand everything and try to delete it myself. Also it seems that each infection needs an "individual" treatment.
If anyone could help me I would be very happy and appreciate it greatly. It is not really an emergency as it doesn't seem to be very aggressive, but I don't know what it does or how bad it is. I hope I have followed your instructions correctly and that someone will be able to help me.
Thank you very much in advance, eigelb
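A defender-side triage of the HijackThis log format used in this thread, added here as an example; it is not part of the original posts or of HijackThis itself. The sample log is a constructed subset of the first log above, and the flag rules (loads from a Temp directory, pages reset to about:blank, unnamed BHOs, text/html and text/plain filters, bare executables in the drive root, hosts entries) are assumptions drawn from the entries the helper later asks to fix.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Matern\LOKALE~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {64234EFD-C655-468B-BB65-C678ED2E2BBB} - C:\WINDOWS\System32\cpog.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Matern\LOKALE~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [Shareaza] "C:\Programme\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O18 - Filter: text/html - {26BF987C-E998-4BC0-BC6A-DB2F3E9EE155} - C:\WINDOWS\System32\cpog.dll
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
"""

# One HJT entry per line: section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.I)                    # ...\Temp\... anywhere in the value
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\\s]+\.exe$", re.I)  # bare executable directly in a drive root
PATH_RE = re.compile(r'[a-z]:\\[^\s,"/]+\.(?:dll|exe)', re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt_line(line: str):
    """Split 'O4 - HKLM\\..\\Run: [sp] ...' into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def classify(section: str, body: str):
    """Return a reason if the entry matches one of the hijack patterns seen in this thread, else None."""
    if section in ("R0", "R1"):
        if "about:blank" in body.lower():
            return "IE search/start page reset to about:blank"
        if TEMP_RE.search(body):
            return "IE search/start page served from a Temp directory"
    elif section == "O2" and "(no name)" in body:
        return "Browser Helper Object with no name"
    elif section == "O4":
        # The command follows the bracketed value name; Startup entries have no brackets.
        command = body.split("]", 1)[1].strip() if "]" in body else body
        if TEMP_RE.search(command):
            return "autorun loads code from a Temp directory"
        if ROOT_EXE_RE.match(command):
            return "autorun executes a bare file from the drive root"
    elif section == "O18" and re.match(r"Filter: text/(html|plain)", body):
        return "MIME filter intercepts text/html or text/plain"
    elif section == "O1":
        return "hosts-file redirect; verify the mapping"
    return None


def triage(log_text: str):
    """Walk the log and collect every entry that classify() flags, in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_hjt_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        reason = classify(section, body)
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


def implicated_files(findings):
    """Lower-cased DLL/EXE paths named by flagged entries: the files to quarantine for review."""
    files = set()
    for f in findings:
        for m in PATH_RE.finditer(f.line):
            files.add(m.group(0).lower())
    return files


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h.section:4} {h.reason}\n     {h.line}")
    print("files to review:", sorted(implicated_files(hits)))
```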


#2 don77 (Malware Expert, Retired Staff, 18,526 posts)
Hi eigelb and welcome.
Sorry for the delay in response. You have a couple of nasty infections. We will get rid of the se.dll infection first, then get Smitfraud, so this means you will still have the fake bluescreen warning of this Trojan for now.
*Please create a folder and name it SpSeHjfix
*Download SpSeHjfix into the folder.
*Disconnect from the net and Close ALL OPEN PROGRAMS.
*Run 'SpSeHjfix' and click on "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process.
*The tool creates a log of the fix which will appear in the folder.

*Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

#3 eigelb (Topic Starter, New Member, 9 posts)
Thanks a lot for helping me. I have done exactly as told:

Logfile of HijackThis v1.99.1
Scan saved at 18:42:01, on 25.07.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Programme\Medion Home CinemaXL\PowerCinema\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\Shareaza\Shareaza.exe
C:\wp.exe
C:\WINDOWS\DitExp.exe
C:\Programme\AOL 9.0\aoltray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Matern\LOKALE~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Matern\LOKALE~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aldi.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AD1250E8-9F87-4A28-A2ED-C8BEBB4CFBC6} - C:\WINDOWS\System32\cpog.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCMService] C:\Programme\Medion Home CinemaXL\PowerCinema\PCMService.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Security iGuard] C:\Programme\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Matern\LOKALE~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [Shareaza] "C:\Programme\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - Startup: ubisoft register.lnk = C:\Programme\Ubi Soft\Register\schedule.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MedionShop - {01E9CF82-AE9D-42BA-A629-B23D51A4B86B} - http://www.medionshop.de/ (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FF7DE827-5298-4CCC-B8DA-83F68CE73E83} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FF7DE827-5298-4CCC-B8DA-83F68CE73E83} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com/
O18 - Filter: text/html - {F9BE24A9-E912-43DB-8192-662D16467A7D} - C:\WINDOWS\System32\cpog.dll
O18 - Filter: text/plain - {F9BE24A9-E912-43DB-8192-662D16467A7D} - C:\WINDOWS\System32\cpog.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

And the "SpSeHjfix" log:

(25.7.05 18:39:51) SPSeHjFix started v1.1.2
(25.7.05 18:39:51) OS: WinXP Service Pack 1 (5.1.2600)
(25.7.05 18:39:51) Language: deutsch
(25.7.05 18:39:51) Win-Path: C:\WINDOWS
(25.7.05 18:39:51) System-Path: C:\WINDOWS\System32
(25.7.05 18:39:51) Temp-Path: C:\DOKUME~1\Matern\LOKALE~1\Temp\
(25.7.05 18:39:59) Disinfection started
(25.7.05 18:39:59) Bad-Dll(IEP): c:\dokume~1\matern\lokale~1\temp\se.dll
(25.7.05 18:39:59) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\cpog.dll
(25.7.05 18:39:59) Searchassistant Uninstaller - Keys Deleted
(25.7.05 18:39:59) UBF: 9 - UBB: 1 - UBR: 14
(25.7.05 18:39:59) FilterKey: HKCR\text/html (deleted)
(25.7.05 18:39:59) FilterKey: HKCR\CLSID\{26BF987C-E998-4BC0-BC6A-DB2F3E9EE155} (deleted)
(25.7.05 18:39:59) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(25.7.05 18:39:59) FilterKey: HKCR\text/plain (deleted)
(25.7.05 18:39:59) FilterKey: HKCR\CLSID\{26BF987C-E998-4BC0-BC6A-DB2F3E9EE155} (error while deleting)
(25.7.05 18:39:59) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(25.7.05 18:39:59) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64234EFD-C655-468B-BB65-C678ED2E2BBB} (deleted)
(25.7.05 18:39:59) BHO-Key: HKCR\CLSID\{64234EFD-C655-468B-BB65-C678ED2E2BBB} (deleted)
(25.7.05 18:39:59) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOKUME~1\Matern\LOKALE~1\Temp\se.dll,DllInstall (deleted)
(25.7.05 18:39:59) UBF: 7 - UBB: 0 - UBR: 13
(25.7.05 18:39:59) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\dokume~1\matern\lokale~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\dokume~1\matern\lokale~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(25.7.05 18:39:59) Stealth-String not found
(25.7.05 18:39:59) File added to delete: c:\windows\system32\cpog.dll
(25.7.05 18:39:59) File added to delete: c:\dokume~1\matern\lokale~1\temp\se.dll
(25.7.05 18:40:00) Reboot


(25.7.05 18:40:46) SPSeHjFix started v1.1.2
(25.7.05 18:40:46) OS: WinXP Service Pack 1 (5.1.2600)
(25.7.05 18:40:46) Language: deutsch
(25.7.05 18:40:46) Win-Path: C:\WINDOWS
(25.7.05 18:40:46) System-Path: C:\WINDOWS\System32
(25.7.05 18:40:46) Temp-Path: C:\DOKUME~1\Matern\LOKALE~1\Temp\

Also, after rebooting, I received a message that se.dll was not found and could not be started. It sounds like it's working...

#4 don77 (Malware Expert, Retired Staff, 18,526 posts)
Let's just make sure; we will do a little manual work.
  • Download and install Cleanup



  • Download the following program
    CWShredder
    It should be the current version, but check for updates
    “Don’t run it yet”


  • Please download and install Ad-aware.
    Setting up Ad-aware- please make sure you update it first


  • Make sure you can view all Hidden Files/Folders



  • Next, reboot into SAFE MODE

    Please restart HJT, put a check next to the following if they still exist, close all open windows and click “Fix checked”

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Matern\LOKALE~1\Temp\se.dll/spage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Matern\LOKALE~1\Temp\se.dll/spage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {AD1250E8-9F87-4A28-A2ED-C8BEBB4CFBC6} - C:\WINDOWS\System32\cpog.dll (file missing)
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Matern\LOKALE~1\Temp\se.dll,DllInstall
    O18 - Filter: text/html - {F9BE24A9-E912-43DB-8192-662D16467A7D} - C:\WINDOWS\System32\cpog.dll
    O18 - Filter: text/plain - {F9BE24A9-E912-43DB-8192-662D16467A7D} - C:\WINDOWS\System32\cpog.dll
  • Search for and delete the following Files/Folders if still present

    C:\WINDOWS\System32\cpog.dll

  • While still in safe mode

  • Run Program cwshredder and have it fix anything it finds.
    Make sure you click the “Fix” button


  • Open Cleanup! Click on clean up now and let it run,
    When it has finished click NO to reboot now.

  • Scan with AdAware have it remove what it finds

  • Restart your computer,

  • Post back a fresh HJT log please


#5 eigelb (Topic Starter, New Member, 9 posts)
Ok I tried to follow your instructions, only I ran Cleanup! too early (right after downloading), I hope it doesn't change too much. I ran it again later in safe mode. CWShredder didn't find anything, but AdAware found a lot (CWS files too) and deleted it.
The wallpaper has gone black, and one screen setting is still missing. I am still receiving popups.

Logfile of HijackThis v1.99.1
Scan saved at 18:56:29, on 16.05.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Programme\Medion Home CinemaXL\PowerCinema\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\Shareaza\Shareaza.exe
C:\Programme\AOL 9.0\aoltray.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\DitExp.exe
C:\Programme\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aldi.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AD1250E8-9F87-4A28-A2ED-C8BEBB4CFBC6} - C:\WINDOWS\System32\cpog.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCMService] C:\Programme\Medion Home CinemaXL\PowerCinema\PCMService.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Security iGuard] C:\Programme\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [Shareaza] "C:\Programme\Shareaza\Shareaza.exe" -tray
O4 - Startup: ubisoft register.lnk = C:\Programme\Ubi Soft\Register\schedule.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MedionShop - {01E9CF82-AE9D-42BA-A629-B23D51A4B86B} - http://www.medionshop.de/ (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FF7DE827-5298-4CCC-B8DA-83F68CE73E83} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FF7DE827-5298-4CCC-B8DA-83F68CE73E83} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com/
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

#6 don77 (Malware Expert, Retired Staff, 18,526 posts)
OK, let's see if we can get the rest of this squared away for you.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found, (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

While still in Safe Mode, do the following:

Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED

O2 - BHO: (no name) - {AD1250E8-9F87-4A28-A2ED-C8BEBB4CFBC6} - C:\WINDOWS\System32\cpog.dll (file missing)
O4 - HKLM\..\Run: [Security iGuard] C:\Programme\Security iGuard\Security iGuard.exe
O9 - Extra button: Microsoft AntiSpyware helper - {FF7DE827-5298-4CCC-B8DA-83F68CE73E83} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FF7DE827-5298-4CCC-B8DA-83F68CE73E83} - (no file) (HKCU)


Close HiJackThis.

Reboot into normal mode.

1.) Download The Hoster Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.

#7 eigelb (Topic Starter, New Member, 9 posts)
OK, I did everything very carefully this time. I didn't find Virtual Maid or Search Maid anywhere; Security iGuard I had already removed before posting this topic, after having read about it in other postings. I didn't find the "Log Files" folder either. The Active Scan found so much it's scary, but it also warned me it had found spyware which it couldn't disinfect.
My PC has recovered a good deal, my wallpaper settings are all in order, the only thing is I am still getting grey popups telling me about registry errors or whatever.

Logfile of HijackThis v1.99.1
Scan saved at 13:01:25, on 17.05.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Programme\Medion Home CinemaXL\PowerCinema\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\AOL 9.0\aoltray.exe
C:\WINDOWS\DitExp.exe
C:\PROGRA~1\AOL9~1.0\waol.exe
C:\PROGRA~1\AOL9~1.0\shellmon.exe
C:\Programme\Gemeinsame Dateien\Aol\aoltpspd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aldi.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCMService] C:\Programme\Medion Home CinemaXL\PowerCinema\PCMService.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - Startup: ubisoft register.lnk = C:\Programme\Ubi Soft\Register\schedule.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MedionShop - {01E9CF82-AE9D-42BA-A629-B23D51A4B86B} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1155BEB9-BE73-4757-9CC1-20170BC0A96A}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{1155BEB9-BE73-4757-9CC1-20170BC0A96A}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

And the Active Scan:


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/SearchExe No disinfected C:\Dokumente und Einstellungen\Mami\Lokale Einstellungen\Temp\se.dll
Virus:W32/Parite.B Disinfected D:\Driver\160GB Patch\English\Q331958_WXP_SP2_x86_ENU.exe
Virus:W32/Parite.B Disinfected D:\Driver\160GB Patch\German\Q331958_WXP_SP2_x86_DEU.exe
Virus:W32/Parite.B Disinfected D:\Driver\Bluetooth\DAN\Q323183_WXP_SP2_X86_DAN.EXE
Virus:W32/Parite.B Disinfected D:\Driver\Bluetooth\DEU\Q323183_WXP_SP2_X86_DEU.EXE
Virus:W32/Parite.B Disinfected D:\Driver\Bluetooth\ENU\Q323183_WXP_SP2_X86_ENU.EXE
Virus:W32/Parite.B Disinfected D:\Driver\Bluetooth\ESN\Q323183_WXP_SP2_X86_ESN.EXE
Virus:W32/Parite.B Disinfected D:\Driver\Bluetooth\FRA\Q323183_WXP_SP2_X86_FRA.EXE
Virus:W32/Parite.B Disinfected D:\Driver\Bluetooth\ITA\Q323183_WXP_SP2_X86_ITA.EXE
Virus:W32/Parite.B Disinfected D:\Driver\Bluetooth\NLD\Q323183_WXP_SP2_X86_NLD.EXE
Virus:W32/Parite.B Disinfected D:\Driver\CardReader\Firmware\USB ISP Type1 V0.96.0730.exe
Virus:W32/Parite.B Disinfected D:\Driver\CardReader\Make bootable flashcards\MkBootW.exe
Virus:W32/Parite.B Disinfected D:\Driver\Creatix\ISDN\Driver\UNINSTAL.EXE
Virus:W32/Parite.B Disinfected D:\Driver\DirectX9\dxsetup.exe
Virus:W32/Parite.B Disinfected D:\Driver\Mouse\English\ip4_1engallmsi.exe
Virus:W32/Parite.B Disinfected D:\Driver\Mouse\French\ip4_1fraallmsi.exe
Virus:W32/Parite.B Disinfected D:\Driver\Mouse\German\ip4_1deuallmsi.exe
Virus:W32/Parite.B Disinfected D:\Driver\Mouse\Italian\ip4_1itaallmsi.exe
Virus:W32/Parite.B Disinfected D:\Driver\Mouse\Spanish\ip4_1espallmsi.exe
Virus:W32/Parite.B Disinfected D:\Driver\Patches\160GB Patch\English\Q331958_WXP_SP2_x86_ENU.exe
Virus:W32/Parite.B Disinfected D:\Driver\Patches\160GB Patch\German\Q331958_WXP_SP2_x86_DEU.exe
Virus:W32/Parite.B Disinfected D:\Driver\Remote Control\Driver\x10setupnovideo.exe
Virus:W32/Parite.B Disinfected D:\Driver\Remote Control\Test Tool\eventview.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_AGP_1.13\AGP\AGPUtil\AGPutil.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_AGP_1.13\AGP\htpatch\HTinst.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_AGP_1.13\AGP\htpatch\htpatch.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_AGP_1.13\SISfiles\ata133ap.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_AGP_1.13\SISfiles\instdrv.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_AGP_1.13\SISfiles\regmod.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_AGP_1.13\SISfiles\waitwnd.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_AGP_1.13\USB\Win2K_XP\WinXPUSB\SiSUSBrg.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_AGP_1.13\USB\Win9x\SiSFiles\Mp_s3.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_IDE_UDMA\IDE\IdeUtil\PropInstall.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_IDE_UDMA\IDE\IdeUtil\SISIDE.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_IDE_UDMA\SISfiles\ata133ap.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_IDE_UDMA\SISfiles\DMA98.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_IDE_UDMA\SISfiles\HDinfo.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_IDE_UDMA\SISfiles\infinstall.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_IDE_UDMA\SISfiles\SisFilter.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_IDE_UDMA\SISfiles\waitwnd.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_LAN 1.16\inf2cat.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_LAN 1.16\refresh.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_LAN 1.16\Win2000\uninst.exe
Virus:W32/Parite.B Disinfected D:\Driver\SIS_LAN 1.16\WinXP\uninst.exe
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_40.50\ALCCHKID.EXE
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_40.50\ALCRMV.EXE
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_40.50\ALCRMV9X.EXE
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_40.50\ALCUPD.EXE
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_40.50\Ap\AvRack2.exe
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_40.50\Ap\RtlRack.exe
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_40.50\SetCDfmt.exe
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_40.50\wdm\SoundMan.exe
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_40.50\win98gold\SoundMan.exe
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_40.50\WinNT4\ALDAEMON.EXE
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_40.50\WinNT4\SoundMan.exe
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_50.60\ALCCHKID.EXE
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_50.60\ALCRMV.EXE
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_50.60\ALCRMV9X.EXE
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_50.60\ALCUPD.EXE
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_50.60\Ap\AvRack2.exe
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_50.60\Ap\RtlRack.exe
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_50.60\SetCDfmt.exe
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_50.60\wdm\SoundMan.exe
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_50.60\win98\SoundMan.exe
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_50.60\WinNT4\ALDAEMON.EXE
Virus:W32/Parite.B Disinfected D:\Driver\Sound\Vers_50.60\WinNT4\SoundMan.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\USB20.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\AR\Q312370_WXP_SP1_x86_ARA.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\BR\Q312370_WXP_SP1_x86_PTB.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\CN\Q312370_WXP_SP1_x86_CHS.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\CS\Q312370_WXP_SP1_x86_CSY.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\DA\Q312370_WXP_SP1_x86_DAN.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\DE\Q312370_WXP_SP1_x86_DEU.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\EL\Q312370_WXP_SP1_x86_ELL.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\EN\Q312370_WXP_SP1_x86_ENU.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\ES\Q312370_WXP_SP1_x86_ESN.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\FI\Q312370_WXP_SP1_x86_FIN.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\FR\Q312370_WXP_SP1_x86_FRA.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\HE\Q312370_WXP_SP1_x86_HEB.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\HU\Q312370_WXP_SP1_x86_HUN.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\IT\Q312370_WXP_SP1_x86_ITA.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\JA\Q312370_WXP_SP1_x86_JPN.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\KO\Q312370_WXP_SP1_x86_KOR.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\NL\Q312370_WXP_SP1_x86_NLD.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\NO\Q312370_WXP_SP1_x86_NOR.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\PL\Q312370_WXP_SP1_x86_PLK.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\PT\Q312370_WXP_SP1_x86_PTG.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\RU\Q312370_WXP_SP1_x86_RUS.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\SV\Q312370_WXP_SP1_x86_SVE.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\TR\Q312370_WXP_SP1_x86_TRK.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB 2.0\WINXP\QFE\TW\Q312370_WXP_SP1_x86_CHT.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB Memory Drive MFormat 1.04\mFormat.exe
Virus:W32/Parite.B Disinfected D:\Driver\USB Memory Drive MFormat 1.04\UTI_DIR\passid.exe
Virus:W32/Parite.B Disinfected D:\Driver\VGA ATI\Version 7414C\checkver.exe
Virus:W32/Parite.B Disinfected D:\Tools\Acrobat Reader 5.0.5\Danish\ar505dan.exe
Virus:W32/Parite.B Disinfected D:\Tools\Acrobat Reader 5.0.5\Dutch\ar505nld.exe
Virus:W32/Parite.B Disinfected D:\Tools\Acrobat Reader 5.0.5\English\ar505enu.exe
Virus:W32/Parite.B Disinfected D:\Tools\Acrobat Reader 5.0.5\Finnland\ar505suo.exe
Virus:W32/Parite.B Disinfected D:\Tools\Acrobat Reader 5.0.5\French\ar505fra.exe
Virus:W32/Parite.B Disinfected D:\Tools\Acrobat Reader 5.0.5\German\ar505deu.exe
Virus:W32/Parite.B Disinfected D:\Tools\Acrobat Reader 5.0.5\Italian\ar505ita.exe
Virus:W32/Parite.B Disinfected D:\Tools\Acrobat Reader 5.0.5\Spain\ar505esp.exe
Virus:W32/Parite.B Disinfected D:\Tools\ATI Demos\Animusic\ATI-9700-PipeDream-Demo-v1.0.exe
Virus:W32/Parite.B Disinfected D:\Tools\ATI Demos\CarPaint\ATI-9700-CarPaint-Demo-v1.0.exe
Virus:W32/Parite.B Disinfected D:\Tools\ATI Demos\Natural Light\ATI-9700-DebevecRNL-Demo-v1.0.exe
Virus:W32/Parite.B Disinfected D:\Tools\ATI Demos\Screensaver\ATI-9700-Bacteria-SS-v1.0.exe
Virus:W32/Parite.B Disinfected D:\Tools\DivX Video\DivX502Bundle.exe
Virus:W32/Parite.B Disinfected D:\Tools\Media Player 9\English\WinXP\MPSetupXP.exe
Virus:W32/Parite.B Disinfected D:\Tools\Media Player 9\German\WinXP\mpsetupXP.exe
Virus:W32/Parite.B Disinfected D:\Tools\Medion PowerCinema\MShow\_ISDel.exe
Virus:W32/Parite.B Disinfected D:\Tools\Medion PowerCinema\MusicMatch\Deu\MMSetup.exe
Virus:W32/Parite.B Disinfected D:\Tools\Medion PowerCinema\MusicMatch\Enu\MMSetup.exe
Virus:W32/Parite.B Disinfected D:\Tools\Medion PowerCinema\MusicMatch\Esp\MMSetup.exe
Virus:W32/Parite.B Disinfected D:\Tools\Medion PowerCinema\MusicMatch\Fra\MMSetup.exe
Virus:W32/Parite.B Disinfected D:\Tools\Medion PowerCinema\PCinema\DriverSetup.exe
Virus:W32/Parite.B Disinfected D:\Tools\Medion PowerCinema\PDir\Wizard\PXENGINE.EXE
Virus:W32/Parite.B Disinfected D:\Tools\Medion PowerCinema\VLM\DXMEDIA.EXE
Virus:W32/Parite.B Disinfected D:\Tools\Medion PowerCinema\VLM\_ISDel.exe
Virus:W32/Parite.B Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\EasyWrite\NeroCheck.exe
Virus:W32/Parite.B Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\InCD\vsn95\InCD.exe
Virus:W32/Parite.B Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\InCD\vsnnt\InCD.exe
Virus:W32/Parite.B Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\InCD\vsnnt\NeroCheck.exe
Virus:W32/Parite.B Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\CoverDesigner\CoverDes.exe
Virus:W32/Parite.B Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\instmsia.exe
Virus:W32/Parite.B Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\instmsiw.exe
Virus:W32/Parite.B Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Nero\Misc\NeroCheck.exe
Virus:W32/Parite.B Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Nero\Misc\NeroImageDriveInst.exe
Virus:W32/Parite.B Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Nero\nero.exe
Virus:W32/Parite.B Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Nero\NeroCmd.exe
Virus:W32/Parite.B Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Nero\WaveEditor\WaveEdit.exe
Virus:W32/Parite.B Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Nero ToolKit\CDSpeed.exe
Virus:W32/Parite.B Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Nero ToolKit\DriveSpeed.exe
Virus:W32/Parite.B Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Nero ToolKit\InfoTool.exe
Virus:W32/Bagle.BL.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\1.exe
Virus:W32/Bagle.BL.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\10.exe
Virus:W32/Bagle.BL.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\2.exe
Virus:W32/Bagle.BL.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\3.exe
Virus:W32/Bagle.BL.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\4.exe
Virus:W32/Bagle.BL.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\5.scr
Virus:W32/Bagle.BL.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\6.exe
Virus:W32/Bagle.BL.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\7.exe
Virus:W32/Bagle.BL.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\8.exe
Virus:W32/Bagle.BL.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\9.exe
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\ACDSee 9.exe
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\Adobe Photoshop 9 full.exe
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\Ahead Nero 7.exe
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\Kaspersky Antivirus 5.0
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\KAV 5.0
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\Matrix 3 Revolution English Subtitles.exe
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\Microsoft Office 2003 Crack, Working!.exe
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\Microsoft Office XP working Crack, Keygen.exe
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\Opera 8 New!.exe
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\[bleep] pics arhive, xxx.exe
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\[bleep] Screensaver.scr
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\[bleep], sex, oral, anal cool, awesome!!.exe
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\Serials.txt.exe
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\WinAmp 5 Pro Keygen Crack Update.exe
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\WinAmp 6 New!.exe
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\Windown Longhorn Beta Leak.exe
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\Windows Sourcecode update.doc.exe
Virus:W32/Bagle.BC.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Nero55\Shared\XXX hardcore images.exe
Virus:W32/Parite.B Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\NeroBurnRights\NeroBurnRights.exe
Virus:W32/Parite.B Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Player\NeroMediaPlayer\NeroMediaPlayer.exe
Virus:W32/Bagle.BL.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Player\Shared\1.exe
Virus:W32/Bagle.BL.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Player\Shared\10.exe
Virus:W32/Bagle.BL.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Player\Shared\2.exe
Virus:W32/Bagle.BL.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Player\Shared\3.exe
Virus:W32/Bagle.BL.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Player\Shared\4.exe
Virus:W32/Bagle.BL.worm Disinfected D:\Tools\Nero Burning ROM 5.5.10.7\Player\Shared\5.scr
  • 0

#8
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts

the only thing is I am still getting grey popups telling me about registry errors or whatever.


Have you been getting these all along? What exactly do they say?
  • 0

#9
eigelb

eigelb

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Yes, right from the beginning, even before the bluescreen. They are always a bit different, made up to look like Windows popups, and they tell me that my computer has problems and I should visit websites that go www.winregfix.com or patch-up.com or something like that; sometimes they also advertise "the hottest adult entertainment". They appear about 10-20 minutes after logging on to the internet and then increase their reappearances. Is it a bad sign?
  • 0

#10
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
  • Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443
  • Unzip/extract the files inside to a folder on your desktop.
  • Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take a while, so please be patient ...
  • Then post the results here please, along with the new HijackThis log.

  • 0


#11
eigelb

eigelb

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Alright here we are:


Microsoft Windows XP [Version 5.1.2600]
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: C0F6-F3B6

Verzeichnis von C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: C0F6-F3B6

Verzeichnis von C:\WINDOWS\system32

22.06.2000 11:43 3.638 favicon[1].ico
01.08.2001 15:20 1.758 OemLinkIcon.ico
2 Datei(en) 5.396 Bytes
0 Verzeichnis(se), 64.113.635.328 Bytes frei

»»»»»»»»»»»»»»»»»»»»»»»».

Is this the thing? I am sorry that some of it is in German, but nothing essential, I think.

Logfile of HijackThis v1.99.1
Scan saved at 23:51:06, on 19.05.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Programme\Medion Home CinemaXL\PowerCinema\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\Messenger\MSMSGS.EXE
C:\Programme\AOL 9.0\aoltray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\DitExp.exe
C:\Programme\AOL 9.0\waol.exe
C:\Programme\AOL 9.0\shellmon.exe
C:\Programme\Gemeinsame Dateien\Aol\aoltpspd.exe
C:\Programme\Windows Media Player\wmplayer.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aldi.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCMService] C:\Programme\Medion Home CinemaXL\PowerCinema\PCMService.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\MSMSGS.EXE" /background
O4 - Startup: ubisoft register.lnk = C:\Programme\Ubi Soft\Register\schedule.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra button: MedionShop - {01E9CF82-AE9D-42BA-A629-B23D51A4B86B} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1155BEB9-BE73-4757-9CC1-20170BC0A96A}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{1155BEB9-BE73-4757-9CC1-20170BC0A96A}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Do you know what the problem is? Thank you very much for your patience.
  • 0

#12
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Please download ewido security suite; it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update; click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files; click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot your machine and post back the ewido .txt log file.
  • 0

#13
eigelb

eigelb

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
---------------------------------------------------------
ewido security suite - Scan Report
---------------------------------------------------------

+ Erstellt am: 12:50:32, 20.05.2005
+ Report-Checksumme: 98110323

+ Datum der Signaturen: 20.05.2005
+ Version der Scanengine: v3.0

+ Suchdauer: 12 min
+ Untersuchte Dateien: 58170
+ Geschwindigkeit: 76.57 Dateien/Sekunden
+ Infizierte Dateien: 3
+ Entfernte (Deleted) Dateien: 3
+ Unter Quarantäne gestellte Dateien: 3
+ Dateien, die nicht geöffnet werden konnten: 0
+ Dateien, die nicht gesäubert werden konnten: 0

+ Binder: Ja
+ Packer: Ja
+ Archive: Ja

+ Gescannt wurde:
C:\
D:\
E:\

+ Scanergebnis:
C:\Dokumente und Einstellungen\Mami\Lokale Einstellungen\Temp\se.dll -> Spyware.Hijacker.Generic -> Gesäubert mit Backup
C:\Dokumente und Einstellungen\Matern\Cookies\matern@advertising[1].txt -> Spyware.Tracking-Cookie -> Gesäubert mit Backup
C:\Dokumente und Einstellungen\Matern\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Gesäubert mit Backup


::Report Ende

Logfile of HijackThis v1.99.1
Scan saved at 12:52:48, on 20.05.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Programme\Medion Home CinemaXL\PowerCinema\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\Messenger\MSMSGS.EXE
C:\Programme\AOL 9.0\aoltray.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\AOL 9.0\waol.exe
C:\Programme\AOL 9.0\shellmon.exe
C:\Programme\Gemeinsame Dateien\Aol\aoltpspd.exe
C:\Programme\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\imapi.exe
C:\Programme\ewido\security suite\ewidoguard.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aldi.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCMService] C:\Programme\Medion Home CinemaXL\PowerCinema\PCMService.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\MSMSGS.EXE" /background
O4 - Startup: ubisoft register.lnk = C:\Programme\Ubi Soft\Register\schedule.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra button: MedionShop - {01E9CF82-AE9D-42BA-A629-B23D51A4B86B} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1155BEB9-BE73-4757-9CC1-20170BC0A96A}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{1155BEB9-BE73-4757-9CC1-20170BC0A96A}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
  • 0
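Each round of this thread ends with the helper comparing the new HijackThis log against the previous one by eye. As an added example (not code from the thread, from HijackThis or from ewido), here is a small Python triage that parses the entry lines, diffs an earlier log against a later one and flags entries worth a second look. The two sample logs are constructed excerpts modelled on the logs posted in #11 and #13; the O2 line with the all-zero GUID is invented to exercise the Temp-folder check.

```python
import re
from typing import Dict, List, Tuple

# One HijackThis entry line: a section code (R0, R1, O2, O4, O16, O17, O23 ...),
# the separator " - ", then the entry body. Header and process list never match.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# A path under a per-user Temp folder (German XP spells it "Lokale Einstellungen").
TEMP_RE = re.compile(r"\\(Lokale Einstellungen|Local Settings)\\Temp\\", re.IGNORECASE)


def parse_hjt(log: str) -> Dict[str, str]:
    """Map entry body -> section code for every entry line in a HijackThis log."""
    entries: Dict[str, str] = {}
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1)
    return entries


def diff_hjt(old_log: str, new_log: str) -> Tuple[List[str], List[str]]:
    """Return (removed, added) entry bodies between an earlier and a later log."""
    old, new = parse_hjt(old_log), parse_hjt(new_log)
    return sorted(set(old) - set(new)), sorted(set(new) - set(old))


def triage(log: str) -> List[Tuple[str, str]]:
    """Flag entries a helper would look at twice, each with the reason.

    Heuristics: anything loaded from a Temp folder, O17 NameServer overrides
    (compare the address with the DNS servers your ISP really uses) and O16
    ActiveX downloads (drop any you did not knowingly install).
    """
    flagged: List[Tuple[str, str]] = []
    for body, section in parse_hjt(log).items():
        if TEMP_RE.search(body):
            flagged.append((section, "loads from a Temp folder"))
        elif section == "O17":
            flagged.append((section, "DNS server override; confirm it is your ISP's"))
        elif section == "O16":
            flagged.append((section, "ActiveX download; remove if you did not install it"))
    return flagged


# Constructed excerpts modelled on the logs posted in #11 and #13. The O2 line
# with the all-zero GUID is invented to exercise the Temp check; it is not in
# the thread's logs.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 23:51:06, on 19.05.2005

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Dokumente und Einstellungen\Mami\Lokale Einstellungen\Temp\se.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1155BEB9-BE73-4757-9CC1-20170BC0A96A}: NameServer = 205.188.146.145
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:52:48, on 20.05.2005

Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1155BEB9-BE73-4757-9CC1-20170BC0A96A}: NameServer = 205.188.146.145
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
"""


def report(old_log: str, new_log: str) -> str:
    """Human-readable summary: '-' removed, '+' added, '?' still worth checking."""
    removed, added = diff_hjt(old_log, new_log)
    lines = [f"- {e}" for e in removed] + [f"+ {e}" for e in added]
    lines += [f"? {section}: {why}" for section, why in triage(new_log)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LOG_BEFORE, LOG_AFTER))
```

Run on the two real logs, the same diff shows the HTpatch Run entry gone and the two ewido services added between #11 and #13, which is exactly what the helper reads off the pasted logs.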

#14
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Still getting pop-ups?

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)
  • 0

#15
eigelb

eigelb

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I haven't seen any popups lately. I think it's all over now. I downloaded Service Pack 2 and also Firefox, and I am going to use that, I think. Here are the results:

BitDefender Online Scanner - Real Time Virus Report

Generated at: Sat, May 21, 2005 - 02:09:23

--------------------------------------------------------------------------------

Scan Info

Scanned Files
311653

Infected Files
0

Virus Detected

No virus found.

Thank you very much! :tazz:

--------------------------------------------------------------------------------

This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.
  • 0





